
I would like to connect to an FTP destination and write a file to it. FTP abruptly closes after entering PASV mode. There is nothing wrong with the FTP server setting as such. I am not really sure what I can fix on the FTP server to fix this problem. Any ideas?


lonelymo

1 Answer


Q: Is the IP address in the client message the same as the server's IP the client accessed or is it the non-public IP address of the server? --- A: It is the non-public IP that the client gets.

This sounds like an FTP server behind a NAT which provides the internal private IP address in the reply for the PASV command. Since the client is probably not in the same private network this private address is not reachable by the client. Thus the client gets the following error:

"java.net.SocketPermission" "10.xx.xxx.xxx:123456" "connect,resolve"

FTP where one side is behind NAT conflicts with the general architecture of the FTP protocol, that is, dynamically created data channels where the endpoints get announced within the control connection. If only one of the peers is behind NAT you can usually work around it by using either passive mode (client behind NAT) or active mode (server behind NAT). If both peers are behind NAT or if you want to use passive/active mode in an unsuitable scenario it gets more complicated and you usually need either helpers on the router/firewall or specific configurations for the client/server and lots of ugly port forwarding.

Steffen Ullrich
  • Thanks for the detailed explanation. So the bottom line is, since the server cannot come out of the NAT and the client cannot go into the NAT- switch to Active mode? – lonelymo Jan 20 '15 at 19:36
  • If the client is in a public network and has no firewall or similar thing in front of it (or locally) then you could use active mode. Otherwise probably not. – Steffen Ullrich Jan 20 '15 at 20:18
  • Sorry, I may have misled you. I rechecked it again. The IP address in the client message and the IP address the client pings is the same - just that the ports are different. – lonelymo Jan 20 '15 at 20:59
  • According to the picture you show, the client connects from the public IP `166.78.67.143`. The IP from the PASV log message on the client starts with `10.`, but 10/8 is a private network and not routable on the internet. But a client with a public routable IP cannot connect to a private IP. – Steffen Ullrich Jan 20 '15 at 21:41
  • But the public IP is whitelisted in the private network. So I am able to make calls - the log screenshot also depicts that. – lonelymo Jan 20 '15 at 21:43
  • I assume you mean port forwarding, not white listing, because a simple white listing does not change that there is no route. And this port forwarding does not change the fact that your FTP server announces an IP as endpoint which has no route from the client. I recommend that you study the various links [Google has about this topic](https://www.google.com/?q=ftp%20server%20behind%20router%20passive%20mode) to understand it a bit more. – Steffen Ullrich Jan 20 '15 at 22:18
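
The mismatch discussed in the answer above can be confirmed on the client side by decoding the PASV reply and comparing the announced endpoint with the address the control connection actually reached. This is an added example, not code from the original question or answer; the function names are hypothetical, and the sample reply and the server address `203.0.113.10` are constructed.

```python
import ipaddress
import re

# RFC 959 format of the 227 reply: (h1,h2,h3,h4,p1,p2), port = p1*256 + p2
PASV_TUPLE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_pasv(reply):
    """Return (IPv4Address, port) announced in a 227 reply."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    match = PASV_TUPLE.search(reply)
    if match is None:
        raise ValueError("no host/port tuple in: %r" % reply)
    fields = [int(f) for f in match.groups()]
    if max(fields) > 255:
        raise ValueError("field out of range in: %r" % reply)
    host = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return host, fields[4] * 256 + fields[5]

def is_rfc1918(addr):
    """True if addr lies in one of the RFC 1918 private ranges."""
    return any(addr in net for net in RFC1918)

def check_pasv(reply, control_peer):
    """Compare the announced data endpoint with the control connection's peer."""
    host, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)
    findings = []
    if host != peer:
        findings.append("announced address differs from control-connection peer")
    if is_rfc1918(host) and not is_rfc1918(peer):
        findings.append("server announces a private address to a client outside that network")
    return {"host": str(host), "port": port, "findings": findings}

# Constructed sample input: a reply from a server behind NAT, reached on 203.0.113.10
SAMPLE_REPLY = "227 Entering Passive Mode (10,0,0,5,195,80)"
SAMPLE_PEER = "203.0.113.10"

if __name__ == "__main__":
    result = check_pasv(SAMPLE_REPLY, SAMPLE_PEER)
    print("data endpoint announced: %s:%d" % (result["host"], result["port"]))
    for finding in result["findings"]:
        print("finding:", finding)
```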