
comp.lang.python

ftplib question (cannot open data connection)

Laszlo Nagy

1/11/2008 1:57:00 PM


Hi All,

I'm using a simple program that uploads a file on a remote ftp server.
This is an example (not the whole program):


    import os
    import ftplib

    def store(self, hostname, username, password, destdir, srcpath):
        # open the control connection and authenticate
        self.ftp = ftplib.FTP(hostname)
        self.ftp.login(username, password)
        # the server only supports active mode, so turn passive mode off
        self.ftp.set_pasv(False)
        self.ftp.cwd(destdir)
        # upload the local file under its own basename
        fobj = open(srcpath, "rb")
        destname = os.path.split(srcpath)[1]
        self.ftp.storbinary("STOR " + destname, fobj)
        fobj.close()


The ftp server cannot use passive connections, and I can do nothing
about that. Here is the problem: I can connect to this ftp server from
my home computer, which is behind a NAT firewall. I can also connect to
it from another computer, but I'm not able to upload any file. I tried
to debug with a simple "ftp -v -d" command line program and apparently
the problem is with the "EPRT" command:

ftp> ls
---> EPRT |1|195.228.74.135|55749|
200 Port command successful.
---> LIST
425 Cannot open data connection.
ftp>

Well, the port number given by EPRT is bad - it is a closed port on this
computer. I can open a small port range for this, but I would not like
to open all ports and disable the firewall completely.

Here are my questions:

1. How can I instruct ftplib to use specific ports for incoming
connections? (For example, ports between 55000 and 56000).
2. How is it possible that the same program works from another computer
that is behind a NAT firewall?

Thanks,

Laszlo

2 Answers

Dennis Lee Bieber

1/11/2008 6:49:00 PM

0

On Fri, 11 Jan 2008 14:57:11 +0100, Laszlo Nagy <gandalf@shopzeus.com>
declaimed the following in comp.lang.python:

> The ftp server cannot use passive connections, and I can do nothing
> about that. Here is the problem: I can connect to this ftp server from
> my home computer, which is behind a NAT firewall. I can also connect to
> it from another computer, but I'm not able to upload any file. I tried
> to debug with a simple "ftp -v -d" command line program and apparently
> the problem is with the "EPRT" command:
>
> ftp> ls
> ---> EPRT |1|195.228.74.135|55749|
> 200 Port command successful.
> ---> LIST
> 425 Cannot open data connection.
> ftp>
>
> Well, the port number given by EPRT is bad - it is a closed port on this
> computer. I can open a small port range for this, but I would not like
> to open all ports and disable the firewall completely.
>
In active mode, you have more problems than just the random port
your client is telling the server to connect to... Your control
connection -- sending the "I'm listening on port ????" command -- goes
to the server control port 21.

BUT: active FTP does not just send the data to the port that was in
the random port that was sent to the server... it addresses to the port
you sent, but it sends its data response FROM port 20. This means the
response looks like a totally unsolicited connection attempt from the
outside -- the firewall doesn't even have enough information to
determine which machine (if multiple) inside the firewall should be
receiving the data, since the server is sending the data stream on its
port 20 and there is no active connection for server:20 to ANY
client:????. Even if you could tell the firewall to let in connections on
the specified port, the NAT tables won't know what inside IP to
translate the inbound server port 20...

Passive mode turns this around. The client connects to port 21, the
SERVER then picks a random (>1023) port number and sends it back to you
using the port 21 connection you already have open. The firewall sees
that it opened a clientIP:??? to server:21, and has received a server:21
packet for clientIP:???. Your client then "reconnects" to the server
using the port number the server sent to perform the data transfer -- a
firewall should not block this because the connection is initiated from
inside; it is not an unsolicited connection from the outside.

http://en.wikipedia.org/wiki/File_Transfer_Protocol#Connecti...
http://en.wikipedia.org/wiki/File_Transfer_Protocol#FTP_and_N...
--
Wulfraed Dennis Lee Bieber KD6MOG
wlfraed@ix.netcom.com wulfraed@bestiaria.com
HTTP://wlfraed.home.netcom.com/
(Bestiaria Support Staff: web-asst@bestiaria.com)
HTTP://www.bestiaria.com/

Laszlo Nagy

1/13/2008 10:29:00 AM

0


> BUT: active FTP does not just send the data to the port that was in
> the random port that was sent to the server... it addresses to the port
> you sent, but it sends its data response FROM port 20. This means the
> response looks like a totally unsolicited connection attempt from the
> outside -- the firewall doesn't even have enough information to
> determine which machine (if multiple) inside the firewall should be
> receiving the data; since the server is sending the data stream on its
> port 20 and there is no active connection for server:20 to ANY
> client:????
Yes, I know. But it DOES work from inside my NAT network. I have no clue
how. I'm sure that it is using active connections because this server
cannot use passive mode. It might be a very clever firewall that does
packet sniffing for "ftp PORT" commands. (?) Anyway, the problem is not
with this computer, it was a counter-example.
> Even if you could tell the firewall to let in connections on
> the specified port, the NAT tables won't know what inside IP to
> translate the inbound server port 20...
>
It does not need to. I can reconfigure the firewall to directly forward
all incoming TCP connections from a specified port range to a given IP
inside the internal network. But I do not even need to do that. The
problem is with a computer that is NOT behind NAT. It is a single
computer connected directly to the internet, but it has a firewall
installed. So everything would be fine except one thing: I should tell
ftplib which port(s) to open, and open those ports on my firewall. For
example, I can open TCP ports between 50000 and 60000, and then tell
ftplib to use ports between 50000 and 60000 in PORT and EPRT commands.
How can I do that? If that is not possible, then what is the workaround?
(Definitely I do not want to turn off the firewall completely on a
production server.)
> Passive mode turns this around.
Yep, but this ftp server cannot use passive mode and I cannot change this.

And finally, if this cannot be done in ftplib, then I would like to
suggest adding this method to Ftp objects. :-)

Best,

Laszlo
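The two questions above (restricting the ports ftplib announces in PORT/EPRT to a range such as 50000-60000, and keeping the firewall otherwise closed) can be addressed with the following added example; it is not code from the thread or from the Python standard library. It assumes Python 3's ftplib, where ntransfercmd() calls makeport() to create the active-mode listener, and the port range is assumed to be the one already opened on the host firewall.

```python
import random
import socket
import ftplib


def bind_listener_in_range(lo, hi, family=socket.AF_INET, attempts=64):
    """Return a listening TCP socket bound to a free port in [lo, hi].
    Ports are tried in random order; OSError if none could be bound."""
    if not (1 <= lo <= hi <= 65535):
        raise ValueError("bad port range %r-%r" % (lo, hi))
    candidates = list(range(lo, hi + 1))
    random.shuffle(candidates)
    for port in candidates[:attempts]:
        sock = socket.socket(family, socket.SOCK_STREAM)
        try:
            sock.bind(("", port))
            sock.listen(1)
            return sock
        except OSError:
            sock.close()
    raise OSError("no free port in range %d-%d" % (lo, hi))


class RangedPortFTP(ftplib.FTP):
    """ftplib.FTP whose active-mode data listener stays inside a port range.
    Only makeport() is replaced; ftplib's ntransfercmd() still calls it and
    then accept()s the server's inbound data connection on that socket."""

    def __init__(self, *args, port_range=(50000, 60000), **kwargs):
        self.port_range = port_range   # inclusive; assumed open on the host firewall
        super().__init__(*args, **kwargs)

    def makeport(self):
        lo, hi = self.port_range
        sock = bind_listener_in_range(lo, hi, family=self.af)
        port = sock.getsockname()[1]
        host = self.sock.getsockname()[0]   # our address on the control connection
        if self.af == socket.AF_INET:
            self.sendport(host, port)       # PORT h1,h2,h3,h4,p1,p2
        else:
            self.sendeprt(host, port)       # EPRT |2|host|port|
        if isinstance(self.timeout, (int, float)):
            sock.settimeout(self.timeout)
        return sock

# Usage mirroring the post (hostname and credentials are placeholders):
# ftp = RangedPortFTP("ftp.example.invalid", port_range=(50000, 60000))
# ftp.login("user", "password"); ftp.set_pasv(False)
# with open("report.csv", "rb") as f: ftp.storbinary("STOR report.csv", f)
```

The server still connects back from its port 20, so the firewall rule must allow inbound TCP to the chosen range only from the FTP server's address; a NAT in front of the client additionally needs port forwarding or an FTP-aware connection helper, as the answers explain.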