
curl-users

Re: Trouble traversing two firewalls w/ passive ftp

From: Nick Harley <nickharley_at_bcbsal.org>
Date: Thu, 26 Jan 2006 08:58:41 -0600

"Your original message didn't give a log of a transaction using passive
mode. If you post that, along with the command-line you're using, we might
have some more clues as to what might be going wrong."

Here's the output of a non-ported command:

[root_at_TESTMANDRAKE b12837]# /usr/local/bin/curl -K /usr/local/cfg/vitalce.curl.cfg
* About to connect() to ftp.server.com port 10021
* Trying 209.x.x.x... connected
* Connected to ftp.server.com (209.x.x.x) port 10021
< 220 <<<Connect:Enterprise UNIX 2.2.00 Secure FTP>>> at octapp9 FTP server ready. Time = 08:44:51
> AUTH SSL
< 234 AUTH TLS-P/SSL OK.
* successfully set certificate verify locations:
* CAfile: /usr/local/share/curl/curl-ca-bundle.crt
  CApath: none
* SSLv2, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DES-CBC3-SHA
* Server certificate:
* subject: /C=US/ST=Arizona/L=Tempe/O=ftp location/OU=File Transfer/OU=Terms of use at www.verisign.com/rpa (c)00/CN=ftp.server.com
* start date: 2005-07-13 00:00:00 GMT
* expire date: 2006-07-13 23:59:59 GMT
* common name: ftp.server.com (matched)
* issuer: /O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign
* SSL certificate verify result: error number 1 (20), continuing anyway.
> USER username
< 331 Password required for username.
> PASS password
< 230 Connect:Enterprise UNIX login ok, access restrictions apply.
> PBSZ 0
< 200 PBSZ 0 OK.
> PROT P
< 200 PROT P OK, data channel will be secured.
> PWD
< 257 "/4717000B" is current directory.
* Entry path is '/4717000B'
> PASV
* Connect data stream passively
< 227 Entering Passive Mode (192,168,1,171,41,5)
* Trying 192.168.1.171... Timeout
* couldn't connect to host
* Remembering we are in dir 471700542043000000111020050303.bsi
* Uploaded unaligned file size (0 out of 10 bytes)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:59 --:--:--     0
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

curl: (7) couldn't connect to host

The 192.168 address is their internal address on their network. If I
pass the PORT command in I can get curl to send to my external address
but can't open the data connection. Without it, I get a can't connect to
host error. Any ideas?

>>> dan_at_coneharvesters.com 1/18/2006 12:30:09 pm >>>
On Wed, Jan 18, 2006 at 09:33:35AM -0600, Nick Harley wrote:
> The people I'm working with are saying that unless I put my client
> into passive mode, the transfer will never work. If I use the passive
> switch instead of the ftp-port switch, then when the other side of the
> connection tries to set up the data transfer, it gets the internal
> address of my machine, which is a publicly unroutable network, and
> fails.

You have this backwards: passive mode means that the client initiates the
data connection outward to the server machine. What you describe: "the
other side of the connection tries to set up the data transfer" is PORT mode.

> If I use the port command, I can put my external address in as
> the port and it sends it correctly to the other server. I've tried

But you claim the people you're working with say that the transfer "will
never work" this way. Presumably, they're saying this based on knowledge
of how their servers and firewalls are set up.

> adding port information in addition to the IP address but it only
> recognizes and send the IP information.

Your original message didn't give a log of a transaction using passive
mode. If you post that, along with the command-line you're using, we might
have some more clues as to what might be going wrong.

>>> Dan

-- 
http://www.MoveAnnouncer.com              The web change of address
service
          Let webmasters know that your web site has moved
Received on 2006-01-26
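The log above shows the actual failure: the server's 227 reply advertises 192,168,1,171,41,5, an RFC 1918 address and port 41*256+5 = 10501, so the client dutifully tries to dial an address that is only valid inside the server's own network. The usual client-side workaround is to ignore the advertised host and reuse the control-connection peer address (curl exposes this as --ftp-skip-pasv-ip, and current curl releases behave that way by default). The following Python script is an added illustration of Dan's PASV-versus-PORT distinction and of that check; it is not curl's code and not from the thread. It decodes the 227 reply copied from the log, flags the unroutable address, and builds the PORT line a client would send in active mode. The control-connection peer 203.0.113.5 is a constructed stand-in for the redacted 209.x.x.x.

```python
"""Decode FTP PASV (227) replies and decide which address the client should dial.

Added example for the curl-users thread above; not curl's own code.  The 227
reply is copied from the posted log; 203.0.113.5 is a constructed stand-in
for the redacted control-connection peer 209.x.x.x.
"""
from __future__ import annotations

import ipaddress
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as defined in RFC 959.
PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Ranges a remote client can never reach across the Internet: RFC 1918
# private space plus loopback.  Listed explicitly rather than relying on
# ipaddress.is_private, which also covers documentation ranges.
UNROUTABLE = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Return (host, port) from a 227 reply; port is p1 * 256 + p2."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV success reply: {reply!r}")
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 tuple in reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in reply: {reply!r}")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("server advertised data port 0")
    return host, port


def is_unroutable(host: str) -> bool:
    """True when the advertised host lies in a range unreachable from outside."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in UNROUTABLE)


def choose_data_endpoint(reply: str, control_peer_ip: str,
                         skip_pasv_ip: bool = True) -> tuple[str, int, str]:
    """Decide where the client opens the passive-mode data connection.

    skip_pasv_ip mirrors curl's --ftp-skip-pasv-ip: ignore the host in the
    227 reply and reuse the control-connection peer, the one address already
    known to be reachable.  Returns (host, port, reason).
    """
    host, port = parse_pasv_reply(reply)
    if skip_pasv_ip:
        return control_peer_ip, port, "skip-pasv-ip: reusing control-connection peer"
    if is_unroutable(host):
        return control_peer_ip, port, f"advertised {host} is not routable; reusing control peer"
    if host != control_peer_ip:
        return host, port, f"warning: advertised {host} differs from control peer {control_peer_ip}"
    return host, port, "advertised address matches control peer"


def build_port_command(host: str, port: int) -> str:
    """Active-mode counterpart: the PORT line telling the server to dial
    back to host:port (what curl's --ftp-port arranges)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    octets = host.split(".")
    if len(octets) != 4:
        raise ValueError("IPv4 dotted quad expected")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


# Reply copied from the log in the thread; the peer address is a stand-in.
LOGGED_REPLY = "227 Entering Passive Mode (192,168,1,171,41,5)"
CONTROL_PEER = "203.0.113.5"

if __name__ == "__main__":
    print(parse_pasv_reply(LOGGED_REPLY))
    print(choose_data_endpoint(LOGGED_REPLY, CONTROL_PEER, skip_pasv_ip=False))
    print(choose_data_endpoint(LOGGED_REPLY, CONTROL_PEER))
    print(build_port_command(CONTROL_PEER, 50000))
```

Run stand-alone, the script decodes the logged reply to 192.168.1.171:10501, reports that address as unroutable, and falls back to the control-connection peer on port 10501. Reusing the control peer only helps when the server's firewall actually forwards the advertised port to it; if it does not, the fix has to be made on the server side (an FTP-aware firewall rewriting the 227 reply, or the server configured with its public address), which is what the remote administrators' comments about their setup are pointing at.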