
Firewall Help (14 posts)

  • Started 16 years ago by Robster
  • Latest reply 16 years ago from Scott McGuire
  • Robster Member

    Hi

    My company ftp server is giving me a nightmare.

    After MUCH trying I have FINALLY been able to connect to it and get a file list but ONLY by turning off my Apple Firewall.

    I really do not want to run with my firewall turned off, it sounds like a recipe for disaster.

    I will ONLY be making outgoing connections, not running an ftp server on my Mac.

    Can anyone help me with how to modify my Firewall to allow ftp use without leaving my self permanently exposed?

    Cheers.

    Robin

    Posted 16 years ago #

  • Scott McGuire Administrator

    Hi Robin,

    If you could provide us with some additional information, we may be able to suggest alternatives to turning your firewall off.

    Could you please do the following?

    * Turn your Mac's firewall back on.
    * Open Fetch.
    * Cancel the New Connection dialog.
    * Choose Preferences from the Fetch menu.
    * Click the General tab (if you're using Fetch 5) or click the Firewall tab (if you're using Fetch 4).
    * Make sure the "Use passive mode transfers (PASV)" checkbox is checked.
    * Click OK (in Fetch 4) or close the Preferences window (Fetch 5).
    * Try connecting to your company's FTP server.

    If you connect successfully, great.

    If you do not connect successfully, choose Fetch Transcript from the Window menu, copy the entire contents of the transcript window, and paste them into a reply to this message.

    We'll take a look and see what your options are.

    Thanks,

    Scott McGuire
    Fetch Softworks

    Posted 16 years ago #

  • Robster Member

    Hi

    I have opened port 21 in my Firewall and made sure PASV is checked.

    Fetch works MUCH better but still I eventually get to a folder that won't display its contents, this may be 3, 4 or 5 levels down.

    With Firewall off I have never not been able to display the contents of a folder.

    Transcript follows:-

    Fetch 5.2.1 (5C263) Intel running on Mac OS X 10.4.9 (8P2137) Intel English
    StuffIt Engine 0x820, StuffIt SDK Version 10.1.1b1
    Partial serial FETCH5X001-H835-YZDZ T
    Connecting to ftp.netuitive.com port 21 (Mac OS X firewall is on) (31/5/07 08:03:14)
    Connected to 208.156.104.247 port 21 (31/5/07 08:03:14)
    220 london Microsoft FTP Service (Version 5.0).
    USER rjackson
    331 Password required for rjackson.
    PASS
    230-*************************
    230-* *
    230-* Netuitive, Inc. *
    230-* This is a secure site *
    230-* *
    230-* Unauthorized access *
    230-* is prohibited. *
    230-* *
    230-*************************
    230 User rjackson logged in.
    SYST
    215 Windows_NT version 5.0
    PWD
    257 "/" is current directory.
    MACB ENABLE
    500 'MACB ENABLE': command not understood
    PWD
    257 "/" is current directory.
    PWD
    257 "/" is current directory.
    Retrieved 4 items from file list cache, stored 30/05/2007 22:19
    CWD Private
    250 CWD command successful.
    PWD
    257 "/Private" is current directory.
    Retrieved 2 items from file list cache, stored 30/05/2007 22:19
    CWD Software
    250 CWD command successful.
    PWD
    257 "/Private/Software" is current directory.
    Retrieved 10 items from file list cache, stored 30/05/2007 22:20
    CWD Microsoft
    250 CWD command successful.
    PWD
    257 "/Private/Software/Microsoft" is current directory.
    Retrieved 7 items from file list cache, stored 30/05/2007 22:20
    CWD DST
    250 CWD command successful.
    PWD
    257 "/Private/Software/Microsoft/DST" is current directory.
    Retrieved 4 items from file list cache, stored 31/05/2007 08:01
    CWD win2000
    250 CWD command successful.
    PWD
    257 "/Private/Software/Microsoft/DST/win2000" is current directory.
    TYPE A
    200 Type set to A.
    PASV
    227 Entering Passive Mode (208,156,104,247,16,47).
    Making data connection to 208.156.104.247 port 4143
    ftp_setup_dataconn() passive mode dataconn failed, result = 1,61
    PORT 192,168,1,80,197,130
    200 PORT command successful.
    LIST -al
    150 Opening ASCII mode data connection for /bin/ls.
    Active mode connection blocked by Mac OS X firewall, port 50562
    ABOR
    425 Can't open data connection.
    225 ABOR command successful.
    ftp_list: 1,61 (state == GETTING_LIST)

    Posted 16 years ago #

  • Scott McGuire Administrator

    Hi Robin,

    There are two methods for connecting to FTP servers, active mode and passive mode. Fetch tries both when trying to connect to a server. Active mode is not compatible with firewalls at all; so Fetch is trying to use passive mode for connecting to your server. Unfortunately, it looks like your server doesn't support passive mode connections.

    So, the reason Fetch works when your firewall is off is because it can use active mode successfully; but when the firewall is on, its only choice is to try passive mode and your server doesn't support it.

    Unfortunately, the way active mode FTP works means you cannot just open up a few ports in your firewall. FTP connections use two ports - one that Fetch talks to the server on (this is port 21), and one that the server talks to Fetch on. The number of the port that the FTP server uses to talk to Fetch is not fixed; it's chosen randomly from a very wide range of port numbers. So you'd have to disable a very wide range of ports on your firewall to make active mode FTP work.

    (For more information about active mode versus passive mode, see the Active and passive FTP topic in Fetch Help, or click the link here.)

    What you should try first is to talk to the folks running your company's server and see if they can fix it so that it supports passive mode connections. Lack of support for passive mode connections is not a problem that affects just you and Fetch; anyone who is running a firewall on their personal computer (Mac or Windows) won't be able to make FTP connections to the company server.

    Another thing you might want to look into is whether your server supports SFTP connections. SFTP works quite a bit differently from FTP and does not have the same problems with firewalls.

    If they will not make this change and SFTP isn't an option, let us know and we will try to advise you further.

    Thanks,

    Scott McGuire
    Fetch Softworks

    [This message has been edited by ScottMcGuire (edited 05-31-2007).]

    Posted 16 years ago #

  • Robster Member

    Hi

    I did try SFTP but that did not work.

    I have managed to connect fine to this ftp site using command line ftp under Windows XP and this machine DID have a firewall enabled.

    Is there a reason why that would work and Fetch would not?

    Cheers.

    Robin

    PS I very much appreciate the help.

    Posted 16 years ago #

  • Scott McGuire Administrator

    Hi Robin,

    That was probably due to some difference in the way the firewall on the Windows XP machine was set up and the standard configuration of the firewall on Mac OS X. Perhaps the Windows XP machine had been configured to have a lot of open ports already.

    You could try the command line ftp client that's built into Mac OS X, and see what happens. To do this:

    * Open the Applications folder.
    * Open the Utilities folder.
    * Open the Terminal application.
    * At the prompt, type:

    ftp your-server-hostname

    * Replace "your-server-hostname" with the hostname (or IP address) for your server.
    * And then press the Return key.
    * Then the command-line ftp client will prompt you for "Name:"; type your username and press the Return key.
    * Then you will be prompted to enter your password; enter your password and press the Return key. (The letters you type won't appear on the screen, for privacy.)
    * At the "ftp>" prompt, type "debug" (no quotes), and press the Return key.
    * Then type "dir" (no quotes), and press the Return key.

    Then please copy the response, and paste it into a reply to this message.

    Thanks,

    Scott McGuire
    Fetch Softworks

    Posted 16 years ago #

  • Robster Member

    Hi

    Did not work properly under Mac.

    Here is the result:-

    230 User rjackson logged in.
    Remote system type is Windows_NT.
    ftp> debug
    Debugging on (debug=1).
    ftp> dir
    ---> EPSV
    500 'EPSV': command not understood
    disabling epsv4 for this connection
    ---> PASV
    227 Entering Passive Mode (208,156,104,247,18,217).
    ---> PORT 192,168,1,64,211,189
    200 PORT command successful.
    ---> LIST
    150 Opening ASCII mode data connection for /bin/ls.

    Posted 16 years ago #

  • Scott McGuire Administrator

    Hi Robin,

    Thanks, that confirms that the problems are not specific to Fetch; as I said, I believe they are caused by the server's lack of support for passive mode and the apparently more strict Mac OS X firewall.

    As I said, I'd ask your server administrator to investigate providing passive mode support; otherwise, you're going to have to open up a wide range of ports in the firewall, which is not very desirable.

    Thanks,

    Scott McGuire
    Fetch Softworks

    Posted 16 years ago #

  • Robster Member

    Hi

    Before I tackle my IT people can I ask a question?

    Why would someone NOT want Passive FTP enabled?

    Is there a security issue or some other issue I am unaware of that would steer a company to not implement passive ftp?

    Cheers.

    Robin

    Posted 16 years ago #

  • Scott McGuire Administrator

    Hi Robin,

    There could be two reasons you can't make passive mode connections to your server successfully: (1) the server software they're running doesn't support it, or (2) the server's firewall is blocking ports that passive support needs to be open.

    So in order to support passive mode connections, your company might have to upgrade their server software, or open additional ports in the server's firewall, or both. They may be reluctant to open ports in their firewall, just as you are - although it would make more sense for the company to carefully configure their firewall to allow passive connections, instead of all the users opening up ports in theirs.

    You might ask them to consider supporting SFTP. That does not require opening additional ports in the firewall on either end (besides the single port necessary to support SFTP), and the connection is encrypted, protecting both your password and your data, so generally it's a better solution all around. But it would probably involve installing and configuring additional software on the server.

    Unfortunately, a lot of the time it's not so much security concerns that prevent folks from making these changes, as unwillingness to spend the time and effort to make changes to an existing setup. I'm not saying that's necessarily the case with your company, though.

    I hope this helps. Thanks,

    Scott McGuire
    Fetch Softworks

    [This message has been edited by ScottMcGuire (edited 06-07-2007).]

    Posted 16 years ago #

  • Scott McGuire Administrator

    Hi Robin,

    Just to follow up on an earlier point... we've done some research to try to find out why active mode FTP connections on Windows work when connecting from a Mac doesn't, if you're curious.

    It turns out that the Windows firewall does some clever snooping when you make FTP connections. It watches the FTP communications to see what port the server is going to try to talk to the FTP client on, and reroutes traffic from that port to a port already open in the firewall in order to allow the connection to succeed.

    Unfortunately, the Mac OS X firewall does not have such a feature, and it's not something Fetch is capable of doing by itself or telling the firewall to do. So this is one case where Windows is doing something better than the Mac...

    Best,

    Scott McGuire
    Fetch Softworks

    Posted 16 years ago #
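The two explanations above (the active/passive description a few posts up, and the note about the Windows firewall watching the control channel) can be checked against the transcripts Robin posted. The script below is an added example for this thread, not Fetch's code and not the Windows firewall's implementation: it parses the `227 Entering Passive Mode` and `PORT` lines (plus the RFC 2428 `229` form), turns the `h1,h2,h3,h4,p1,p2` tuples into the host and port the data connection will actually use, and states which side's firewall must admit that inbound connection. The transcript values work out exactly as Fetch reported them: `(208,156,104,247,16,47)` is port 16*256+47 = 4143, and `PORT 192,168,1,80,197,130` is client port 197*256+130 = 50562, the port the Mac OS X firewall blocked. Note that the server did answer `PASV` with a valid `227`, so the FTP software supports passive mode; what failed was the client's connect to port 4143 (Fetch's `result = 1,61`; if 61 is the Darwin errno, that is `ECONNREFUSED`), which points at a firewall in front of the server rather than the server software. The `alg_pinholes` function is a minimal model of the stateful "snooping" Scott describes: it watches the control lines and opens only the one pinhole each negotiation needs. `probe_passive` is the check to run from the client against the advertised port; it is the one function here that touches the network.

```python
"""Derive FTP data-channel endpoints from control-channel lines and work out
which side's firewall has to admit the data connection.

Added example for this thread; not Fetch code. The sample lines are copied
from the transcripts posted above. alg_pinholes() is a simplified model of a
stateful firewall's FTP helper, not the Windows implementation.
"""
import re
import socket
from dataclasses import dataclass

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): server says where the client must connect.
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# PORT h1,h2,h3,h4,p1,p2: client says where the server must connect back to.
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# 229 Entering Extended Passive Mode (|||port|): RFC 2428; host is the control host.
_EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")


@dataclass(frozen=True)
class DataEndpoint:
    mode: str       # "passive" or "active"
    host: str       # where the data TCP connection is made to
    port: int
    listener: str   # side that must accept the inbound SYN: "server" or "client"


def _tuple_to_endpoint(groups):
    """Decode (h1,h2,h3,h4,p1,p2) into a dotted host and a 16-bit port."""
    host = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    return host, port


def parse_data_endpoint(line, control_host=None):
    """Return the DataEndpoint announced by one control-channel line, else None.

    Accepts raw lines and the '---> ' prefix the BSD ftp client prints in debug mode.
    """
    line = line.strip()
    if line.startswith("---> "):
        line = line[5:]
    m = _PASV_RE.match(line)
    if m:
        host, port = _tuple_to_endpoint(m.groups())
        return DataEndpoint("passive", host, port, "server")
    m = _EPSV_RE.match(line)
    if m:
        return DataEndpoint("passive", control_host or "", int(m.group(1)), "server")
    m = _PORT_RE.match(line)
    if m:
        host, port = _tuple_to_endpoint(m.groups())
        return DataEndpoint("active", host, port, "client")
    return None


def required_pinhole(ep):
    """Describe the inbound allowance the listening side's firewall needs.

    Active mode: the server connects from its port 20 to the client's ephemeral
    port, so the client's host firewall must admit that inbound SYN. Passive
    mode: the client connects to the server's ephemeral port, so the firewall in
    front of the server must admit it. Neither port is fixed, which is why
    opening only port 21 is never enough on its own.
    """
    if ep.mode == "active":
        return {"side": "client", "dst_port": ep.port, "src_port": 20}
    return {"side": "server", "dst_port": ep.port, "src_port": None}


def alg_pinholes(lines, control_host):
    """Model of a firewall FTP helper: watch the control channel and record
    exactly the data-channel pinhole each negotiation needs, nothing wider."""
    holes = []
    for line in lines:
        ep = parse_data_endpoint(line, control_host)
        if ep is not None:
            holes.append((ep.mode, required_pinhole(ep)))
    return holes


def probe_passive(ep, timeout=5.0):
    """Try the advertised PASV endpoint from the client, to tell 'server-side
    firewall refuses/drops it' apart from 'reachable'. Does real network I/O."""
    try:
        with socket.create_connection((ep.host, ep.port), timeout=timeout):
            return "reachable"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:   # includes timeouts (socket.timeout is an OSError)
        return f"unreachable: {exc}"


# Control-channel lines copied from the Fetch transcript in this thread.
FETCH_TRANSCRIPT = [
    "227 Entering Passive Mode (208,156,104,247,16,47).",
    "PORT 192,168,1,80,197,130",
]

if __name__ == "__main__":
    for mode, hole in alg_pinholes(FETCH_TRANSCRIPT, "208.156.104.247"):
        print(f"{mode:7s} -> {hole['side']} firewall must admit dst port {hole['dst_port']}")
```

Running the block as a script prints the two pinholes for the posted session: the server side must admit port 4143 for passive mode, and the client side must admit port 50562 (from source port 20) for active mode. Calling `probe_passive(parse_data_endpoint("227 Entering Passive Mode (208,156,104,247,16,47)."))` from the Mac while the control connection is still open would tell you whether the refusal is reproducible outside Fetch.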

  • Robster Member

    Hi Scott

    Thanks for being so diligent with your answers.

    Now all we need is a feature request to Apple telling them Windows can do something they cannot!!!!!!!!

    Cheers.

    Robin

    Posted 16 years ago #

  • Robster Member

    Hi

    Interestingly when I was speaking to my IT person yesterday and asked why passive ftp is not available he said it IS available it is the firewall that is causing the problem.

    Does this sound right?

    Cheers.

    Robin

    Posted 16 years ago #

  • Scott McGuire Administrator

    Hi Robin,

    A firewall on the server is a problem for passive mode if the administrators don't configure the firewall properly (that is, open the necessary ports) so that passive mode can work with it, yes.

    Thanks,

    Scott McGuire
    Fetch Softworks

    Posted 16 years ago #
