Illegal PORT command #2566

Closed
cyberduck opened this issue Sep 9, 2008 · 5 comments
Labels
bug ftp-tls FTP (TLS) Protocol Implementation worksforme

@cyberduck

anonymous created the issue

I'm using Cyberduck to connect to a Freecom FSG-3 via FTP-SSL with TLS. The login works, but then there is an illegal PORT command. Cyberduck sends the IP address from the private network my laptop is logged in to. Here is the log file:

220 vsFTPd 2.0.5+ (ext.2) patched by Freecom - ready...
AUTH TLS
234 Proceed with negotiation.
PBSZ 0
200 PBSZ set to 0.
PROT P
200 PROT now Private.
USER *******
331 Please specify the password.
PASS ********
230 Login successful.
PWD
257 "/home"
NOOP
200 NOOP ok.
SYST
215 UNIX Type: L8
STAT /home/Medienserver
213-Status follows:
213 End of status
CWD /home/Medienserver
250 Directory successfully changed.
FEAT
211-Features:
 AUTH SSL
 AUTH TLS
 EPRT
 EPSV
 MDTM
 PASV
 UTF8
 PBSZ
 PROT
 REST STREAM
 SIZE
 TVFS
211 End
PASV
227 Entering Passive Mode (88,75,117,112,199,135)
PORT 192,168,0,239,229,141
500 Illegal PORT command.
PASV
227 Entering Passive Mode (88,75,117,112,228,19)
PORT 192,168,0,239,229,143
500 Illegal PORT command.

I'm pretty sure that this was working with an older version.

@cyberduck

@dkocher commented

Do you still have the issue with version 3.1?

@cyberduck

c217e16 commented

I am still experiencing the same problem with version 3.2 (4648). Cyberduck sends a PORT command with the wrong local (behind a NAT router) IP address when using SSL/TLS. Using unencrypted connections works fine, though.

This is the log file:

NOOP
200 NOOP command successful
TYPE I
200 Type set to I
PASV
227 Entering Passive Mode (78,47,115,23,172,113).
PORT 192,168,178,22,197,54
500 Illegal PORT command

@cyberduck

c217e16 commented

The problems from my last comment seem to be at least partly related to a broken firewall config on my server. Or rather: FTPS being a completely borked protocol, from a security standpoint (Passive FTP + TLS and stateful firewalling based on conntrack_ftp don't really mix, you have to manually open a range of ports for that in the firewall).

But still: Why is/was Cyberduck sending my local (NATted) IP to the server?

-David

@cyberduck

5b75143 commented

This bug is still present in version 3.4.2 (5902). Passive mode is completely broken:

NOOP
200 Zzz...
TYPE I
200 TYPE is now 8-bit binary
PASV
227 Entering Passive Mode (174,132,19,132,241,78)
PORT 192,168,1,5,218,92
500 I won't open a connection to 192.168.1.5 (only to xxx.xxx.xxx.xxx)

(My IP address removed.)

@cyberduck

5b75143 commented

Actually, I may have been mistaken. It looks like the passive connection failed and I'm guessing Cyberduck fell back to trying active instead. (Though if that's the case, then it would be a good idea for Cyberduck to tell the user that that's what happened.)

@iterate-ch iterate-ch locked as resolved and limited conversation to collaborators Nov 26, 2021
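
The PASV-then-PORT pattern in the logs above can be picked out of a control-channel transcript mechanically. The following Python is an added example, not part of the original thread and not Cyberduck's code: it decodes the `h1,h2,h3,h4,p1,p2` field of 227 replies and PORT commands (port = p1*256 + p2, per RFC 959) and reports each PORT that follows an unused passive offer, whether it carried a private address, and whether the server refused it. The function names `decode_hostport` and `analyse` are hypothetical; the sample lines are copied from the first log in this thread.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as used by both PORT arguments and 227 replies (RFC 959)
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """Return (ip, port) from an 'h1,h2,h3,h4,p1,p2' field, or None."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    n = [int(g) for g in m.groups()]
    if any(v > 255 for v in n):
        return None
    return ipaddress.ip_address(".".join(map(str, n[:4]))), n[4] * 256 + n[5]

def analyse(lines):
    """Walk a control-channel log and report every PORT command and its reply."""
    findings, pasv, pending = [], None, None
    for line in (l.strip() for l in lines):
        if line.startswith("227 "):
            pasv = decode_hostport(line)          # server's passive offer
        elif line.upper().startswith("PORT "):
            pending = decode_hostport(line)       # client switched to active mode
        elif pending and line[:3].isdigit():      # server's reply to that PORT
            ip, port = pending
            findings.append({
                "pasv_offer": f"{pasv[0]}:{pasv[1]}" if pasv else None,
                "port_sent": f"{ip}:{port}",
                "private_addr": ip.is_private,    # RFC 1918 address sent from behind NAT
                "fallback_from_pasv": pasv is not None,
                "refused": line[0] in "45",
            })
            pasv = pending = None
        elif line.startswith(("125", "150")):
            pasv = None                           # passive data connection was used

    return findings

# Sample: the PASV/PORT lines from the first log in this thread.
SAMPLE = """\
PASV
227 Entering Passive Mode (88,75,117,112,199,135)
PORT 192,168,0,239,229,141
500 Illegal PORT command.
""".splitlines()

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

A finding with `fallback_from_pasv` and `private_addr` both true matches what the last comment describes: the data connection to the passive endpoint did not succeed, so the client tried active mode with its NATted address.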