ftplib question (cannot open data connection)

Laszlo Nagy gandalf at shopzeus.com
Sun Jan 13 05:29:23 EST 2008


> 	BUT: active FTP does not just send the data to the port that was in
> the random port that was sent to the server... it addresses to the port
> you sent, but it sends its data response FROM port 20. This means the
> response looks like a totally unsolicited connection attempt from the
> outside -- the firewall doesn't even have enough information to
> determine which machine (if multiple) inside the firewall should be
> receiving the data; since the server is sending the data stream on its
> port 20 and there is no active connection for server:20 to ANY
> client:???? 
Yes, I know. But it DOES work from inside my NAT network. I have no clue 
how. I'm sure that it is using active connections because this server 
cannot use passive mode. It might be a very clever firewall that does 
packet sniffing for "ftp PORT" commands. (?) Anyway, the problem is not 
with this computer; it was a counter-example.
> Even if you could tell the firewall to let in connections on
> the specified port, the NAT tables won't know what inside IP to
> translate the inbound server port 20...
>   
It does not need to. I can reconfigure the firewall to directly forward 
all incoming TCP connections from a specified port range to a given IP 
inside the internal network. But I do not even need to do that. The 
problem is with a computer that is NOT behind NAT. It is a single 
computer connected directly to the internet, but it has a firewall 
installed. So everything would be fine except one thing: I should tell 
ftplib which port(s) to open, and open those ports on my firewall. For 
example, I can open TCP ports between 50000 and 60000, and then tell 
ftplib to use ports between 50000 and 60000 in PORT and EPRT commands. 
How can I do that? If that is not possible, then what is the workaround? 
(Definitely I do not want to turn off the firewall completely on a 
production server.)
> 	Passive mode turns this around. 
Yep, but this ftp server cannot use passive mode and I cannot change this.

And finally, if this cannot be done in ftplib, then I would like to 
suggest adding this method to FTP objects. :-)

Best,

   Laszlo
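An added example, not part of the thread: one way to confine ftplib's active-mode data ports to the firewall-opened range is to subclass `ftplib.FTP` and override `makeport()`, the stdlib method that binds the listening data socket and sends PORT/EPRT. It assumes Python 3.8+ (for `socket.create_server`); the host name is a placeholder, and `bind_in_range`, `RangedPortFTP` and `port_range` are names introduced here.

```python
import ftplib
import socket

def bind_in_range(lo, hi, family=socket.AF_INET):
    """Return a listening socket bound to the first free port in [lo, hi].

    Raises OSError when the whole range is busy, so an exhausted or wrongly
    configured range fails loudly instead of ftplib using a random port.
    """
    last_err = None
    for port in range(lo, hi + 1):
        try:
            return socket.create_server(("", port), family=family, backlog=1)
        except OSError as exc:  # port in use or not permitted: try the next one
            last_err = exc
    raise OSError(f"no free port in {lo}-{hi}") from last_err

class RangedPortFTP(ftplib.FTP):
    """FTP client whose active-mode data sockets stay inside a port range.

    makeport() is not a documented extension point; check its body in your
    Python version before relying on this override.
    """

    def __init__(self, *args, port_range=(50000, 60000), **kwargs):
        self.port_range = port_range
        super().__init__(*args, **kwargs)

    def makeport(self):
        lo, hi = self.port_range
        sock = bind_in_range(lo, hi, self.af)
        port = sock.getsockname()[1]
        host = self.sock.getsockname()[0]  # our address on the control connection
        if self.af == socket.AF_INET:
            self.sendport(host, port)       # sends PORT h1,h2,h3,h4,p1,p2
        else:
            self.sendeprt(host, port)       # sends EPRT |2|host|port|
        sock.settimeout(self.sock.gettimeout())
        return sock

if __name__ == "__main__":
    # Placeholder host; the server in the thread only supports active mode.
    ftp = RangedPortFTP("ftp.example.invalid", port_range=(50000, 60000))
    ftp.login()
    ftp.set_pasv(False)
    ftp.retrlines("LIST")
    ftp.quit()
```

The firewall rule then only needs to allow inbound TCP 50000-60000 to this host; everything else stays closed.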
