ftp error: EPSV command not understood

My FTP connection from an OpenSUSE 10.3 box is giving me errors until it
actually times out. If I type “dir” or “ls” or “mget” I get


500 'EPSV': command not understood.
227 Entering Passive Mode (10,24,19,10,189,240)
200 PORT command successful.

421 Service not available, remote server timed out. Connection closed

There is no firewall on my OpenSUSE client machine.

If I try ftp -A (to enter active mode) and type “dir” I get


500 'EPRT |1| <client's IP> |26086|': command not understood.
200 PORT command successful.

421 Service not available, remote server timed out. Connection closed

If I do “rpm -qa | grep -i ftp” I can see

tftp-0.48-39
lukemftp-1.5-660

I am logged in as a normal user on the client box. And I looked at the /etc/ftpusers list and my username doesn’t appear there.

I also tried curl:

curl --verbose --user "username:password" ftp://ftp.domain.com/system/data.txt.839329 --output somefile

I get error:


500 'EPSV': command not understood.
* disabling EPSV usage

and then it exits with error: “curl: (7) couldn’t connect to host”

It doesn’t seem like an issue with my router’s ACL list, as I can at least
connect to the ftp server, and I tried connecting to the openbsd ftp server
and that works fine.

I have also added “ftp : ALL” and “ftp-data : ALL” to the /etc/hosts.allow on my
client machine - no luck.

tcpdump shows that if I try to connect to “ftp.domain.com” it actually takes me to “ftp2.admin.domain.com”, and if I try to connect to “ftp2.admin.domain.com” directly it actually times out. I don’t have any control over the server side. And ftp to “ftp.domain.com” works fine from another box.

Thanks for any help.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FTP is an interesting beast. See the wikipedia.org entry for full
details but here’s a small intro. First, FTP uses one port for
commands, and one port for data transfers (actual files, ls/dir output,
etc.). The problem with this is that in active mode the server actually
makes a connection back to the client machine on some random high port
for this connection to work. The server’s source port is TCP/20 even
though the rest of the connection is over TCP/21. This means any client
machine with a firewall that doesn’t inspect FTP traffic to see which
port should be opened will see this as an unsolicited (intruder)
connection coming from some random box on the network/Internet and, of
course, block it. So along comes Passive mode, which is the default in
most worthwhile FTP clients, which has the server instead send the
client a port to which the client can then make a connection. This
means every FTP client machine in the world doesn’t need to know beans
about packet inspection or opening the firewall somehow (assuming it
even has that ability, which it typically doesn’t and shouldn’t) and
makes life nice… AS LONG AS the server has the port it sends to the
client open to the world. FTP servers, therefore, often have most of
their ports unblocked by a host-based or network-based firewall, and all
those ports are closed unless a connection is made.

In your case if your server has a firewall enabled as it probably does
and should by default then it is the cause. Look in /var/log/firewall
for messages about this on either your host or client machine, but your
host specifically if you are using Passive mode which is the default.
Stop the server’s host-based firewall (‘rcSuSEfirewall2 stop’ as the
‘root’ user) and see if that fixes things. If so you know you need to
open up the ports the FTP server will use.

Good luck.

henders254 wrote:
> My FTP connection from an OpenSUSE 10.3 box is giving me errors until it
>
> actually times out. If I type “dir” or “ls” or “mget” I get
>
>
> Code:
> --------------------
>
> 500 'EPSV': command not understood.
> 227 Entering Passive Mode (10,24,19,10,189,240)
> 200 PORT command successful.
>
> 421 Service not available, remote server timed out. Connection closed
>
> --------------------
>
>
> There is no firewall on my OpenSUSE client machine.
>
> If I try ftp -A (to enter active mode) and type “dir” I get
>
>
> Code:
> --------------------
>
> 500 'EPRT |1| <client's IP> |26086|': command not understood.
> 200 PORT command successful.
>
> 421 Service not available, remote server timed out. Connection closed
>
> --------------------
>
>
> If I do “rpm -qa | grep -i ftp” I can see
>
> tftp-0.48-39
> lukemftp-1.5-660
>
> I am logged in as a normal user on the client box. And I looked at the
> /etc/ftpusers list and my username doesn’t appear there.
>
> I also tried curl:
>
> curl --verbose --user "username:password" ftp://ftp.domain.com/system/data.txt.839329 --output somefile
>
> Here also I get error:
>
>
> Code:
> --------------------
>
> 500 'EPSV': command not understood.
> * disabling EPSV usage
>
> --------------------
>
>
> and then it exits with error: “curl: (7) couldn’t connect to host”
>
> It doesn’t seem like an issue with my router’s ACL list, as I can at
> least connect to the ftp server, and I also tried connecting to the
> openbsd ftp server and that works fine.
>
> I have also added “ftp : ALL” and “ftp-data : ALL” to my
> /etc/hosts.allow on my
> client machine - no luck.
>
> tcpdump shows that if I try to connect to “ftp.domain.com” it actually
> takes me to “ftp2.admin.domain.com”, and if I try to connect to
> “ftp2.admin.domain.com” directly it actually times out. I don’t have any
> control over the server side. And ftp to “ftp.domain.com” works fine
> from another box.
>
> Thanks for any help.
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFI/7gT3s42bA80+9kRAsB8AJwOFjZvvzGwfmjHEXprKv/n4RHUAwCfZ3Gl
UyEftplIZ6xzRD9P6Z5vpGo=
=b3HB
-----END PGP SIGNATURE-----

Just to add to what ab wrote, if you are running a server with a firewall you will need to load the nf_conntrack_ftp module, and in addition if your firewall is NATing, you need the nf_nat_ftp module. And if you have a border firewall, then you need to do the same there. And if that firewall is not Linux, then you have to do the equivalent. If that is not possible, you can open a range of ports the server is supposed to use and make the server restrict itself to those ports. This is an option with some ftp servers like vsftpd, and is needed when FTP over SSL is used.
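To make the advice above checkable on the server side, here is an added example (my own code, not from the thread, vsftpd or netfilter) that cross-checks three things an admin would look at: the pasv_min_port/pasv_max_port range in vsftpd.conf, the tcp port ranges the INPUT chain of an iptables-save dump actually accepts, and whether nf_conntrack_ftp / nf_nat_ftp show up in lsmod. The three inputs are constructed samples; the option, module and rule names are real, the values are made up. It reports the passive ports the firewall leaves closed and the missing NAT helper, which are the two ways the data connection in the thread ends up timing out.

```python
import re

# Constructed sample inputs (not from any real host): a vsftpd.conf with a
# fixed passive range, an iptables-save dump that opens only part of it,
# and an lsmod listing without the ftp helper modules.
VSFTPD_CONF = """\
listen=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
"""

IPTABLES_SAVE = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50000:50050 -j ACCEPT
COMMIT
"""

LSMOD = """\
Module                  Size  Used by
nf_conntrack          143360  0
"""


def pasv_range(conf_text):
    """(min, max) from pasv_min_port/pasv_max_port; None when vsftpd may use any port (0/unset)."""
    opts = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", conf_text, re.M))
    lo, hi = int(opts.get("pasv_min_port", 0)), int(opts.get("pasv_max_port", 0))
    return (lo, hi) if 0 < lo <= hi else None


def accepted_tcp_ranges(rules_text, chain="INPUT"):
    """Destination-port ranges the chain ACCEPTs for tcp, as (lo, hi) tuples."""
    ranges = []
    for line in rules_text.splitlines():
        tok = line.split()
        if tok[:2] != ["-A", chain] or "--dport" not in tok or "tcp" not in tok:
            continue
        if "-j" not in tok or tok[tok.index("-j") + 1] != "ACCEPT":
            continue
        lo, _, hi = tok[tok.index("--dport") + 1].partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def related_accept_rule(rules_text, chain="INPUT"):
    """True if the chain accepts RELATED state, which is how helper-tracked data connections get in."""
    for line in rules_text.splitlines():
        tok = line.split()
        if tok[:2] == ["-A", chain] and "--ctstate" in tok and "-j" in tok:
            states = tok[tok.index("--ctstate") + 1].split(",")
            if "RELATED" in states and tok[tok.index("-j") + 1] == "ACCEPT":
                return True
    return False


def loaded_modules(lsmod_text):
    """Module names from lsmod output (header line skipped)."""
    return {line.split()[0] for line in lsmod_text.splitlines()[1:] if line.strip()}


def uncovered(port_range, ranges):
    """Sub-ranges of port_range that no accepted range covers."""
    lo, hi = port_range
    covered = set()
    for a, b in ranges:
        covered.update(range(max(a, lo), min(b, hi) + 1))
    gaps, start = [], None
    for p in range(lo, hi + 2):           # hi + 1 is a sentinel that closes an open gap
        missing = p <= hi and p not in covered
        if missing and start is None:
            start = p
        elif not missing and start is not None:
            gaps.append((start, p - 1))
            start = None
    return gaps


def audit(conf_text, rules_text, lsmod_text, nat=False):
    """Cross-check server config, firewall rules and helper modules for the data channel."""
    mods = loaded_modules(lsmod_text)
    rng = pasv_range(conf_text)
    helper = "nf_conntrack_ftp" in mods and related_accept_rule(rules_text)
    gaps = uncovered(rng, accepted_tcp_ranges(rules_text)) if rng else []
    problems = []
    if rng is None and not helper:
        problems.append("no fixed passive range and no ftp conntrack helper: data ports unreachable")
    if gaps and not helper:
        problems.append("passive range not fully opened: " + ", ".join(f"{a}-{b}" for a, b in gaps))
    if nat and "nf_nat_ftp" not in mods:
        problems.append("firewall NATs but nf_nat_ftp is not loaded: 227 reply will carry the private address")
    return {"pasv_range": rng, "helper_active": helper, "gaps": gaps, "problems": problems}


if __name__ == "__main__":
    for p in audit(VSFTPD_CONF, IPTABLES_SAVE, LSMOD, nat=True)["problems"]:
        print("PROBLEM:", p)
```

Feed it the real files (`iptables-save`, `lsmod`, `/etc/vsftpd.conf`) instead of the samples to check a box. One caveat the module check cannot see: on current kernels, loading nf_conntrack_ftp does not by itself attach the helper to the port 21 flow, because automatic helper assignment is disabled by default; the control connection has to be tagged with a CT target rule (`-t raw ... -p tcp --dport 21 -j CT --helper ftp`) for RELATED matching of the data connection to work.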

So the server does not understand EPSV and the client falls back to PASV. Problem solved. Essentially these two do the same, except that PASV does not do IPv6.
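Added example, not code from the thread or from any FTP client: a simulated control-channel exchange that shows, from the client's side, the passive-mode handshake ab describes and the EPSV-to-PASV fallback mentioned just above. The "server" is a few lines of Python talking over a socketpair; it answers PASV with the exact 227 reply from the original post and rejects EPSV with a 500. The control address 203.0.113.10 is a constructed TEST-NET value standing in for the server's public address. The part worth noticing is the address check: the 227 reply in the thread advertises 10.24.19.10, a private address that is not the host the control connection reached, so a client that trusts it connects into nowhere and times out. Ignoring the advertised address and reusing the control peer is what curl's --ftp-skip-pasv-ip does, and it also stops a server from steering the data connection to a third host.

```python
import ipaddress
import re
import socket
import threading

# Constructed reply, copied from the transcript in the original post.
PASV_REPLY = "227 Entering Passive Mode (10,24,19,10,189,240)"


def parse_pasv(reply):
    """227 reply -> (host, port); RFC 959 encodes the port as p1*256 + p2."""
    m = re.match(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if m is None:
        raise ValueError(f"not a 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"byte out of range in {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_epsv(reply):
    """229 reply '(|||port|)' -> port; EPSV names no address, the control peer is used."""
    m = re.match(r"229 .*\(\|\|\|(\d+)\|\)", reply)
    if m is None:
        raise ValueError(f"not a 229 reply: {reply!r}")
    return int(m.group(1))


def choose_data_host(advertised, control_peer):
    """Use the control peer for the data connection unless the 227 reply agrees with it.
    A mismatch is a NATed server leaking its private address (data connection
    times out, as in the thread) or a server redirecting the client elsewhere."""
    if advertised == control_peer:
        return advertised, None
    kind = "private" if ipaddress.ip_address(advertised).is_private else "foreign"
    return control_peer, f"ignored {kind} PASV address {advertised}"


def negotiate_passive(ctrl, control_peer):
    """Send EPSV first; on a 5xx reply fall back to PASV, as curl and tnftp do."""
    transcript = []

    def ask(cmd):
        ctrl.write(cmd + "\r\n")
        ctrl.flush()
        reply = ctrl.readline().rstrip("\r\n")
        transcript.append((cmd, reply))
        return reply

    reply = ask("EPSV")
    if reply.startswith("229"):
        return {"host": control_peer, "port": parse_epsv(reply), "warning": None,
                "transcript": transcript}
    if not reply.startswith("5"):
        raise RuntimeError(f"unexpected EPSV reply: {reply}")
    reply = ask("PASV")
    if not reply.startswith("227"):
        raise RuntimeError(f"unexpected PASV reply: {reply}")
    advertised, port = parse_pasv(reply)
    host, warning = choose_data_host(advertised, control_peer)
    return {"host": host, "port": port, "warning": warning, "transcript": transcript}


def fake_old_server(conn):
    """Server side: knows PASV and QUIT; anything else, EPSV included, gets a 500."""
    f = conn.makefile("rw", encoding="ascii", newline="")
    for line in iter(f.readline, ""):
        cmd = line.strip().upper()
        if cmd == "PASV":
            f.write(PASV_REPLY + "\r\n")
        elif cmd == "QUIT":
            f.write("221 Goodbye.\r\n")
        else:
            f.write(f"500 '{cmd}': command not understood.\r\n")
        f.flush()
        if cmd == "QUIT":
            break
    f.close()
    conn.close()


def run_exchange(control_peer="203.0.113.10"):
    """Drive the client against the fake server over a socketpair.
    control_peer is a constructed TEST-NET address standing in for the server."""
    client_sock, server_sock = socket.socketpair()
    threading.Thread(target=fake_old_server, args=(server_sock,), daemon=True).start()
    ctrl = client_sock.makefile("rw", encoding="ascii", newline="")
    try:
        result = negotiate_passive(ctrl, control_peer)
        ctrl.write("QUIT\r\n")
        ctrl.flush()
        ctrl.readline()
    finally:
        ctrl.close()
        client_sock.close()
    return result


if __name__ == "__main__":
    r = run_exchange()
    for cmd, reply in r["transcript"]:
        print(f"> {cmd}\n< {reply}")
    print(f"data connection -> {r['host']}:{r['port']}  ({r['warning']})")
```

The output of the sample run is the two-step exchange from the thread (EPSV refused, PASV answered) followed by a data endpoint on the control peer's address at port 48624 (189*256 + 240), with a warning that the private 10.24.19.10 was ignored. That is the point where the original poster's session stalls: the fallback to PASV succeeds, but the data connection is made to an address the client cannot reach.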

That’s true. The server doesn’t understand EPSV and IPv6. From what I know OpenSUSE 10.3’s /usr/bin/ftp uses IPv6; but I have turned off IPv6 on the system and disabled epsv4 when I ftp to the server. But it’s still timing out.

Any other way to resolve this issue? Do I need to compile /usr/bin/ftp from source with IPv6 option disabled on the client?