RE: Publishing FTP server

  • From: "Quillman Shawn (RBNA/CSA1) *" <Shawn.Quillman@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 15 Sep 2005 11:33:27 -0500

 
Ah yes.  How many packets can we possibly stuff onto a thinwire network in the 
name of digital shoot-em-up?  TCP/IP made it so that playing Doom across the 
network wasn't so obvious.  No more 100% utilization.
 
Also made it so that we in IT could hop into the games without mgmt coming 
around to find out why the heck the network wasn't responding :-)

----- 
Robert Bosch Corporation 
Technical Systems Analyst (RBNA/CSA1) 
Corporate Sales Reporting Systems 
38000 Hills Tech Drive - Farmington Hills, MI 48331 - USA 
phone: 1 (248) 553-1164    fax: 1 (248) 848-6969 
shawn.quillman@xxxxxxxxxxxx 
http://www.bosch.us

 

  _____  

From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx] 
Sent: Thursday, September 15, 2005 12:26 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Publishing FTP server


http://www.ISAserver.org


Haha great!

Actually I believe that Doom was the #1 cause of network failures in the 
enterprise back then. You know, when stuff was speaking IPX/SPX and Vines 
instead of TCP/IP.

And the FTP server that held the first Doom demo *did* melt.

 

And for a funny story, people were already flooding the FTP server *before* 
they uploaded it, preventing id software from getting in and providing the file.

Aaah, good times, good times.

 

  _____  

From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx] 
Sent: 15 September 2005 12:07
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Publishing FTP server

 

http://www.ISAserver.org

The Doom Demo part was great =) I'll start teaching FTP mentioning that if you 
don't mind!

Tiago de Aviz
SoftSell - Curitiba
(41) 3340-2363
www.softsell.com.br 
 
This message, including its attachments, is confidential and its content is 
restricted to the addressee of the message. If you have received this message 
in error, please return it to the addressee and delete it from your files. Any 
unauthorized use, replication or dissemination of this message or any part of 
it is expressly prohibited. SoftSell is not responsible for the content or the 
accuracy of this information.


>>> gauthiera@xxxxxxxxxxxxxxxxx 15/9/2005 11:38 >>>

http://www.ISAserver.org

For the heck of it, could you try

1) Accessing the ftp server from the internet using PASV (passive) mode? 
(The basic built-in ftp client in windows is braindead, and does not support 
this. Try a GUI client; make sure it is in passive mode.)

2) Ensuring you have checked the "FTP Access Filter" on the FTP Server 
protocol of any Filtering Policy you might have in place

 

 

------- Some uncalled for explanations on the FTP protocol below. You shut up 
and read if you're interested :P -------------

 

FTP is a rather hard to work with protocol, I'll give you some explanations - 
although you probably already know this ;)

 

First, two connections are used, basically - port 20 and port 21. Port 21 is 
the control session, which is what you use to login and issue commands. 20 is 
used as the data port, which is any file transfer, or file listings. 
Apparently, you can talk on port 21 without problems, but fail to establish a 
data connection on port 20.

 

In default PORT mode, you (the client) are in fact acting as the server, from a 
TCP point of view at least. You connect to the FTP server on port 21, 
authenticate, then request a directory listing.

 

*The Server* will then open a connection to *the client machine* on port 20 to 
send files. That was done as a design decision because back then, putting the 
TCP/IP connection load on the client rather than the server would prevent the 
server from melting when, say, id software released their doom demo. (Which 
happened anyways. But you know the drill.)

 

This doesn't work very well with NATs (which were probably nonexistent at the 
time) - so there are two things which were brought up for this very purpose.

 

PASV mode restores the behaviour you'd expect from a client/server TCP 
connection and the client is asked to connect to the server on port 20 when a 
directory listing is issued.

 

While this will work great when the user is behind a NAT, and fix all issues of 
the NAT not opening port 20 because it sees no reason to, it will sometimes be 
problematic in a situation where you have:

 

       Client Computer ------- NAT ------ [The internet] -------- NAT --------- FTP Server

 

The client computer cannot use PORT for it is behind a NAT. So PASV must be 
used. However the FTP server will acknowledge the request for passive 
connections, and return its IP address to the client for it to connect to. 
However, in the case of many FTP servers, the server will return its *private 
RFC address* (i.e. 172.16.12.8 - substitute for your favorite private subnet) 
which the client computer obviously cannot connect to.

 

Any firewall/gateway/proxy worth its salt will handle this by farting around 
with the FTP datagrams (both hands deep in Layer 3, beyotch!) and substitute 
the address, or use other arcane magic to make it work.

 

ISA has this, and it is that very "FTP Access Filter" option, apparently. Cisco 
PIXes possess the "fixup protocol ftp 21" configuration line, which works like 
ass right now, at least in my home setup (it works if the client is behind a 
NAT and fails if the client is directly on the internet. Search me.)


As Jim suggested, running some kind of packet dump will tell you the answer 
quite clearly. But your client hanging on "ls" is proof that something is up 
with the data connection.

 

Hope this helps,

 

--

Alexandre Gauthier

Analyste Réseau / Network Analyst

 

gauthiera@xxxxxxxxxxxxxxxxx

Québec Loisirs - www.quebecloisirs.com

 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
gauthiera@xxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx 

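To make the PORT/PASV and NAT discussion in Alexandre's post concrete, here is an added example (not code from the thread, ISA Server or PIX) that parses the h1,h2,h3,h4,p1,p2 endpoint carried by a PORT command or a 227 PASV reply, flags the case where a server behind NAT announces its RFC 1918 address, and shows the address substitution an FTP application-layer gateway performs on the reply. The sample reply, PORT command and the firewall address 203.0.113.10 are constructed placeholders.

```python
import ipaddress
import re

# PORT commands and 227 PASV replies both carry an IPv4 endpoint as
# h1,h2,h3,h4,p1,p2 where the TCP port is p1 * 256 + p2.
ENDPOINT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(ip: str) -> bool:
    """True for the 'private RFC address' case described in the thread."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def parse_endpoint(line: str) -> tuple[str, int]:
    """Return (ip, port) from a client PORT command or a server 227 reply."""
    m = ENDPOINT_RE.search(line)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in {line!r}")
    octets = [int(x) for x in m.groups()]
    if max(octets) > 255:
        raise ValueError(f"value out of range in {line!r}")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

def format_endpoint(ip: str, port: int) -> str:
    """Inverse of parse_endpoint: ('203.0.113.10', 5001) -> '203,0,113,10,19,137'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

def check_pasv_reply(reply: str, control_peer: str) -> dict:
    """Client-side view of a 227 reply; control_peer is the address actually
    reached on port 21. A private address that differs from it means no ALG
    rewrote the reply, so the data connection (the hanging 'ls') never comes up."""
    ip, port = parse_endpoint(reply)
    broken = is_rfc1918(ip) and ip != control_peer
    # A sensible client falls back to the control peer when the reply is bogus.
    return {"announced": ip, "port": port, "broken": broken,
            "use_ip": control_peer if broken else ip}

def alg_rewrite_pasv(reply: str, public_ip: str) -> str:
    """What an FTP application-layer gateway (ISA's FTP Access Filter, PIX
    'fixup protocol ftp') does on the way out: swap a private address in the
    227 reply for the firewall's public address, keeping the port."""
    ip, port = parse_endpoint(reply)
    if not is_rfc1918(ip):
        return reply
    return reply.replace(format_endpoint(ip, port), format_endpoint(public_ip, port))

# Constructed samples: a server behind NAT answering PASV with its RFC 1918
# address, and a client behind NAT issuing PORT with its own private address.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (172,16,12,8,19,137)."
SAMPLE_PORT_CMD = "PORT 10,0,0,5,4,1"
FIREWALL_PUBLIC_IP = "203.0.113.10"  # placeholder, not a real firewall address
```

Running check_pasv_reply on a capture of the 227 line (as the packet dump Jim suggested would show) tells you immediately whether the gateway's FTP filter is doing its job.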
