SUSE 11 ftp not consistent (too complicated?)

Normal good ftp using a Windows client and a Solaris server:
Client: ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list
Works fine!

Windows client - SUSE server pure-ftpd (firewall active/pure-ftpd allowed)
Client: ls
200 PORT command successful.
150 Connecting to port 500
Works fine!

SUSE client - Solaris server
Client: ls
500 ‘EPSV’ command not understood
227 Entering Passive Mode (131,176,60,249,71,180)
150 Opening ASCII mode data connection for /bin/ls
Works, but why does the SUSE client send the command ‘EPSV’, which is not needed and is not understood by Solaris (and other!) servers?

SUSE client - SUSE server pure-ftpd (firewall active/pure-ftpd allowed)
Client: ls
229 Extended Passive mode OK (|||64553)
It hangs! It seems that the command ‘EPSV’ (replacing the good command ‘PORT’!) is accepted, but that the transfer hangs because of the firewall.

SUSE client - SUSE server pure-ftpd (firewall switched off)
Client: ls
229 Extended Passive mode OK (|||42937)
Accepted data connection
It works!

Conclusions:

Very unfortunate that the SUSE client sends the non-standard command ‘EPSV’ that is unnecessary and tends not to be understood

The firewall settings made by YaST (default setting + allowance for pure-ftpd) are no good for the command ‘EPSV’ that SUSE clients (unfortunately) use!

EPSV is not a replacement for PORT. It’s a different mode of transferring, to oversimplify. If the server is too old to understand it, the client doesn’t go into passive mode, so no harm done.

In the last two cases, if the server is configured to accept passive mode, then the firewall must be configured to allow passive mode. (Generally this involves loading a ftp helper module into iptables.) If not, then don’t enable passive mode on the server. But remember that passive mode is there to solve a problem and that is to help clients that cannot open arbitrary ports at their firewall on-the-fly.

Here’s an explanation of port (active) and passive modes:

http://slacksite.com/other/ftp.html

You don’t know what you’re talking about, to put it in a nutshell.

The difference between active and passive ftp is then only whether it is the server or the client that contacts a new port > 1024 on the other, i.e. it is an absolutely symmetric problem!

In fact, with the SUSE Firewall in its nominal configuration on both client and server no ftp is possible, it does not help to have “pure-ftpd allowed” in the Firewall of the server!

If the firewall is switched off on the client and switched on on the server, only “active ftp” is possible.

If the firewall is switched on on the client and switched off on the server, only “passive ftp” is possible.

The most reasonable approach for an ftp exchange between two SUSE computers would then be to first switch-off the Firewall on the client and to then issue the ftp command “passive off”.

The SUSE ftp system is also too keen to follow the latest trends/mode using the commands “EPRT” and ‘EPSV’, where E stands for “extended”. The command “PORT” (active ftp) is better understood than “EPRT”. My example 3) above:

500 'EPSV' command not understood

And “ftp passive mode” seems a questionable concept! For my Windows XP ftp system there is no command “PASSIVE”, apparently with good reasons! And the Windows Firewall does not stop active ftp!

But it has tremendous implications for clients who are behind firewalls, what’s more NAT firewalls, and who cannot open ports for the server to reach. So generally ftp servers on the Net offer PASV connections. If you are on a LAN it may not matter to you. But it’s dangerous to generalise your experience to situations you don’t know about.

In fact, with the SUSE Firewall in its nominal configuration on both client and server no ftp is possible, it does not help to have “pure-ftpd allowed” in the Firewall of the server!

I cannot comment on the “nominal configuration” as created by YaST as I seldom install ftp, but the solution is simple, load the iptables module nf_conntrack_ftp, which will detect the ports opened by the server for the data connection by looking into the command stream, and open those ports on the firewall.

The most reasonable approach for an ftp exchange between two SUSE computers would then be to first switch-off the Firewall on the client and to then issue the ftp command “passive off”.

Sorry, the firewall developers were smarter than you. Use nf_conntrack_ftp.

The SUSE ftp system is also too keen to follow the latest trends/mode using the commands “EPRT” and ‘EPSV’, where E stands for “extended”. The command “PORT” (active ftp) is better understood than “EPRT”.

It’s not a matter of being trendy. If the client can negotiate a better configuration with a modern server, it’s perfectly reasonable to take advantage of it. The system is designed to fallback to interoperate with older servers that don’t understand those commands. All this is well-specified in the relevant RFCs.

My example 3) above:

500 'EPSV' command not understood

And “ftp passive mode” seems a questionable concept!

It simply means you don’t understand why passive mode exists.

For my Windows XP ftp system there is no command “PASSIVE”, apparently with good reasons! And the Windows Firewall does not stop active ftp!

The command is PASV. And the Windows firewall probably has the same smarts as nf_conntrack_ftp.

I think Chrysantine was smarter than I was. She gave you the short answer and I’m wasting my time explaining when you have your misconceptions to overcome.
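To make the point about nf_conntrack_ftp concrete: the helper reads the control channel and, from PASV/EPSV replies (or PORT/EPRT commands), works out which data connection the firewall must let through. The following is an added example, not code from the thread or from netfilter; it parses the 227 and 229 replies quoted above plus constructed PORT/EPRT lines, and rejects announced addresses that do not match the sender, the same check nf_conntrack_ftp applies unless its `loose` parameter is set.

```python
import re

# Added example (not from the thread or netfilter): mimic the control-channel
# parsing an FTP connection-tracking helper does to learn the data endpoint.
# 227/229 replies are the ones quoted in the thread; PORT/EPRT lines are
# constructed sample input.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|?\)")          # pure-ftpd omits the trailing '|'
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
EPRT_RE = re.compile(r"^EPRT \|1\|(\d+\.\d+\.\d+\.\d+)\|(\d+)\|\s*$")  # IPv4 only


def _endpoint(octets, port):
    """Validate a dotted-quad/port pair; return (host, port) or None."""
    if any(not 0 <= o <= 255 for o in octets) or not 1 <= port <= 65535:
        return None
    return ".".join(map(str, octets)), port


def data_endpoint(line, sender, sender_addr, strict=True):
    """Parse one control-channel line sent by `sender` ("server" or "client")
    whose control connection comes from IPv4 address `sender_addr`.
    Return (listener, host, port): listener is "server" for passive mode
    (PASV/EPSV) or "client" for active mode (PORT/EPRT); None means the line
    announces no data endpoint (e.g. '500 EPSV command not understood').
    With strict=True an announced address other than sender_addr is refused,
    as nf_conntrack_ftp does by default (its `loose` parameter relaxes this)."""
    if sender == "server":
        if m := PASV_RE.match(line):
            n = list(map(int, m.groups()))
            ep = _endpoint(n[:4], n[4] * 256 + n[5])      # h1,h2,h3,h4,p1,p2
        elif m := EPSV_RE.match(line):
            # EPSV carries only the port: the data connection goes to the
            # same host the control channel already talks to.
            ep = _endpoint([int(o) for o in sender_addr.split(".")], int(m.group(1)))
        else:
            return None
    else:
        if m := PORT_RE.match(line):
            n = list(map(int, m.groups()))
            ep = _endpoint(n[:4], n[4] * 256 + n[5])
        elif m := EPRT_RE.match(line):
            ep = _endpoint([int(o) for o in m.group(1).split(".")], int(m.group(2)))
        else:
            return None
    if ep is None or (strict and ep[0] != sender_addr):
        return None                                       # malformed or spoofed endpoint
    return (sender, ep[0], ep[1])
```

The firewall then needs a rule allowing one TCP connection to the returned host and port (from the client for "server", to the client from the server's port 20 for "client"), which is exactly what the helper module adds dynamically.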

Just putting together the useful information we have compiled:

Normal good ftp using a Windows client and a Solaris server:
Client: ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list
Works fine!

**The Windows XP system and its Firewall handle active ftp without problems**
3) SUSE client - Solaris server
Client: ls
500 ‘EPSV’ command not understood
227 Entering Passive Mode (131,176,60,249,71,180)
150 Opening ASCII mode data connection for /bin/ls

The Solaris server handles passive ftp without problems. And the fall-back for the unknown ‘EPSV’ is the right one, passive mode.

SUSE client - SUSE server pure-ftpd (firewall active/pure-ftpd allowed)
Client: ls
229 Extended Passive mode OK (|||64553)

It hangs! As opposed to the Solaris server, the SUSE Firewall does not support passive mode!

And “passive off” is no good either: as opposed to the Windows XP client, the SUSE client (with active Firewall) does not support active ftp.