Passive FTP Connection... desperate :)

Question

Passive FTP Connection... desperate :)

Hello,
Have tried both Linksys and D-Link routers. Have TCP 20-22 ports open via the firewall of the router. Have X Server set to allow these ports open, can connect via sftp, but not ftp. Get the "disabling epsv4 for this connection." I've tried opening port 1024-65535 in the X Server firewall and opening the router DMZ for the server. No change. Turning off the firewall on X Server, no change. Running X.4.4 Server. Fetch won't run ftp either, sftp works. I've read and tried every response that made sense. Is there anyway to use ftp through a firewall with X server without secure ftp? Client has windows users that must access via ftp because they were used to this before going to OS X Server. Any help would be beyond appreciation. 🙂

MDD G4 1GHz

Posted on Feb 3, 2006 7:13 PM

Reply

Answer 1

Feb 4, 2006 8:25 AM in response to Gale Allen Jr

Also, ftp does work inside the firewall on pc and mac from the finder and IE on the pc. Outside the firewall is the issue. Again any ideas would be greatly appreciated. 🙂

Reply

Answer 2

Feb 4, 2006 11:28 AM in response to Gale Allen Jr

Success. I believe opening the tcp ports for the X Server firewall 1024-65535 resolved this. Read this in discussions. Also had to open DMZ on the router. Now getting access from terminal and finder. Need to try a pc. Prior to this was getting "disabling epsv4 for this connection." Would loose the connection. Still get this error, but was able to get into passive mode and perform the ls command on the directory.

Reply

Answer 3

MacLemon

Level 2

455 points

Feb 5, 2006 1:23 PM in response to Gale Allen Jr

This is far more than you need, subsequently opening ports that might put other services at risk.

The official IANA passive FTP port range is 49152-65534. It's enough to open those and forward to your server. No need to expose it in the DMZ either.

With a really descent FTP server (other than the one bundled with Mac OS X Server) you can even specify what range to use for passive FTP.
MacLemon

Reply

Answer 4

Feb 5, 2006 2:19 PM in response to MacLemon

Spoke to soon. Still failing. Worked yesterday on initial tests, but now fails again today. Without opening the DMZ, ftp never works. SFTP does though. Today, get the same, "disabling epsv4 for this connection." when I type ls command. Entering passive mode, gives port info, the goes 200 port command successful, hangs there then comes back with 421 service not available. I definitely have to come up with a windows sftp equivilent to save face. DMZ is open, but no luck. Tried even stopping the service, deleting the current ftp settings plist and using the default and restarting the service and resetting everything, no change. It is SFTP or bust for now. Hopefully someone will polish this service just a little bit more in the future.

Reply

Answer 5

Feb 6, 2006 10:39 PM in response to Gale Allen Jr

Conclusion. Removed Firewall setting for opening tcp 1024-65535. Removed server from DMZ. FTP works fine inside the firewall, which makes sense. For business customers, ftp floating around with clear text passwords probably isn't the best solution trying to get inside the firewall. I'm no expert at any of this, but sftp makes more sense. Works fine with fetch and am trying cyberduck also for the mac. For the pc, coreftp LE seems to work fine. I've definitely learned a lot more about port forwarding, firewalls and ftp in general. Apple's structure for ftp probably makes since firewall wise with all that is happening today. Hope this info can help others as they attempt to setup ftp support for clients in the future.

Reply

Answer 6

May 3, 2006 1:58 PM in response to Gale Allen Jr

This is a somewhat dead topic, but I encountered a similar problem on my FTP server at home. (Panther behind a Linksys router)

Clients that used Active by default (Like Windows command line ftp) worked fine.

Clients that used Passive by default (Like OSX shell ftp) wouldn't work until you issued either a "passive" or "epsv" command.

Figured out how to force the ftpd server in 10.3 (Panther) to NEVER use passive, and all is cool!

create or edit the file ftpd.conf in the /etc folder

put this line in the file:

passive all off

That's it. The next connection used active by default. I've also got the command:

umask all 002

in that same file since I want the old 10.2 behavior of granting write access to the group that uploaded the file.

Reply