Fedora ftp install without a name server?
Ben Scott
dragonhawk at gmail.com
Thu Mar 23 15:17:00 EST 2006
On 3/23/06, Bill Freeman <f at ke1g.mv.com> wrote:
> An interesting additional data point is that if I tell the ftp
> client on Knoppix to use passive mode, then I can no longer do
> transfers.
Ah-ha! I, too, suspect the cause of that problem is also causing a
problem for the installer. I would expect the installer to use
passive mode, as it's generally considered the "better" of the two.
> I can log in, change directory, but I can't, for example,
> list the directory.
Right. Simple commands all go over the control channel, but data
transfers go over the data channel. That includes directory listings.
> I get "no route to host". Perhaps ... there is a firewall problem or a
> vsftpd configuration problem on the server.
I would guess a firewall problem. If there really was no route to
the host, it wouldn't work at all. If vsftpd wasn't listening at all,
you would get "Connection refused"; if it listened but then broke the
connection, that would be "Connection closed by remote host" or
similar. "No route to host" implies a firewall sent that ICMP message
as a reject mechanism.
Of course, it could be an inaccurate diagnostic. Those are common
enough. But still, I strongly suspect you're on the right path.
> Time for Bill to learn how passive mode works ...
Basically, FTP uses two TCP connections: A control channel and a
data channel. The client establishes the control channel to TCP port
21 on the server, and uses that for commands. The PORT (active)
and/or PASV (passive) commands are used to establish the data channel.
In active mode, the data channel is initiated by the FTP *server* to
the client. The client listens on an ephemeral port, and informs the
server of same (via PORT). The server initiates connections *from*
TCP port 20 to that ephemeral port on the client. Back when FTP was
first designed, using a port < 1024 was considered a security measure.
Since that obviously sucks for any number of reasons, passive mode
was created. PASV has the *server* listen on an ephemeral port, which
it tells the client about. The client then connects to that port for
the data channel.
Because FTP uses two TCP connections, it commonly gives firewalls
and NAT fits. Both have to do "stateful packet inspection",
where they monitor the FTP control channel, extract the port numbers,
and allow them for the related connections.
-- Ben
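As an added illustration of the stateful-inspection step described above (example code written for this page, not from the thread or from any firewall product), the following Python helper parses a PORT command and a PASV reply the way a firewall's FTP helper would, derives the data-channel port as p1*256 + p2, and records which side is expected to connect from which port. It refuses a line that announces a host other than the side that sent it, so no pinhole is opened for a third party. The sample control-channel lines are constructed.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample control-channel lines (not from the thread).
SAMPLE_PORT_LINE = "PORT 192,168,1,10,195,80"                    # client -> server
SAMPLE_PASV_LINE = "227 Entering Passive Mode (10,0,0,5,39,16)"   # server -> client

class DataChannel(NamedTuple):
    mode: str                # "active" or "passive"
    src_port: Optional[int]  # fixed source port of the initiator, None if ephemeral
    dst_host: str
    dst_port: int

_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _decode(fields):
    """Turn h1,h2,h3,h4,p1,p2 into (host, port); the port is p1*256 + p2."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range: %r" % (fields,))
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return host, port

def expected_data_channel(line, sender_host):
    """Return the data connection a stateful FTP helper should expect after
    seeing `line` on the control channel, or None if the line opens no data
    channel or names a host other than the side that sent it."""
    m = _PORT_RE.match(line)
    if m:
        host, port = _decode(m.groups())
        if host != sender_host:
            return None
        # Active mode: the *server* connects from TCP 20 to the client's port.
        return DataChannel("active", 20, host, port)
    m = _PASV_RE.match(line)
    if m:
        host, port = _decode(m.groups())
        if host != sender_host:
            return None
        # Passive mode: the *client* connects from an ephemeral port to the server's port.
        return DataChannel("passive", None, host, port)
    return None
```

A firewall that cannot see the control channel (encrypted, or on a non-standard port) cannot do this, which is why the matching data connection then fails with an ICMP reject rather than a clean refusal.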