APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

ftp passive ftp nat firewall


From: "Brian K. White" <brian@aljex.com>
Newsgroups: comp.unix.sco.misc
References: <3bb34600.26529887@nntp.onyx.net>
<3bb36544.5370820@news.sf.sbcglobal.net>
<3bb43a9d.3091913@nntp.onyx.net>
<3bb4b0c7.6462584@news.sf.sbcglobal.net>
Subject: Re: Ftp between SCO. 550 Requested action not taken
charset="Windows-1252"
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
Message-ID: <rw4t7.6451$c8.906134@news1.rdc1.nj.home.com>
Date: Fri, 28 Sep 2001 19:50:47 GMT

"Matt Schalit" <mschalit@pacbell.net> wrote in message
news:3bb4b0c7.6462584@news.sf.sbcglobal.net...
> On Fri, 28 Sep 2001 08:55:19 GMT, iains@pciltd.co.uk (Iain Sharp) wrote:
>
> >On Thu, 27 Sep 2001 17:44:00 GMT, mschalit@pacbell.net (Matt Schalit)
> >wrote:
> >
> >>On Thu, 27 Sep 2001 15:36:57 GMT, iains@pciltd.co.uk (Iain Sharp) wrote:
> >>
> >>>
> >>>I am trying to configure ftp between two SCO 5.0.6 machines, each with
> >>>a firewall and NAT in place.
> >>>
> >>>I have worked out that I have to switch passive mode on, or remote
> >>>commands fail... (such as ls)
> >>>
> >>>I can get files (using get), but when I try to put them (using put) it
> >>>returns the error message :-
> >>>550 Requested action not taken
> >>>
> >>>I altered inetd.conf at the remote site, and added a -d to the ftpd.
> >>>syslog shows no indication of receiving the put command.
> >>>
> >>>I have asked the remote site to check if their firewall could be
> >>>blocking this transaction (and the delete transaction which returns
> >>>the same error)
> >>>
> >>>Where should I look next?
> >>>
> >>>Iain Sharp
> >>
> >>
> >>Increase the logging of all commands in /etc/ftpaccess,
> >>
> >> log commands real,anonymous
> >>
> >>You got a response from the server, "550 Requested action not taken."
> >>I think it got the request. Perhaps you need to enable incoming
> >>data to be put. Perhaps you need to allow delete, rename, chmod,
> >>etc., in ftpaccess.
> >
> >Neither of these appear to have made a difference, to either the log
> >file or the actions.
> >
> >Here's the transaction as it appears from either side.
> >
> >Iain
> >
> >My side of the transfer.
> >Connected to remoteserver.
> >220-
> >220 remoteserver FTP server (Version 2.1WU(1)+SCO-2.6.1+-sec) ready.
> >Name (remoteserver:localuser): remoteuser
> >331 Password required for remoteuser.
> >Password:
> >230 User remoteuser logged in.
> >Remote system type is UNIX.
> >Using binary mode to transfer files.
> >ftp> passive
> >Passive mode on.
> >ftp> lc <directory>
> >Local directory now <directory>
> >ftp> put wrapping.Z
> >local: wrapping.Z remote: wrapping.Z
> >227 Entering Passive Mode (nnn,nnn,nnn,nnn,212,194)
> >550 Requested action not taken
> >ftp> quit
> >221 Goodbye.
> >
> >
> >The remote log file (from /usr/adm/syslog)
> >
> >Sep 28 09:50:09 remoteserver ftpd[1979]: Kerberos V5: error while
> >constructing principal name: Unknown code DCE:krb 135 (336760967)
> >Sep 28 09:50:09 remoteserver ftpd[1979]: <--- 220-
> >Sep 28 09:50:09 remoteserver ftpd[1979]:
> >Sep 28 09:50:09 remoteserver ftpd[1979]: <--- 220
> >Sep 28 09:50:09 remoteserver ftpd[1979]: remoteserver FTP server
> >(Version 2.1WU(1)+SCO-2.6.1+-sec) ready.
> >Sep 28 09:50:09 remoteserver ftpd[1979]: command: AUTH KERBEROS_V5^M
> >Sep 28 09:50:09 remoteserver ftpd[1979]: <--- 334
> >Sep 28 09:50:09 remoteserver ftpd[1979]: Using authentication type
> >KERBEROS_V5: ADAT must follow
> >Sep 28 09:50:11 remoteserver ftpd[1979]: command: USER username^M
> >Sep 28 09:50:11 remoteserver ftpd[1979]: <--- 331
> >Sep 28 09:50:11 remoteserver ftpd[1979]: Password required for
> >username.
> >Sep 28 09:50:11 remoteserver ftpd[1979]: USER username
> >Sep 28 09:50:12 remoteserver ftpd[1979]: command: PASS ****^M
> >Sep 28 09:50:12 remoteserver ftpd[1979]: PASS password
> >Sep 28 09:50:12 remoteserver ftpd[1979]: <--- 230
> >Sep 28 09:50:12 remoteserver ftpd[1979]: User username logged in.
> >Sep 28 09:50:12 remoteserver ftpd[1979]: command: SYST^M
> >Sep 28 09:50:12 remoteserver ftpd[1979]: SYST
> >Sep 28 09:50:12 remoteserver ftpd[1979]: <--- 215
> >Sep 28 09:50:12 remoteserver ftpd[1979]: UNIX Type: L8 (SCO UNIX
> >Release 3.2v5.0.6 [on PentIII], KID 2000-07-27).
> >Sep 28 09:50:13 remoteserver ftpd[1979]: command: TYPE I^M
> >Sep 28 09:50:13 remoteserver ftpd[1979]: TYPE Image
> >Sep 28 09:50:13 remoteserver ftpd[1979]: <--- 200
> >Sep 28 09:50:13 remoteserver ftpd[1979]: Type set to I.
> >Sep 28 09:50:33 remoteserver ftpd[1979]: command: PASV^M
> >Sep 28 09:50:33 remoteserver ftpd[1979]: PASV
> >Sep 28 09:50:33 remoteserver ftpd[1979]: <--- 227
> >Sep 28 09:50:33 remoteserver ftpd[1979]: Entering Passive Mode
> >(nnn,nnn,nnn,nnn,14,150)
> >Sep 28 09:51:50 remoteserver ftpd[1979]: command: QUIT^M
> >Sep 28 09:51:50 remoteserver ftpd[1979]: QUIT
> >Sep 28 09:51:50 remoteserver ftpd[1979]: <--- 221
> >Sep 28 09:51:50 remoteserver ftpd[1979]: Goodbye.
> >
>
> Ok, I don't see anything either, except for
> the fact that the passive ports don't match.
> One side says,
>
> >227 Entering Passive Mode (nnn,nnn,nnn,nnn,212,194)
>
> but the other side says,
>
> >Sep 28 09:50:33 remoteserver ftpd[1979]: Entering Passive Mode (nnn,nnn,nnn,nnn,14,150)
>
>
> Those translate into: 255 * 212 + 194 = 54254
> and 255 * 14 + 150 = 3720
>
> So one side is saying, "I'll listen for you to start a connection on
> port 3720," but the other side got the message as, "I'll listen for you
> to start a connection on port 54254."
>
> Why the difference?
>
> 1) You cut and pasted the wrong log section.
>
> 2) You have a router doing NAT between server and client.


what kind of routers cause these problems?
I have most of my customers as well as myself set up with a unix server on a
non-routable lan with a router doing nat to a dsl or cable or t1, and the
routers are set to forward incoming traffic on some or all ports to the unix
box local IP

the routers are all different,
 * a redhat 6.2 box here in my office
 * commodity linksys, d-link, and netgear $150 wonder boxes
 * dsl router/modems from netopia, flowpoint, lucent

in all cases I can ftp directly from one unix box behind nat, over internet,
to another unix box behind nat, without any trouble at all, either
direction... I do it all day every day.

the "unix" boxes are mostly open server 5.0.4, some 5.0.5, a few 5.0.6, a
few linux, and a few FreeBSD

I never explicitly configure any passive options in the ftp clients, though
I never looked to see if they come configured for passive by default.



I never have trouble ftping from the windows machine on the lans either.

I have never touched an ftpaccess file in my life yet.

Just curious because I do see other people and various docs mention special
difficulties with ftp and nat, and I just have never seen any problem so
far.

Maybe I'm just lucky that I got in the game late enough that by now all
routers already include some kind of special knowledge of the ftp protocol
in order to automagically work around the problem? I know on linux, part of
the rc script that sets up the nat loads a special module for ftp along with
a few others, though I don't know what it does exactly. but on most of the
routers I set up, I just include port 21 as just another of the tcp ports to
forward into the unix box, without saying anything special about it.


--
Brian K. White  --  brian@aljex.com  --  http://www.aljex.com/bkw/
+++++[>+++[>+++++>+++++++<<-]<-]>>+.>.+++++.+++++++.-.[>+<---]>++.
filePro BBx  Linux SCO  Prosper/FACTS AutoCAD  #callahans Satriani
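
The PASV comparison discussed in the quoted thread, as an added example that is not part of the original post: it decodes each 227 reply with the RFC 959 encoding (port = p1 * 256 + p2) and compares what the client saw with what the server logged. The addresses are constructed samples standing in for the redacted nnn fields, and the function names are hypothetical.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 tuple of a 227 reply; \s* tolerates the syslog line wrap.
PASV_RE = re.compile(r"Entering Passive Mode\s*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv(text):
    """Return (ip, port) from the first 227 reply found in text, else None."""
    m = PASV_RE.search(text)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in PASV reply: %r" % (nums,))
    ip = ipaddress.ip_address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]  # RFC 959: port = p1*256 + p2

def compare_pasv(client_text, server_text):
    """Compare the 227 reply the client saw with the one the server logged."""
    seen, sent = parse_pasv(client_text), parse_pasv(server_text)
    if seen is None or sent is None:
        return {"verdict": "no 227 reply found on one side"}
    result = {"client_saw": "%s:%d" % seen, "server_sent": "%s:%d" % sent}
    if seen == sent:
        # No device rewrote the reply; a private address is unreachable from outside.
        private = any(seen[0] in net for net in RFC1918)
        result["verdict"] = ("unmodified; private address leaked to client"
                             if private else "unmodified")
    elif seen[1] == sent[1]:
        result["verdict"] = "address rewritten in transit (consistent with a NAT FTP helper)"
    else:
        result["verdict"] = "port differs: rewritten in transit or logs from different sessions"
    return result

# Constructed samples modelled on the transcript and syslog excerpt in the thread.
CLIENT_TRANSCRIPT = """ftp> put wrapping.Z
local: wrapping.Z remote: wrapping.Z
227 Entering Passive Mode (203,0,113,7,212,194)
550 Requested action not taken
"""
SERVER_SYSLOG = """Sep 28 09:50:33 remoteserver ftpd[1979]: <--- 227
Sep 28 09:50:33 remoteserver ftpd[1979]: Entering Passive Mode
(192,168,1,10,14,150)
"""

if __name__ == "__main__":
    print(compare_pasv(CLIENT_TRANSCRIPT, SERVER_SYSLOG))
```

With the p1,p2 pairs from the thread (212,194 and 14,150) this decodes to ports 54466 and 3734.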




