
#2566 closed defect (worksforme)

Illegal PORT command

Reported by: anonymous
Owned by: dkocher
Priority: normal
Milestone: 3.2
Component: ftp-tls
Version: 3.0.2
Severity: normal
Keywords:
Cc:
Architecture: PPC
Platform: Mac OS X 10.5

Description (last modified by dkocher)

I'm using Cyberduck to connect to a Freecom FSG-3 via FTP-SSL with TLS. The login works, but then there is an illegal PORT command. Cyberduck sends the IP address from the private network my laptop is logged into. Here is the log file:

220 vsFTPd 2.0.5+ (ext.2) patched by Freecom - ready...
AUTH TLS
234 Proceed with negotiation.
PBSZ 0
200 PBSZ set to 0.
PROT P
200 PROT now Private.
USER *******
331 Please specify the password.
PASS ********
230 Login successful.
PWD
257 "/home"
NOOP
200 NOOP ok.
SYST
215 UNIX Type: L8
STAT /home/Medienserver
213-Status follows:
213 End of status
CWD /home/Medienserver
250 Directory successfully changed.
FEAT
211-Features:
 AUTH SSL
 AUTH TLS
 EPRT
 EPSV
 MDTM
 PASV
 UTF8
 PBSZ
 PROT
 REST STREAM
 SIZE
 TVFS
211 End
PASV
227 Entering Passive Mode (88,75,117,112,199,135)
PORT 192,168,0,239,229,141
500 Illegal PORT command.
PASV
227 Entering Passive Mode (88,75,117,112,228,19)
PORT 192,168,0,239,229,143
500 Illegal PORT command.

I'm pretty sure that this was working with an older version.

Change History (9)

comment:1 Changed on Mar 19, 2009 at 11:02:01 AM by dkocher

  • Milestone 3.2 deleted
  • Summary changed from FTP-SSL failure to Illegal PORT command

comment:2 Changed on Mar 19, 2009 at 11:02:38 AM by dkocher

  • Description modified (diff)

comment:3 Changed on Mar 19, 2009 at 11:03:01 AM by dkocher

Do you still have the issue with version 3.1?

comment:4 Changed on Apr 22, 2009 at 10:12:27 AM by dkocher

  • Milestone set to 3.2
  • Resolution set to fixed
  • Status changed from new to closed

comment:5 Changed on May 18, 2009 at 7:01:45 PM by raven

I am still experiencing the same problem with version 3.2 (4648). Cyberduck sends a PORT command with the wrong local (behind a NAT router) IP address when using SSL/TLS. Using unencrypted connections works fine, though.

This is the log file:

NOOP
200 NOOP command successful
TYPE I
200 Type set to I
PASV
227 Entering Passive Mode (78,47,115,23,172,113).
PORT 192,168,178,22,197,54
500 Illegal PORT command

comment:6 Changed on May 18, 2009 at 7:46:21 PM by raven

The problems from my last comment seem to be at least partly related to a broken firewall config on my server. Or rather: FTPS being a completely borked protocol, from a security standpoint (Passive FTP + TLS and stateful firewalling based on conntrack_ftp don't really mix, you have to manually open a range of ports for that in the firewall).

But still: Why is/was Cyberduck sending my local (NATted) IP to the server?

-David

comment:7 Changed on Jun 8, 2010 at 9:01:08 PM by adam@…

  • Resolution fixed deleted
  • Status changed from closed to reopened

This bug is still present in version 3.4.2 (5902). Passive mode is completely broken:

NOOP
200 Zzz...
TYPE I
200 TYPE is now 8-bit binary
PASV
227 Entering Passive Mode (174,132,19,132,241,78)
PORT 192,168,1,5,218,92
500 I won't open a connection to 192.168.1.5 (only to xxx.xxx.xxx.xxx)

(My IP address removed.)

comment:8 Changed on Jun 8, 2010 at 9:22:03 PM by adam@…

Actually, I may have been mistaken. It looks like the passive connection failed and I'm guessing Cyberduck fell back to trying active instead. (Though if that's the case, then it would be a good idea for Cyberduck to tell the user that that's what happened.)

comment:9 Changed on Jul 22, 2010 at 4:27:47 PM by dkocher

  • Architecture set to PPC
  • Platform set to Mac OS X 10.5
  • Resolution set to worksforme
  • Status changed from reopened to closed
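
An added example, not part of the ticket or of Cyberduck's code: Python that decodes the h1,h2,h3,h4,p1,p2 tuples in the transcripts above and reports each PORT command that follows a 227 reply, the pattern comment 8 attributes to a fallback from passive to active mode. The function names are assumptions of this example; the sample lines are copied from the logs in this ticket.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as used by PORT and by 227 replies (RFC 959)
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """Return (IPv4Address, port) from a PORT argument or 227 reply, else None."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None
    # Port is the last two octets, high byte first.
    return ipaddress.IPv4Address(bytes(n[:4])), n[4] * 256 + n[5]

def find_active_fallbacks(lines):
    """Report every PORT command with the preceding PASV reply and the server's answer."""
    lines = [l.strip() for l in lines if l.strip()]
    findings, last_pasv = [], None
    for i, line in enumerate(lines):
        if line.startswith("227 "):
            last_pasv = decode_hostport(line)
        elif line.upper().startswith("PORT "):
            ep = decode_hostport(line)
            if ep is None:
                continue
            reply = lines[i + 1] if i + 1 < len(lines) else ""
            findings.append({
                "client_endpoint": "%s:%d" % ep,
                # True when the client advertised an address a remote server cannot reach.
                "private_address": ep[0].is_private,
                "pasv_endpoint": "%s:%d" % last_pasv if last_pasv else None,
                "rejected": reply[:1] in ("4", "5"),
            })
            last_pasv = None
    return findings

# Control-channel lines copied from the transcripts in this ticket.
SAMPLE = """\
PASV
227 Entering Passive Mode (88,75,117,112,199,135)
PORT 192,168,0,239,229,141
500 Illegal PORT command.
PASV
227 Entering Passive Mode (174,132,19,132,241,78)
PORT 192,168,1,5,218,92
500 I won't open a connection to 192.168.1.5 (only to xxx.xxx.xxx.xxx)
""".splitlines()

if __name__ == "__main__":
    for finding in find_active_fallbacks(SAMPLE):
        print(finding)
```

A finding with both `pasv_endpoint` set and `private_address` true means the passive data connection was offered but the client then advertised its own RFC 1918 address; with the control channel encrypted, a NAT helper cannot rewrite that PORT argument.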