CLI FTP Client EPSV

Question

CLI FTP Client EPSV

Hi Community,

I figured out that my CLI FTP client try to connect to a FTP server first in extended passive mode (Both are here in the same location). In this state it is not possible to get the directory listening for example. It seems that the data channel is being blocked. If I disable this with the epsv command I can use the FTP client without any problems.

But if I use the CLI FTP client outside our organization and have to establish the connection over our border router, the connection works fine without sending the epsv command. If I use a third party FTP client like cyberduck, it doesn't matter where I am sitting (in the LAN or outside). It just works.

Can anybody explain why my (CLI) FTP client try to establish a connection with EPSV when we are in the same LAN as the FTP server is, and over the internet the EPSV mode isn't used.

Thanks in advance & Bye Tom

2009 MacPro; 2010 MacBookPro; 2009 MacMini; iPhone; iPod; iWhatEver, Mac OS X (10.6.4)

Posted on Aug 25, 2010 12:20 AM

Reply

Answer 1

Aug 25, 2010 1:48 PM in response to prontosystems

according to the manpage it is the default setting for the ftp(1) command.
If you would like to disable it just to the following:


echo "epsv4 off" > ~/.netrc
chmod 600 ~/.netrc

Reply

Answer 2

Camelot

Level 9

58,899 points

Aug 25, 2010 2:02 PM in response to prontosystems

Can anybody explain why my (CLI) FTP client try to establish a connection with EPSV when we are in the same LAN as the FTP server is, and over the internet the EPSV mode isn't used.

I think the real answer to your question is No - no one can explain this. 🙂

FTP is a dog. The whole passive/EPSV/active options are skanky hacks to overcome the poor design of FTP which was seemingly developed when firewalls weren't invented and security wasn't even a distant concern.

IMHO you should migrate to a more modern transfer protocol.

Reply

Answer 3

Aug 25, 2010 2:26 PM in response to prontosystems

I agree with Camelot. If you like your cli ftp client, you might be interested in trying sftp. It uses an ssh transport and is similar to ftp.

Reply

Answer 4

Aug 25, 2010 3:38 PM in response to Cole Tierney

Hi,

okay thanks for your answers. I know that FTP is an old protocol but it is pretty fast, even today. My intention to ask this question was that I was asked this question by a trainee and I tried to give a competent answer but when FTP is a dog... 😉

I know this because I configured a Ipchains firewall for a small company maybe ten years ago and Ipchains wasn't the best choice for serving a FTP server behind this kind of firewall, neither in passive mode nor in active mode.

I also read that using extended passive mode first is default in the built in CLI FTP client but I'm wondering every time that this seems not to be true when the connection comes from the internet side.

Thx & bye Tom

Reply

Answer 5

mdahlman

Level 1

0 points

Oct 18, 2010 3:29 PM in response to prontosystems

Has anyone had success with this? I tried Nils's example exactly as it's listed, and it didn't work for me. Fortunately, it pointed me to the relevant points in the man pages. Reading that I can see what the correct solution is... except that it doesn't work. I must be doing something wrong. Probably something simple. But I cannot figure out what's wrong.

Symptom:
When I ftp to the server FTP is in extended passive mode. I can tell this is true because if I try 'ls' immediately after logging in there is a very long delay. I see something like this:
ftp> ls
229 Entering Extended Passive Mode (|||37360|)
ftp: Can't connect to `72.32.74.66': Operation timed out
200 EPRT command successful
150 Opening ASCII mode data connection for file list
drwx------ 12 bizdev bizdev 4096 Oct 7 20:35 .
...

Alternatively, if I login and then enter 'epsv' or 'epsv4 off' and then enter try 'ls' everything works nicely:
ftp> epsv4 off
EPSV/EPRT on IPv4 off.
ftp> ls
227 Entering Passive Mode (72,32,74,66,146,186).
150 Opening ASCII mode data connection for file list
drwx------ 12 bizdev bizdev 4096 Oct 7 20:35 .
...

*Supposed solution:*
Edit the .netrc file to contain the needed info. After a few tries I have this:
$ more ~/.netrc
machine ftp.somewhere.com
login myuser
password mypassword

default
macdef init
epsv4 off

The 'macdef init' section is taken direct from the FTP man pages. There is a blank line following 'epsv4 off'. I'm certain that file has appropriate permissions and is being read because it picks up my login and password. I had to enter these manually before.

At this point I could give up and just resign myself to typing 'epsv' after logging in every time. But it's killing me. Surely I'm just missing something obvious. Can anyone see what I'm doing wrong?

Thanks,
Matt

Reply

Answer 6

MrHoffman

Level 10

148,345 points

Oct 18, 2010 3:51 PM in response to mdahlman

ftp is a steaming and fetid scheme, largely suitable a means for corrupting files, and for exposing passwords to all that care to know, and specifically incompatible with modern networks and firewalls. The protocol is horrid. The security is horrid. The interoperation is horrid.

That ftp also occasionally successfully transfers a file should be viewed as a fluke.

Use sftp. Seriously. Please let ftp die.

Reply

Answer 7

mdahlman

Level 1

0 points

Oct 19, 2010 11:31 AM in response to MrHoffman

I don't know FTP too well. I'm willing to concede that MrHoffman's points are perhaps entirely correct.

But the advice of "Use sftp" seems to be of limited value when I'm connecting to an existing FTP server. I can certainly inform the site owner of the steaming and fetid state of his (or her) horrid site. I expect that he or she be thankful for the advice.

Assuming for a moment that owner of the site is unable or unwilling to convert to SFTP immediately, I'd still like to configure my FTP preferences better now. Clearly I'm doing something wrong. I'll be grateful to anyone that provide an answer or suggestions that point in the right direction.

Reply

Answer 8

MrHoffman

Level 10

148,345 points

Oct 20, 2010 7:25 AM in response to mdahlman

I've had no problems getting folks to configure sftp, because they usually hate ftp, and they have had problems with ftp, and because most of the folks are usually also wonderfully vulnerable to the +ftp password gambit+; where you point out that anyone at the coffee shop or customer office or elsewhere has complete access to the ftp server.

The remaining holdouts might point to problems with Windows access (which inexplicably omits sftp stuff), which is where I point to [Filezilla|http://filezilla-project.org>.

And whether they want their file server to fill with dreck (just as soon as those ftp passwords are breached) and whether they'd rather have an easier time punching (more secure) traffic through their (and their customer's or staffer's) firewalls.

Most folks don't realize just how bad ftp is. Look around here in the forums; ftp bugs are a popular topic.

Reply

Answer 9

mdahlman

Level 1

0 points

Oct 29, 2010 4:53 PM in response to MrHoffman

For future readers of this thread... here's the answer:
My earlier attempt reflected a misunderstanding of how the .netrc file applies to different machines. The 'default' section applies only to machines not explicitly listed. I mistakenly thought it applied to all connections. Therefore I get my desired behavior with this:

$ more ~/.netrc
machine ftp.somewhere.com
login myuser
password mypassword
macdef init
epsv off

default
macdef init
epsv off

Woo hoo! No more giant delay before listing files. (I don't need to remember to type 'epsv' each time.)

Reply