NAT: Ftp fails, wget ftp is fine?

Discussion in 'Apple' started by Evan Platt, Dec 14, 2006.

  1. Evan Platt

    Evan Platt Guest

    Running 10.4 OS/X behind nat on comcast DSL..

    Unable to FTP.

    Basically the connection dies.

    wget ftp is fine:

    # wget
    => `biggerfile'
    Resolving XXX.XXX.XXX.XXX
    Connecting to|XXX.XXX.XXX.XXX|:21... connected.
    Logging in as anonymous ... Logged in!
    ==> SYST ... done. ==> PWD ... done.
    ==> TYPE I ... done. ==> CWD not needed.
    ==> PASV ... done. ==> RETR biggerfile ... done.
    Length: 24,985,965 (24M) (unauthoritative)

    24,985,965 1.50M/s ETA 00:00

    23:36:22 (1.46 MB/s) - `biggerfile' saved [24985965]

    But ftp fails:

    Connected to
    220- This is the anonymous FTP server at, Inc., in
    220- Sunnyvale CA USA.
    220- Problems with the archive may be reported by telephone to +1
    220- XXX-XXXX, or by e-mail to .
    220 FTP server (BSDI Version 7.00LS) ready.
    Name ( anonymous
    331 Guest login ok, send your email address as password.
    230- Welcome to's anonymous FTP server.
    230- This archive contains the tools, installation materials, and
    230- information that we like to make available to our customers and to the
    230- Internet community as a whole. We give a home to a good selection
    230- shareware and freeware programs for many platforms. Have a look,
    230- your stay.
    230- Archivist
    230 Guest login ok, access restrictions apply.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> passive
    Passive mode: off; fallback to active mode: off.
    ftp> get biggerfile
    local: biggerfile remote: biggerfile
    501 Address invalid for your control connection
    200 PORT command successful.

    421 Service not available, remote server timed out. Connection closed

    Any idea what I'm missing?


    Evan Platt, Dec 14, 2006

  2. matt neuburg

    matt neuburg Guest


    sysctl -w net.inet.tcp.keepidle=4800

    matt neuburg, Dec 14, 2006

  3. David Sankey

    David Sankey Guest

    See above.

    My recollection is that most clients default to passive mode and you've
    just turned it off...

    Kind regards,

    David Sankey, Dec 14, 2006
  4. Evan Platt

    Evan Platt Guest

    That says
    net.inet.tcp.keepidle: 144000 -> 4800

    tried that, still no joy:

    ftp> get biggerfile
    local: biggerfile remote: biggerfile
    421 Service not available, remote server has closed connection.


    Evan Platt, Dec 14, 2006
  5. Evan Platt

    Evan Platt Guest

    Did try with the change and without setting passive, no 501 this time,
    but it still fails:

    ftp> get biggerfile
    local: biggerfile remote: biggerfile
    421 Service not available, remote server has closed connection.


    Evan Platt, Dec 14, 2006
  6. Ian Gregory

    Ian Gregory Guest

    Getting FTP through firewalls can be problematic with both active
    and passive. In either case, establishing a control connection
    is not enough - to move any data FTP has to establish a separate
    data connection with different port numbers. If possible you should
    try to do all file transfer using rsync over an ssh connection
    but if that is not an option then this explanation may help:

    Ian Gregory, Dec 14, 2006
  7. Matt

    Matt Guest

    FTP and home network routers don't go together perfectly, basically.

    You probably need a different modem/router that has the intelligence of
    correctly passing the FTP protocol. "El-cheapo" routers mostly won't do
    these things. So keep away from brands like "Sweex" or "SiteCom".

    You'll find good routers from more respectable brands like LinkSys and Draytek.
    I can't tell which specific model of each brand will work with COMcast.
    Matt, Dec 20, 2006
  8. Ian Gregory

    Ian Gregory Guest

    The type of router you are describing works as a basic
    router as far as establishing an FTP control connection but then
    it monitors that connection (effectively working one level up in
    the protocol stack), listening for which port the client or server
    (depending on active/passive mode) is about to try to connect to
    for the data connection. It then quickly opens/forwards that port
    as appropriate so that by the time the connection attempt
    occurs it passes neatly through the hole just created.

    It certainly works, but it is kind of kludgy and I can't help
    feeling that it adds an extra point of vulnerability. Not sure
    how this vulnerability would be exploited but I can certainly
    see how malware could connect out to a fake FTP server and
    then pretend to negotiate an incoming data connection which
    is actually used by some outside system to tunnel in through
    your firewall. Again, I haven't thought how that would actually
    be useful to an attacker if they already had malware running inside
    your firewall but that may just be a lack of imagination or insufficient
    thought, so I would always turn off any such intelligent features
    of any router I had if possible.

    For the most part, things that were once made available by anonymous
    FTP are now provided over HTTP, which just requires a single outgoing
    TCP connection (or by bittorrent, which has some of the same sort of
    firewall issues as FTP). If I want to transfer files to/from the
    server where I have a shell account then FTP is not an option -
    they don't allow it because it is insecure. I have to do all transfers
    using rsync over an ssh connection but that suits me fine because rsync
    is much nicer than FTP anyway.

    Ian Gregory, Dec 20, 2006