UPDATE Strange FTP problem

From: lawries@btinternet.com
Date: Thu Apr 10 2003 - 09:15:38 EDT


I have had no replies to this one yet but,

The error message:
425 Can't build data connection: Connection refused.

My investigations all point to a network issue relating to firewalls.
One suggestion is to use passive FTP. You can try this: the Tru64 ftpd
supports passive mode FTP. The Tru64 FTP server chooses a random high-numbered
port for the return FTP-data connection, which thus can't be
tunnelled unless the client instructs the server to use PASV mode.

Because the Tru64 FTP server uses separate TCP connections for data
transfer (which includes directory listings), on dynamically negotiated
ports, this would explain the erratic behaviour you have noted when using
a DOS FTP session. As FTP uses dynamic port allocation, it would only
take one closed port to be encountered to queer the session.

When you establish a connection to an FTP server the actual port numbers used vary a great deal.
There are two types of FTP connection and they are described below:

Active FTP Operation:
The active mode of operation is less secure than the passive mode.
This mode of operation complicates the construction of firewalls,
because the firewall must anticipate the connection from the FTP
server back to the client program.
The steps of this mode of operation are discussed below:

The client opens a control channel (port 21) to the server and tells
the server the port number to respond on. This port number is a
randomly determined port greater than 1023.

The server receives this information and sends the client an acknowledgement "OK" (ack).
The client and server exchange commands on this control connection.
When the user requests a directory listing or initiates the sending or receiving of a file,
the client software sends a "PORT" command that includes a port number > 1023 that the
client wishes the server to use for the data connection.
The server then opens a data connection from port 20 to the client's port number,
as provided to it in the "PORT" command.

Passive FTP Operation:
This mode of operation is assumed to be more secure because all the connections
are being initiated from the client, so there is less chance that the connection
will be compromised. The reason it is called passive is that the server performs
a "passive open." The steps of this mode of operation are discussed below:

In passive FTP, the client opens a control connection on port 21 to the server,
and then requests passive mode through the use of the "PASV" command.
The server agrees to this mode, and then selects a random port number (>1023).
It supplies this port number to the client for data transfer.
The client receives this information and opens a data channel to the server assigned port.
The server receives the data and sends an "OK" (ack).

You will need to allow connections that originate from the server on ports larger
than 1024 (the dynamic ports for TCP/IP) to go out.
Note that for security, do not allow the reverse.
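To make the two exchanges above concrete, here is an added worked example (not code from the original post, and not Tru64's ftpd): it builds the "PORT" command an active-mode client sends, parses the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply a passive-mode server returns, and reports which side opens the data connection and between which endpoints, which is exactly the flow a firewall has to permit. It goes beyond the two specific cases in the text in that it handles any IPv4 address and any dynamic port, rejecting ports at or below 1023. The address and port formats are the standard RFC 959 ones (port = p1 * 256 + p2); the hosts 192.0.2.25 and 192.0.2.10 and the ports used are constructed sample values.

```python
"""Active vs. passive FTP: the PORT / PASV messages and which side opens the
data connection.  Added example, not code from the original post or Tru64.
Addresses and ports below are constructed sample values."""
import re

# Six comma-separated decimal fields: four address octets, then p1 and p2.
_SIX_NUMBERS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _split_port(port):
    """Encode a TCP port as the (p1, p2) pair used by PORT and PASV."""
    if not 1024 <= port <= 65535:
        # Both modes use a dynamically allocated data port above 1023.
        raise ValueError(f"data port must be in 1024..65535, got {port}")
    return port // 256, port % 256


def build_port_command(client_ip, client_port):
    """Active mode: the command the client sends so the server can connect
    back from its port 20 to client_ip:client_port."""
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {client_ip}")
    p1, p2 = _split_port(client_port)
    return f"PORT {','.join(octets)},{p1},{p2}"


def parse_pasv_reply(reply):
    """Passive mode: parse the server's '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'
    reply and return (server_ip, data_port) that the client must connect to."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV success reply: {reply!r}")
    m = _SIX_NUMBERS.search(reply)
    if m is None:
        raise ValueError(f"no address tuple in PASV reply: {reply!r}")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_connection(mode, client_ip, server_ip, client_port=None, pasv_reply=None):
    """Return who opens the data connection and between which endpoints.
    A firewall between the two hosts must permit exactly this flow; if it
    refuses the server's inbound connect in active mode, the server reports
    '425 Can't build data connection: Connection refused.'"""
    if mode == "active":
        # Server connects from port 20 to the port the client named in PORT.
        return {"initiator": "server",
                "src": (server_ip, 20),
                "dst": (client_ip, client_port),
                "control": build_port_command(client_ip, client_port)}
    if mode == "passive":
        # Client connects from an ephemeral port to the port the server named in 227.
        host, port = parse_pasv_reply(pasv_reply)
        return {"initiator": "client",
                "src": (client_ip, "ephemeral"),
                "dst": (host, port),
                "control": "PASV"}
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    # Constructed sample: client 192.0.2.25 talking to server 192.0.2.10.
    print(data_connection("active", "192.0.2.25", "192.0.2.10", client_port=50001))
    print(data_connection("passive", "192.0.2.25", "192.0.2.10",
                          pasv_reply="227 Entering Passive Mode (192,0,2,10,195,89)."))
```

Running it shows the asymmetry that matters for the firewall: in active mode the server is the initiator (source port 20, destination the client's dynamic port), so a client-side firewall that only passes outbound port 21 will refuse that connect; in passive mode the client initiates both connections, so only outbound traffic from the client has to be allowed.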

Other ideas:
Sounds like port 21 is open on a firewall, and port 20 is closed.

You could try using the "sendport" ftp command, which toggles
the use of a separate data connection for data exchange.

You could try the "trace" ftp command, which toggles packet tracing.



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:49:15 EDT