ftplib problems with firewall

David Bolen db3l at fitlinxx.com
Tue Aug 1 17:25:51 EDT 2000


"lance <lance_99_99@" <"no_spam>yahoo.com"> writes:

> That is not the case here I'm afraid. I have no 'pass in' rules at all
> (well, except for one loopback rule), everything that is allowed in by the
> firewall has been initiated by me:
> 
> pass out on <my NIC> proto tcp/udp from <my machine> to any keep state
> pass out on <my NIC> proto icmp from <my machine> to any keep state
> 
> These 2 rules allow all programs to function perfectly (FTP, ICQ, ...), and
> I cannot understand why ftplib won't work with these 2 rules.

A normal FTP client really shouldn't work with outbound rules only
either.  It should need the data connection just as much as ftplib.

Unless there's something going on in your firewall (I'm not that
familiar with the IP filter setup) that identifies the start of an FTP
request, and implicitly opens up a hole - either for the duration of
the control session, or just in response to seeing a PORT packet go
through - permitting the remote host to make the reverse connection.

(Oh, and I'm presuming you mean a real FTP client and not a web
browser to an FTP: URL, right?  The latter can be proxied differently
than a pure FTP client)

> In your previous post you mentioned the control connection and the
> dynamically allocated data connection. Only the control connection is
> allowed through, the data connection is indeed blocked (as confirmed by
> tcpdump). Which also explains why I can change directories, but cannot
> download data or list the directory contents.

Since you mention tcpdump - it would be really interesting to see what
was happening with your other FTP client that works, when for example,
you do a directory listing, since that might give a hint as to how it
could possibly work with outbound rules only, since that's sort of
perplexing.  Maybe the IP filter is looking for a specific format of
the PORT command which is different with ftplib.  I'm just guessing
though :-)

> but obviously, this is not something I want in my rulelist; it really should
> work with the rules I have.

Well, barring any implicit rule creation as I mention above, with FTP
it shouldn't ("should" work that is).  That's an unfortunate
consequence of the actual FTP protocol - it needs to use connections
from the server on port 21 to arbitrary ports on the requesting
machine.

(FTP is also a pain in the neck for NAT boxes, since they have to
actually peek into the FTP packet stream and re-write the PORT command
packets which have the source IP address in ASCII :-))

--
-- David
-- 
/-----------------------------------------------------------------------\
 \               David Bolen            \   E-mail: db3l at fitlinxx.com  /
  |             FitLinxx, Inc.            \  Phone: (203) 708-5192    |
 /  860 Canal Street, Stamford, CT  06902   \  Fax: (203) 316-5150     \
\-----------------------------------------------------------------------/
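An added illustration, not code from this thread: a small Python model of the point made above, that with "pass out ... keep state" and no "pass in" rules the control connection to port 21 succeeds but the active-mode data connection (opened by the server towards the port the client advertised in ASCII via PORT) is dropped, while a passive-mode data connection (PASV, client opens it) passes. The filter class, the addresses and the 227 reply are constructed for the example.

```python
import re

# RFC 959 encodes address and port in ASCII as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def format_port_command(host, port):
    """Build the PORT line an active-mode client (ftplib included) sends."""
    return "PORT " + ",".join(host.split(".") + [str(port // 256), str(port % 256)])

def parse_hostport(line):
    """Extract (ip, port) from a PORT command or a '227 Entering Passive Mode' reply."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

class OutboundOnlyFilter:
    """Toy model (constructed) of 'pass out ... keep state' with no 'pass in' rules:
    a new TCP connection is permitted only if the local host opens it."""

    def __init__(self, local_ip):
        self.local_ip = local_ip
        self.flows = []

    def new_connection(self, src, dst):
        allowed = src[0] == self.local_ip
        if allowed:
            self.flows.append((src, dst))  # state entry lets the replies back in
        return allowed

def simulate_transfer(local_ip, server_ip, passive):
    """Return (control_ok, data_ok) for one directory listing through the filter."""
    fw = OutboundOnlyFilter(local_ip)
    control_ok = fw.new_connection((local_ip, 40001), (server_ip, 21))
    if passive:
        # Constructed PASV reply: the server tells the client where to connect.
        ip, port = parse_hostport("227 Entering Passive Mode (203,0,113,5,195,80)")
        data_ok = fw.new_connection((local_ip, 40002), (ip, port))
    else:
        # Active mode: client advertises a port, server connects back (RFC 959 data port 20).
        ip, port = parse_hostport(format_port_command(local_ip, 40002))
        data_ok = fw.new_connection((server_ip, 20), (ip, port))
    return control_ok, data_ok

if __name__ == "__main__":
    print("active :", simulate_transfer("192.0.2.10", "203.0.113.5", passive=False))
    print("passive:", simulate_transfer("192.0.2.10", "203.0.113.5", passive=True))
```

In ftplib, `FTP.set_pasv(True)` selects passive mode (the default in current Python releases), which is the usual way to make ftplib work behind an outbound-only stateful filter without adding inbound rules.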
