Tunnel FTP through SSH; 425 Errors
Senior User (Join Date: Apr 2000, Location: Woodridge, IL)
Hello, everyone. Well, my previous sagas of tunnelling FTP through SSH were mostly successful. However, I'm having intermittent problems with opening a new passive connection.
<background>
Quick recap:
I wanted to tunnel FTP rather than use SFTP because:
1) It's included and relatively easy to replace with another FTP server if needed
2) Free SSH and FTP clients are plentiful on every platform - SFTP clients generally are not
So, what I did was the following:
1) Configure my firewall to only open port 22 and forward it to my Mac.
2) Create an ftpd.conf file with the line "portrange all 20000 20010" to limit the passive ports to that range
3) Configure my SSH client (putty.exe on Windows, if it matters) to forward the following ports from client-side localhost to server-side localhost: 20, 21, 20000, 20001, 20002, 20003, 20004, 20005, 20006, 20007, 20008, 20009, 20010
4) Use my FTP client (AbsoluteFTP on Windows, if it matters) to connect to localhost in passive mode, which is forwarded as above to my Mac.
</background>
What is happening is this: Everything works fine, but if I download a series of files in a row, about the third or fourth file will either die outright with a bad PORT command, or hang forever, never quite working. I've heard this can be caused by a bad IP or port being specified, but I'm not clear on whether this is a configuration error on my part, a bug in the server, or a bug in the client. Here's a snippet of the log:
> Transfer(00A60928): TYPE A
< Transfer(00A60928): 200 Type set to A.
> Transfer(00A60928): PASV
< Transfer(00A60928): 227 Entering Passive Mode (127,0,0,1,82,11)
i Transfer(00A60928): Data connection 4CDA38 connected.
> Transfer(00A60928): LIST -a 03.jpg
< Transfer(00A60928): 150 Opening ASCII mode data connection for '/bin/ls'.
i Transfer(00A60928): Data connection 4CDA38 closed normally.
< Transfer(00A60928): 226 Transfer complete.
> Transfer(00A60928): TYPE I
< Transfer(00A60928): 200 Type set to I.
> Transfer(00A60928): SIZE 03.jpg
< Transfer(00A60928): 213 79606
i Transfer(00A60928): Opening file '03.jpg' for download as '03.jpg'.
> Transfer(00A60928): PASV
< Transfer(00A60928): 425 Can't open passive connection: Resource temporarily unavailable.
> Transfer(00A60928): PORT 9,73,20,87,14,6
< Transfer(00A60928): 500 Illegal PORT command rejected
Is the FTP server just not freeing up ports properly and running out? It almost looks like each time it grabs a file, it's listing the directory then downloading it. Coupled with the listings I had to do to get to the directory in the first place, that would be about ten ports by the time it gets there.
Any idea where to go from here?
Senior User (Join Date: Apr 2000, Location: Woodridge, IL)
Well, thanks for looking, anyway - seems most people are stumped.
A bit more information - it's definitely linked to the forwarded ports. It looks like something in the chain isn't releasing the ports to be used again. If I add ten ports, then I can get 5 files farther (one port gets used by the file transfer, one by the listing).
If only my SSH tunnel would just let me open up a huge range of ports to forward (like 1000) then I'd kludge it and wouldn't care.
In the meantime, I'm trying to get PureFTPd running, and it compiles and runs, but on the first attempt at a directory listing it gives the dreaded 425 error in response to the PASV command. And yes, I've restricted its port range. Works fine in local tests.
Senior User (Join Date: Jan 2003, Location: Stuttgart, Germany)
I would test another FTP client first - That's a whole lot easier than configuring a server and you'll have ruled out that point of failure.
It could be possible that the client opens a new connection for every command (2 simultaneous should be default) and doesn't close them properly, thus locking itself out of the server. Perhaps there is a setting for a maximum simultaneous and persistent connections? In that case, I would try to set the former to 2 and the latter to 1.
But other than that, I can't help you unfortunately.
Senior User (Join Date: Apr 2000, Location: Woodridge, IL)
Well, I went and grabbed another FTP client to test with, and the problem still occurs. So it's definitely something in the SSH tunnel or the FTP server. Now if only I could get PureFTPd to work, I could find the culprit.
If anyone knows anything, PureFTPd lets me connect, but *any* attempt to LS or transfer results in the host "actively refusing the connection". I'd guess something isn't set up properly for passive support, but there aren't that many options to set. The port range is limited, and the client is requesting a passive connection.
Senior User (Join Date: Jan 2003, Location: Stuttgart, Germany)
Again, I can only offer you an educated guess.
Some servers (like wuftpd) have the requirement that the data and connection IPs match (which may not be the case when tunneling). This must be disabled on those. Maybe there is a similar option in pureftpd?
Senior User (Join Date: Apr 2000, Location: Woodridge, IL)
Originally posted by entrox:
Again, I can only offer you an educated guess.
Some servers (like wuftpd) have the requirement that the data and connection IPs match (which may not be the case when tunneling). This must be disabled on those. Maybe there is a similar option in pureftpd?
Or it could be that I'm just a moron.
I set the SSH tunnel to forward ports 21000-21010, but set the PureFTPd to use 20000-20010. Whoops. I changed that, and lo and behold, it works perfectly!
I'd still like to know why lukemftpd doesn't free up its ports properly (now that it's narrowed down). I have the proper port range set up (I checked), and I've verified that increasing the range just delays the problem. I'll stick to PureFTPd in the meantime, but I like to stick to the generic built-in stuff as much as possible.
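The checks this thread turns on, written up as an added example (it is not code from any of the posters, nor from lukemftpd or PureFTPd): it decodes the 227 reply and the PORT command quoted in the first post's log into a host and port (RFC 959 encodes both as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2), flags an endpoint whose address differs from the control connection's peer (the strict data/control address matching entrox mentions, which servers apply against FTP bounce) or whose port lies outside the range the SSH client forwards (the mismatch found in the last post), and derives the ssh/putty -L options from that same range so the two can no longer disagree. CONTROL_HOST, FORWARDED, SAMPLE_LOG and the function names are assumptions or constructed for the example; the quoted 227 reply decodes to 127.0.0.1 port 82*256+11 = 21003, and the PORT command to 9.73.20.87 port 14*256+6 = 3590.

```python
"""Audit a tunnelled FTP session log: decode PASV replies and PORT commands,
and flag data endpoints that the SSH tunnel cannot carry.

Added example, not code from the thread or from any FTP server. The sample
log lines are the ones quoted in the first post; CONTROL_HOST and FORWARDED
are assumptions standing in for the tunnel endpoint and forwarded range."""
import re
from dataclasses import dataclass

# RFC 959 writes an endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2,
# both in the 227 "Entering Passive Mode" reply and in the PORT command.
_PASV_RE = re.compile(r"\b227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_PORT_RE = re.compile(r"\bPORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

CONTROL_HOST = "127.0.0.1"   # assumption: control connection enters via the loopback tunnel end
FORWARDED = (20000, 20010)   # assumption: passive range forwarded by the SSH client (first post)


@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int


def _decode(fields):
    """Turn the six comma-separated fields into an Endpoint; each must fit a byte."""
    vals = [int(x) for x in fields]
    if any(not 0 <= v <= 255 for v in vals):
        raise ValueError(f"field out of range in {fields}")
    h1, h2, h3, h4, p1, p2 = vals
    return Endpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def parse_pasv(line):
    """Endpoint announced by a 227 reply, or None if the line is not one."""
    m = _PASV_RE.search(line)
    return _decode(m.groups()) if m else None


def parse_port(line):
    """Endpoint requested by a PORT command, or None if the line is not one."""
    m = _PORT_RE.search(line)
    return _decode(m.groups()) if m else None


def check_endpoint(ep, control_host=CONTROL_HOST, forwarded=FORWARDED):
    """Reasons the data connection cannot work through the tunnel (empty list = fine).

    A server that enforces the anti-bounce rule rejects a PORT whose address
    differs from the control connection's peer; a PASV endpoint outside the
    forwarded range is simply not listening on the client's loopback."""
    problems = []
    if ep.host != control_host:
        problems.append(f"address {ep.host} differs from control peer {control_host}")
    lo, hi = forwarded
    if not lo <= ep.port <= hi:
        problems.append(f"port {ep.port} outside forwarded range {lo}-{hi}")
    return problems


def audit(lines, control_host=CONTROL_HOST, forwarded=FORWARDED):
    """Return (kind, endpoint, problems) for every PASV reply and PORT command seen."""
    findings = []
    for line in lines:
        for kind, parser in (("PASV", parse_pasv), ("PORT", parse_port)):
            ep = parser(line)
            if ep is not None:
                findings.append((kind, ep, check_endpoint(ep, control_host, forwarded)))
    return findings


def tunnel_args(forwarded=FORWARDED, remote_host="127.0.0.1"):
    """-L options for ssh or putty covering port 21 plus the passive range,
    derived from the same constant the audit uses so the two cannot drift apart."""
    lo, hi = forwarded
    return [f"-L{p}:{remote_host}:{p}" for p in (21, *range(lo, hi + 1))]


# Constructed input: the relevant lines of the log quoted in the first post.
SAMPLE_LOG = [
    "< Transfer(00A60928): 227 Entering Passive Mode (127,0,0,1,82,11)",
    "< Transfer(00A60928): 425 Can't open passive connection: Resource temporarily unavailable.",
    "> Transfer(00A60928): PORT 9,73,20,87,14,6",
    "< Transfer(00A60928): 500 Illegal PORT command rejected",
]

if __name__ == "__main__":
    for kind, ep, problems in audit(SAMPLE_LOG):
        print(f"{kind} {ep.host}:{ep.port} -> {'; '.join(problems) or 'ok'}")
    print("ssh", " ".join(tunnel_args()), "user@host")
```

Run against the quoted log with the assumed 20000-20010 range, the 227 reply is flagged because 21003 is outside what the tunnel forwards, and the PORT command is flagged because 9.73.20.87 is not the address the server sees on the control connection, which is consistent with the 500 reply in the log. Changing FORWARDED to (21000, 21010) clears the first finding, which is the same fix the last post describes.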