SSH tunnel (8 posts)

This is an archived topic. The information in it is likely to be out-of-date and no longer applicable to current versions of Fetch.
  • Started 10 years ago by guest
  • Latest reply 10 years ago from Jim Matthews
  • guest Registered Member

    I've tried both Fetch 3.03 and 4.03. Here's the problem.

    On a Windows box, I can get an ftp-over-ssh tunnel working flawlessly. The ftp server (PureFTPD running on Linux) is set up to only respond to requests from its local IP (127.0.0.1) and the passive port range is 50000-50400. I set up a ssh tunnel using MacSSH and forward local port 4000 to port 21 on the ftp server. After logging in to and activating the mirror, Fetch can connect to "localhost" just fine but it receives a "Connection Refused" when trying to get a directory listing. Turning on "Passive" and setting the port range in Fetch to 50000-50400 gives me another error "Server will not accept connections from XXX.XXX.XXX.XXX:50340. Will only accept from 127.0.0.1"

    It seems to me that either Fetch or MacSSH is not properly tunneling through the tunnel. Somehow the FTP client sees the connection as coming from the client IP as opposed to 127.0.0.1 and it refuses the connection.

    Anyone have any ideas on this?

    Jim

    Posted 10 years ago #

  • Jim Matthews Administrator

    Could you choose "Fetch Transcript" from the Window menu and post the contents after seeing that error? I'd like to see the information there.

    Thanks,

    Jim Matthews
    Fetch Softworks

    Posted 10 years ago #

  • guest Registered Member

    At the suggestion of someone on the PureFTPd mailing list, I tried turning on FXP transfers and it still didn't work. Here are the transcripts from 4 sessions. The first two are with FXP on and passive on and off. The second are with FXP off and passive on and off.

    Any help would be appreciated.

    -----FXP ON, Passive OFF-----
    Connecting to localhost port 21 (11/13/03 3:46:03 PM)
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 1 of 50 allowed.
    220-Local time is now 15:46. Server port: 21.
    220-This is a private system - No anonymous login
    220 You will be disconnected after 15 minutes of inactivity.
    USER jserio
    331 User jserio OK. Password required
    PASS
    230-User jserio has group access to: secwww www jserio
    230-This server supports FXP transfers
    230 OK. Current directory is /home/jserio
    SYST
    215 UNIX Type: L8
    PWD
    257 "/home/jserio" is your current location
    PWD
    257 "/home/jserio" is your current location
    PORT 129,219,92,229,195,110
    200-FXP transfer: from 127.0.0.1 to 129.219.92.229
    200 PORT command successful
    LIST
    425 Could not open data connection to port 50030: Invalid argument
    ftp_list: -30000
    NOOP
    200 Zzz...
    -----

    -----FXP ON, Passive ON-----
    Connecting to localhost port 21 (11/13/03 3:49:12 PM)
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 1 of 50 allowed.
    220-Local time is now 15:49. Server port: 21.
    220-This is a private system - No anonymous login
    220 You will be disconnected after 15 minutes of inactivity.
    USER jserio
    331 User jserio OK. Password required
    PASS
    230-User jserio has group access to: secwww www jserio
    230-This server supports FXP transfers
    230 OK. Current directory is /home/jserio
    SYST
    215 UNIX Type: L8
    PWD
    257 "/home/jserio" is your current location
    PWD
    257 "/home/jserio" is your current location
    PASV
    227 Entering Passive Mode (127,0,0,1,195,204)
    ftp_list: -3260
    -----

    -----FXP OFF, Passive ON-----
    Connecting to localhost port 21 (11/13/03 3:50:52 PM)
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 1 of 50 allowed.
    220-Local time is now 15:50. Server port: 21.
    220-This is a private system - No anonymous login
    220 You will be disconnected after 15 minutes of inactivity.
    USER jserio
    331 User jserio OK. Password required
    PASS
    230-User jserio has group access to: secwww www jserio
    230 OK. Current directory is /home/jserio
    SYST
    215 UNIX Type: L8
    PWD
    257 "/home/jserio" is your current location
    PWD
    257 "/home/jserio" is your current location
    PASV
    227 Entering Passive Mode (127,0,0,1,195,184)
    ftp_list: -3260
    -----

    -----FXP OFF, PASSIVE OFF-----
    Connecting to localhost port 21 (11/13/03 3:52:15 PM)
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 1 of 50 allowed.
    220-Local time is now 15:52. Server port: 21.
    220-This is a private system - No anonymous login
    220 You will be disconnected after 15 minutes of inactivity.
    USER jserio
    331 User jserio OK. Password required
    PASS
    230-User jserio has group access to: secwww www jserio
    230 OK. Current directory is /home/jserio
    SYST
    215 UNIX Type: L8
    PWD
    257 "/home/jserio" is your current location
    PWD
    257 "/home/jserio" is your current location
    PORT 129,219,92,229,195,87
    500 I won't open a connection to 129.219.92.229 (only to 127.0.0.1)
    ftp_list: -30000
    -----

    Posted 10 years ago #

  • Jim Matthews Administrator

    You definitely want FXP on if you are using SSH tunneling. I would think you'd want PASV on as well, but this exchange from the FXP on, PASV on transcript is puzzling:

    PASV
    227 Entering Passive Mode (127,0,0,1,195,204)

    The server is saying "Connect to me at 127.0.0.1, port 50709". But 127.0.0.1 is the loopback address -- that's telling your Mac to connect back to itself, which doesn't make any sense. The server should be giving its own address. When Fetch follows that instruction it gets a connection refused error (-3260).

    In the FXP on, PASV off case we see:

    PORT 129,219,92,229,195,110
    200-FXP transfer: from 127.0.0.1 to 129.219.92.229
    200 PORT command successful
    LIST
    425 Could not open data connection to port 50030: Invalid argument

    Fetch tells the server to connect to 129.219.92.229, port 50030, but the server says it can't; I'm not sure why.

    What hostname or IP address do you make your SSH tunnel to? Is 129.219.92.229 the correct address for your Mac?

    You mention that a Windows FTP client can use this tunnel; do you have a transcript of its commands? Do you know whether it's using PASV?

    Thanks,

    Jim Matthews
    Fetch Softworks

    Posted 10 years ago #

  • guest Registered Member

    Here's the log from WS_FTP. Note that WS_FTP works fine with or without FXP turned on at the server:

    -----FXP OFF-----
    WINSOCK.DLL: WinSock 2.0
    WS_FTP LE 5.08 2000.01.13, Copyright © 1992-2000 Ipswitch, Inc.
    - -
    connecting to 127.0.0.1:4000
    Connected to 127.0.0.1 port 4000
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 1 of 50 allowed.
    220-Local time is now 09:59. Server port: 21.
    220-This is a private system - No anonymous login
    220 You will be disconnected after 15 minutes of inactivity.
    USER jserio
    331 User jserio OK. Password required
    PASS (hidden)
    230-User jserio has group access to: secwww www jserio
    230 OK. Current directory is /home/jserio
    PWD
    257 "/home/jserio" is your current location
    SYST
    215 UNIX Type: L8
    Host type (S): UNIX (standard)
    PASV
    227 Entering Passive Mode (127,0,0,1,195,82)
    connecting to 127.0.0.1:50002
    - -
    connecting to 127.0.0.1:50002
    Connected to 127.0.0.1 port 50002
    LIST
    150 Accepted data connection
    Received 980 bytes in 0.1 secs, (75.00 Kbps), transfer succeeded
    226-Options: -a -l
    226 15 matches total
    -----

    -----FXP ON-----
    WINSOCK.DLL: WinSock 2.0
    WS_FTP LE 5.08 2000.01.13, Copyright © 1992-2000 Ipswitch, Inc.
    - -
    connecting to 127.0.0.1:4000
    Connected to 127.0.0.1 port 4000
    220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 1 of 50 allowed.
    220-Local time is now 10:04. Server port: 21.
    220-This is a private system - No anonymous login
    220 You will be disconnected after 15 minutes of inactivity.
    USER jserio
    331 User jserio OK. Password required
    PASS (hidden)
    230-User jserio has group access to: secwww www jserio
    230-This server supports FXP transfers
    230 OK. Current directory is /home/jserio
    PWD
    257 "/home/jserio" is your current location
    SYST
    215 UNIX Type: L8
    Host type (S): UNIX (standard)
    PASV
    227 Entering Passive Mode (127,0,0,1,196,82)
    connecting to 127.0.0.1:50258
    - -
    connecting to 127.0.0.1:50258
    Connected to 127.0.0.1 port 50258
    LIST
    150 Accepted data connection
    Received 980 bytes in 0.2 secs, (47.37 Kbps), transfer succeeded
    226-Options: -a -l
    226 15 matches total
    -----

    <i>The server is saying "Connect to me at 127.0.0.1, port 50709". But 127.0.0.1 is the loopback address -- that's telling your Mac to connect back to itself, which doesn't make any sense.</i>

    I see what you mean here, but ssh is tunneling all requests on 127.0.0.1 to the server, but only on port 21. Maybe this is the issue? Looking at the transcripts above for WS_FTP, you can see it happily connects fine to 127.0.0.1:50XXX just fine. The only difference I see between the Mac and Win is that the SSH client on Windows has an option in the tunnel for "ftp". Maybe it properly handles the additional ports?

    Posted 10 years ago #

  • Jim Matthews Administrator

    Yes, I think the Windows SSH program is providing an additional tunnel for the data connection. MacSSH does not do that. I'm still not sure why the server gives you the loopback address in the response to the PASV command. It's as if it knows about or expects the second tunnel, and that's puzzling. Do you know the name of the Windows SSH program?

    Thanks,

    Jim Matthews
    Fetch Softworks

    Posted 10 years ago #
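
Added example, not part of the original thread and not Fetch or Pure-FTPd code: a Python sketch that decodes the `PORT` arguments and `227` PASV replies quoted in the transcripts above into host and port, then reports whether that data connection is covered by a forwarded port. The function names and the `forwarded_ports` set are assumptions for illustration; the sample lines are copied from the transcripts.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as used by PORT and by 227 replies (RFC 959).
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def decode_hostport(line):
    """Return (ip, port) from a PORT command or a 227 PASV reply."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in {line!r}")
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {line!r}")
    # The port is sent as two bytes: high byte p1, low byte p2.
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def data_channel_status(line, forwarded_ports):
    """Classify where the FTP data connection for `line` will go.

    forwarded_ports is a hypothetical input: the local ports the SSH
    client forwards to the server. A single-port tunnel such as the
    MacSSH one in this thread contains only the control port.
    """
    ip, port = decode_hostport(line)
    if line.lstrip().upper().startswith("PORT"):
        # Active mode: the server dials the address the client sent,
        # so the data connection never enters the tunnel.
        return ip, port, "active: server connects outside the tunnel"
    if not ipaddress.ip_address(ip).is_loopback:
        return ip, port, "passive: direct connection, bypasses the tunnel"
    if port in forwarded_ports:
        return ip, port, "passive: data port is forwarded"
    return ip, port, "passive: loopback port not forwarded"


if __name__ == "__main__":
    # Lines copied from the Fetch and WS_FTP transcripts in this thread.
    samples = [
        ("PORT 129,219,92,229,195,110", {4000}),
        ("227 Entering Passive Mode (127,0,0,1,195,204)", {4000}),
        ("227 Entering Passive Mode (127,0,0,1,196,82)", {4000, 50258}),
    ]
    for text, forwarded in samples:
        print(text, "->", data_channel_status(text, forwarded))
```
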

  • guest Registered Member

    The Windows program is SSH 3.3.2 (ssh.com). So am I pretty much out of luck then?

    Posted 10 years ago #

  • Jim Matthews Administrator

    Yes, as far as I can tell you're out of luck. We are working on integrating SSH support into Fetch, but that work is not ready for release.

    Thanks,

    Jim Matthews
    Fetch Softworks

    Posted 10 years ago #

This topic has been closed.