Firewall and FTP

I have failed in using a number of FTP apps. Cyberduck and Fetch will work but only if I turn off the firewall. I have tried toggling passive/active. I presume I must be missing a trick here. Is there a way to use these without switching off the firewall?

Mike

powerbook g4, Mac OS X (10.4.5), iPod mini, Netgear DG834Gv2

Posted on Apr 17, 2006 7:38 AM


Posted on Apr 17, 2006 8:16 AM

Hi Mike,

> I have failed in using a number of FTP apps. Cyberduck and Fetch will work but only if I turn off the firewall. I have tried toggling passive/active. I presume I must be missing a trick here. Is there a way to use these without switching off the firewall?

A short answer is: enable FTP access by checking the appropriate checkbox in System Preferences-->Sharing-->Firewall.

Unless you provide a detailed description of your network, how you want to use FTP etc, we can't give you specific advice...

You can read this discussion initiated by another user that wants to run an FTP server: http://discussions.apple.com/thread.jspa?threadID=446351&tstart=0



Macs running 9.x, Macs running 10.4.x, SGI workstations running Irix 6.5.x




Apr 17, 2006 8:44 AM in response to fu

I have a PB on a home wireless network. I use airport to connect to a netgear DG834g router. I am trying to upload files to my free space at Wanadoo. I had no trouble doing so with terrapin on a windows XP machine from my home network, but since my migration to mac I want to do it from my new machine rather than a PC.

I have already checked the FTP access box in sharing (but I presume that is for use if I am using my laptop as the ftp host(?) and I am not up to that technically!) and the other checked boxes are personal file sharing, windows sharing and itunes sharing. The internet tab of sharing has internet sharing off.

I presume I must have some setting not right on my powerbook's firewall, since terrapin can get through the router and do its business.

Mike

Apr 17, 2006 12:32 PM in response to Mike McMahon

Mike,

> I have a PB on a home wireless network. I use airport to connect to a netgear DG834g router. I am trying to upload files to my free space at Wanadoo. I had no trouble doing so with terrapin on a windows XP machine from my home network, but since my migration to mac I want to do it from my new machine rather than a PC.

You're talking about uploading files to a remote FTP server. All outgoing connections (from your Mac to the Internet) are allowed by default on MacOS X (unless you customized the firewall)

> I have already checked the FTP access box in sharing (but I presume that is for use if I am using my laptop as the ftp host(?) and I am not up to that technically!) and the other checked boxes are personal file sharing, windows sharing and itunes sharing. The internet tab of sharing has internet sharing off.

Yes, unless you want to turn your mac into an FTP server, there's no point in enabling (allowing) the FTP Access in your Firewall Settings...

> Cyberduck and Fetch will work but only if I turn off the firewall...
> I presume I must have some setting not right on my powerbook's firewall, since terrapin can get through the router and do its business.

Are you using MacOS X's built-in Firewall or a third party one (LittleSnitch, NetBarrier etc?)

What's the error you're getting when you try to connect to the FTP server?



Macs running 9.x, Macs running 10.4.x, SGI workstations running Irix 6.5.x

Apr 17, 2006 3:40 PM in response to fu

I only want to upload at present; Using OS X firewall; I seem to be able to log on to the ftp server but cannot download the file/directory list unless the firewall is turned off. The error is "IO Error: Operation timed out" while the application status is "listing directory", for cyberduck; and "fetch could not get the file list because data connections were blocked by both a firewall at the server and by the mac os x firewall" during "getting file list" in fetch. Hangs at the same stage in captain ftp.

Logging in seems to work OK. I take it after a certain time without getting the directory, the connection is dropped. But if I turn off the OS X firewall, everything works OK. Should I try different FTP software?

Mike

Apr 17, 2006 7:37 PM in response to Mike McMahon

Hi Mike,

Firstly, I always refer people to the web page http://slacksite.com/other/ftp.html which shows how ftp sessions work.

The problems you are having would seem to be due to the server you are trying to talk to not using/allowing "passive" FTP.

Double check any log output from a session and you should see both: your client software sending a "PASV" command to the server, and an affirmative response from the server.

You may also like to go back to the Terrapin software on the Windows box and see if it has passive mode selected.

If for some reason the server requires you to be in "active" mode, you will need to have the router set up to send incoming requests from the FTP server to your Mac, and your Mac firewall set to allow those incoming requests.

Graham

Jun 21, 2006 9:46 PM in response to Mike McMahon

I have observed something similar tonight. I want to be able to access my iMac remotely using FTP. So, I have set up my System Preferences/Sharing/Services to enable FTP Access. That opens up port 21 through the OS X firewall. Following the instructions, I have confirmed that, in System Preferences/Network/AirPort/Proxies, the box for "Use Passive FTP Mode (PASV)" is checked. In my AirPort Base Station configuration, I have port 21 (and 20, for good measure) forwarded to my iMac (at 192.168.1.2).

I have a Motorola SB5101 cable modem (no built-in router functionality), an AirPort Extreme Base Station (firmware version 5.7). My iMac is connected using AirPort, not an ethernet cable.

Here's the interesting part: using Cyberduck, or using the command-line ftp client through terminal, I can connect to my "local" IP address (192.168.1.2, inside my local network) just fine. However, if I try to ftp to my "external" IP address (the address assigned to my AirPort Extreme base station by my ISP), which should be forwarded on ports 20 and 21 to my iMac, it doesn't work if the OS X firewall is on. I can reach the server and log in, but cannot get an 'ls' to work. It goes into "extended passive mode" and just hangs there. Cyberduck tells me there's a username/password problem, but I don't believe that based on what I've seen in the command line ftp client.

If I turn the OS X firewall off completely, it works like a charm.

I'm not really too worried, because I had someone else (outside my local network) create an ftp connection to my AirPort's IP address, and they were able to log in and see files using the ftp client built into Finder. So the port forwarding is working, and the firewall is not blocking them.

Just to recap: Using several ftp clients, including two included with OS X, I can't create an ftp connection with the OS X ftp (tnftpd) server running on the same machine, if I ask the client to go out and come back in through the IP assigned to me by my ISP, as long as the OS X firewall is on. But, someone else can connect to my system from "the outside" when my firewall is on.

Does this make sense to anyone? Why would this be, and could it be related to the issue raised by the original poster in this thread?

Thanks.

Jul 24, 2006 2:08 PM in response to nmiller

Hi, I've got the same problem when trying to create a connection to an FTP server using my MacBook. And I found out that it's my hardware firewall (router) which is blocking the connection - correctly!

Reason:
As described above, authentication works fine. But then, although I'm using passive connection mode (yes, definitely), Cyberduck (or any other FTP app I tried) tries to connect to a random port on the FTP server to receive data - which is fine. The actual problem is that the MacBook is not using port 20 as a source port, but another random port. But the firewall is configured to only allow connections to random ports if the source port is port 20.

So, my question is: Does anyone know how to tell the MacBook to use port 20 as a source port for the outgoing connections?

Oct 3, 2006 10:36 PM in response to Mike McMahon

If you are having this problem with some FTP servers, but not with others, the following may help.

It turns out that choosing between "active" and "passive" mode is not enough. Passive connections can be initiated by the ftp client when it issues either an "EPSV" or "PASV" request to the server. By default Tiger's ftp client tries "EPSV" first, and then, if that fails, "PASV".

Unfortunately, some ftp servers will break the connection when they see an "EPSV" request, so that the client never gets a chance to try "PASV".

Tiger's command line ftp client can be made to try "PASV" first, but only in interactive mode; there are no command line options or environment variables to trigger this behaviour. In interactive mode, at the "ftp>" prompt, enter "epsv4". Then continue as usual with your cd, ls, and get commands. If the problem I describe here is what ails you, this should cure it. If this doesn't cure it, you have another problem.

BTW, I believe that some scripts break because of this and cannot be fixed until the ftp client has a command line option or environment variable to trigger the PASV-first behaviour. Another BSD, OpenBSD, chose to use the command line option approach (-E).
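The check Graham suggests (look in the session log for the "PASV" command and the server's answer) and the EPSV-versus-PASV behaviour described in the last post can be automated. The following is an added example, not code from any poster or from an FTP client: the `>`/`<` line markers, the function names `hostport` and `negotiations`, and the sample transcript are all constructed for illustration.

```python
import re

# RFC 959 PORT argument and 227 reply both carry h1,h2,h3,h4,p1,p2.
HOSTPORT = re.compile(r"(\d{1,3})" + r",(\d{1,3})" * 5)
# RFC 2428 229 reply carries only the port: (|||port|)
EPSV_REPLY = re.compile(r"\(\|\|\|(\d{1,5})\|\)")

def hostport(text):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); None if absent or invalid."""
    m = HOSTPORT.search(text)
    if not m or max(int(x) for x in m.groups()) > 255:
        return None
    n = [int(x) for x in m.groups()]
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]

def negotiations(log):
    """Return (command, data-connection initiator, port, outcome) tuples.
    '>' marks a client command, '<' a server reply (constructed convention)."""
    found, pending = [], None
    for line in log:
        side, text = line[:1], line[1:].strip()
        verb = text.split(" ", 1)[0].upper()
        if side == ">" and verb in ("PASV", "EPSV"):
            pending = verb
        elif side == ">" and verb == "PORT":
            hp = hostport(text)  # active mode: server dials in to this port
            found.append(("PORT", "server", hp[1] if hp else None, "requested"))
        elif side == "<" and pending:
            hp = hostport(text) if text.startswith("227") else None
            m = EPSV_REPLY.search(text) if text.startswith("229") else None
            if pending == "PASV" and hp:
                found.append(("PASV", "client", hp[1], "ok"))
            elif pending == "EPSV" and m:
                found.append(("EPSV", "client", int(m.group(1)), "ok"))
            else:
                found.append((pending, "client", None, "refused: " + text[:3]))
            pending = None
    if pending:  # control connection ended before the server answered
        found.append((pending, "client", None, "no reply"))
    return found

# Constructed control-channel transcript (not taken from the thread).
SAMPLE = [
    "< 230 Logged in", "> PASV",
    "< 227 Entering Passive Mode (192,0,2,10,195,80)",
    "> EPSV", "< 229 Entering Extended Passive Mode (|||50001|)",
    "> EPSV", "< 500 Unknown command",
    "> PORT 192,168,1,2,200,21", "< 200 PORT command successful",
    "> EPSV",
]
```

An initiator of "client" means the data connection is outbound from the Mac to the listed server port; "server" means an inbound connection to the listed client port, which the router and the Mac's firewall must both admit. A trailing "no reply" entry for EPSV matches the case where the server drops the control connection before the client can fall back to PASV.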
