For the longest time I've been trying to connect to my friend's FTP server (where my site is hosted) from my Mac, but I haven't been able to. I've been under the impression that it was a problem with his server, but I just discovered (I would have discovered this earlier had he not assured me that my firewall could not have anything to do with outgoing FTP) that when I turn my firewall off, FTP works.
I Google'd my problem, and I found this:
ftp can give you trouble with a firewall if the FTP transfer is done in active mode instead of passive mode. An FTP connection is done on various ports > 49152. If the FTP server you are connecting to is in active mode, the server will initiate the connection. With the firewall in place, this will be seen as an unauthorized incoming connection to your computer and will be rejected. On the other hand, if the FTP transfer mode is passive, your client will initiate the connection and since any outgoing connection is allowed, you will connect without a problem to the FTP server. Once the connection is established (i.e. the SYN bit of the TCP packet is set), connections are always allowed. Not every server supports it, but most do. Therefore, you might see (in your system.log) a server you know trying to connect from its port 21 to one of your ports >49152 until it times out. You must issue a passive command or configure your ftp software to do so (Interarchy, Fetch and Transmit all have an option for that: uncheck use passive; the command-line utility ftp usually defaults to active). I had some problems with Internet Explorer and I ended up changing the ftp helper application to Fetch. If you are not too paranoid, you can always just flush the firewall rules for the time of your download with the command ipfw flush. Any time you have a problem with your connection, go take a look at your system logs. If the connection is legitimate, modify the firewall rules to allow it.
This makes perfect sense, but it doesn't explain why I never had this issue with Windows. Perhaps it was because I was behind my own personal router (Berkeley has an enclosed network, but it's not like a personal router). Does that make any sense?
Anyway, I tried using passive on my friend's server, and this produced the following error:
ftp> passive
Passive mode: on; fallback to active mode: on.
ftp> ls
500 'EPSV': command not understood.
227 Entering Passive Mode (192,168,1,5,89,126)
200 PORT command successful.
421 Service not available, remote server timed out. Connection closed
For a while, I tried alternate methods, and then decided to try using passive on the Debian.org server (it hadn't worked, before...while I thought it was just my friend's server being stupid, my firewall had actually been blocking all FTP...his was just the only FTP I tried). While passive gave me an error on my friend's server, it worked on the Debian.org server!
I can try to get him to upgrade his server, but this is not worth it for many reasons. First of all, I'll probably be switching to a paid provider sometime soon. While on the subject, will I be able to access this with passive mode (something like MySiteSpace.com is what I'd be buying). Second of all, SFTP and SCP work, but I want to use FTP with a program called ImageWell, and I don't know how I would tell it to use passive mode (there's no option).
How do other people deal with this issue? It's quite frustrating. Why didn't I have this problem on my PC? Weird...
Anyway, advice would be greatly appreciated.
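
The 227 reply in the session above encodes the address and port the client must open the data connection to. As an added example (not part of the original post), this Python code decodes such a reply and checks whether the advertised address is an RFC 1918 private address while the control connection goes to a public one. The control address 203.0.113.10 and the second sample reply are constructed; the function names are hypothetical.

```python
import ipaddress
import re

# Sample input: the first reply is copied from the session in the post,
# the second is constructed (documentation address) for comparison.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,168,1,5,89,126)",
    "227 Entering Passive Mode (203,0,113,10,195,80)",
]
CONTROL_HOST = "203.0.113.10"  # constructed: address the client dialed on port 21

# Explicit RFC 1918 list; ipaddress.is_private would also flag 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 .*?\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")


def parse_pasv(reply):
    """Decode a 227 reply (h1,h2,h3,h4,p1,p2) into (host, port)."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # port is sent as two bytes, high byte first
    return host, port


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def diagnose(reply, control_host):
    """Report where the data connection would go and whether it can be reached."""
    host, port = parse_pasv(reply)
    # A private data address is only usable if the control peer is private too
    # (client and server on the same LAN).
    reachable = not (is_rfc1918(host) and not is_rfc1918(control_host))
    return {"host": host, "port": port, "reachable": reachable,
            "matches_control": host == control_host}


if __name__ == "__main__":
    for line in SAMPLE_REPLIES:
        print(line, "->", diagnose(line, CONTROL_HOST))
```

For a passive transfer, the host and port returned here are the destination of the outbound data connection the client's firewall has to allow.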