haberg@math.su.se (Hans Aberg) writes:

> I have encountered a site where (non-anonymous) FTP from a GUI works fine,
> but not from the console. The latter gives results like:
>
> $ ftp user@ftp.foobar.se
> Connected to ftp.foobar.basefarm.net.
> 220 FTP-server at your command
> 331 Password required for user.
> Password:
> 230 Access granted for user
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 229 Entering Extended Passive Mode (|||54043|)
> 200 EPRT command successful
> 425 Unable to build data connection: Connection refused
> ftp>
> ...
>
> So I wonder:
> * What commands might the GUI FTP program (that works) send?
> * What might cause the error above?

Connection refused indicates some network port blocking going on.

Try the

ftp> pasv

command as the first command you enter to set it to use passive mode,
which perhaps the console ftp client is trying automagically.



--
Todd H.
http://www.toddh.net/

In article <844pmne41n.fsf@ripco.com>, comphelp@toddh.net (Todd H.) wrote:

> > I have encountered a site where (non-anonymous) FTP from a GUI works fine,
> > but not from the console.
....
> > 229 Entering Extended Passive Mode (|||54043|)
> > 200 EPRT command successful
> > 425 Unable to build data connection: Connection refused

> Connection refused indicates some network port blocking going on.
>
> Try the
>
> ftp> pasv
>
> command as the first command you enter to set it to use passive mode,
> which perhaps the console ftp client is trying automagically.

Thanks for the suggestion. My /usr/bin/ftp (Mac OS X, version 10.4.9)
calls that command 'passive'. No, that*does not help, and none of the
other options.

I just found out that 'ncftp' works. The GUI
program that works (Transmit) uses the library version of this program.

It is a strange thing though, that the standard UNIX 'ftp' does not work.

Hans Aberg

In article ,
haberg@math.su.se (Hans Aberg) wrote:

> In article <844pmne41n.fsf@ripco.com>, comphelp@toddh.net (Todd H.) wrote:
>
> > > I have encountered a site where (non-anonymous) FTP from a GUI works fine,
> > > but not from the console.
> ...
> > > 229 Entering Extended Passive Mode (|||54043|)
> > > 200 EPRT command successful
> > > 425 Unable to build data connection: Connection refused
>
> > Connection refused indicates some network port blocking going on.
> >
> > Try the
> >
> > ftp> pasv
> >
> > command as the first command you enter to set it to use passive mode,
> > which perhaps the console ftp client is trying automagically.
>
> Thanks for the suggestion. My /usr/bin/ftp (Mac OS X, version 10.4.9)
> calls that command 'passive'. No, that*does not help, and none of the
> other options.
>
> I just found out that 'ncftp' works. The GUI
> program that works (Transmit) uses the library version of this program.
>
> It is a strange thing though, that the standard UNIX 'ftp' does not work.

Are you going through a NAT router of some kind? It might not recognize
the EPRT command, so it's not opening up the correct port.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

In article , Barry
Margolin wrote:

> > > > I have encountered a site where (non-anonymous) FTP from a GUI
works fine,
> > > > but not from the console.
> > ...
> > > > 229 Entering Extended Passive Mode (|||54043|)
> > > > 200 EPRT command successful
> > > > 425 Unable to build data connection: Connection refused
> >
> > > Connection refused indicates some network port blocking going on.

> > I just found out that 'ncftp' works. The GUI
> > program that works (Transmit) uses the library version of this program.
> >
> > It is a strange thing though, that the standard UNIX 'ftp' does not work.
>
> Are you going through a NAT router of some kind?

No network address translation - I have a full IP address on my own. :-)

> It might not recognize
> the EPRT command, so it's not opening up the correct port.

I have used the program /usr/bin/ftp on several other sites, with no
problems, plus the program ncftp works. So the problems do not seem to be
with me. And above, it is said that the EPRT command is successful, but is
"unable to build data connection". And I have tried indicating the port
explicitly.

I can do:
ftp> system
215 UNIX Type: L8
But I am not sure what "L8" is.

Hans Aberg

In article ,
haberg@math.su.se (Hans Aberg) wrote:

> In article , Barry
> Margolin wrote:
>
> > > > > I have encountered a site where (non-anonymous) FTP from a GUI
> works fine,
> > > > > but not from the console.
> > > ...
> > > > > 229 Entering Extended Passive Mode (|||54043|)
> > > > > 200 EPRT command successful
> > > > > 425 Unable to build data connection: Connection refused
> > >
> > > > Connection refused indicates some network port blocking going on.
>
> > > I just found out that 'ncftp' works. The GUI
> > > program that works (Transmit) uses the library version of this program.
> > >
> > > It is a strange thing though, that the standard UNIX 'ftp' does not work.
> >
> > Are you going through a NAT router of some kind?
>
> No network address translation - I have a full IP address on my own. :-)
>
> > It might not recognize
> > the EPRT command, so it's not opening up the correct port.
>
> I have used the program /usr/bin/ftp on several other sites, with no
> problems, plus the program ncftp works. So the problems do not seem to be
> with me. And above, it is said that the EPRT command is successful, but is
> "unable to build data connection". And I have tried indicating the port
> explicitly.

The EPRT command simply tells the server what port to connect to; its
success doesn't mean much. But it doesn't actually try to connect to it
until the client sends the STOR or RECV command that initiates the file
transfer. The error you're getting indicates that when it tries to
connect to this port, it fails because your machine isn't listening on
the port. I don't know why this would happen if there's no NAT box in
the way.

Does this happen with all FTP servers, or just this one? Maybe there's
a firewall at the server site and it doesn't understand EPRT.

>
> I can do:
> ftp> system
> 215 UNIX Type: L8
> But I am not sure what "L8" is.

It's the default transfer type that the server uses. L8 means that it
sends 8-bit bytes in local format. It has nothing to do with this issue.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

In article , Barry
Margolin wrote:

> Does this happen with all FTP servers, or just this one?

It happens only at my ISPs site when using the standard /usr/bin/ftp that
comes with Mac OS X, version 10.4.9 (latest), but no other site I know of
and ncftp works on this site as well.

> Maybe there's
> a firewall at the server site and it doesn't understand EPRT.

It could be that the server cannot handle EPRT correctly: When I check the
log of "Transmit", which uses the ncftp library, it does not seem to issue
an EPRT command.

> The EPRT command simply tells the server what port to connect to; its
> success doesn't mean much. But it doesn't actually try to connect to it
> until the client sends the STOR or RECV command that initiates the file
> transfer. The error you're getting indicates that when it tries to
> connect to this port, it fails because your machine isn't listening on
> the port. I don't know why this would happen if there's no NAT box in
> the way.

So then this might explain the error message I get:
> > > > > 200 EPRT command successful
> > > > > 425 Unable to build data connection: Connection refused
Then my client /usr/bin/ftp might issue an EPRT, and then the server fails
to recognize it properly, and of course, the data connection fails.

Hans Aberg

In article ,
haberg@math.su.se (Hans Aberg) wrote:

> In article , Barry
> Margolin wrote:
>
> > Does this happen with all FTP servers, or just this one?
>
> It happens only at my ISPs site when using the standard /usr/bin/ftp that
> comes with Mac OS X, version 10.4.9 (latest), but no other site I know of
> and ncftp works on this site as well.
>
> > Maybe there's
> > a firewall at the server site and it doesn't understand EPRT.
>
> It could be that the server cannot handle EPRT correctly: When I check the
> log of "Transmit", which uses the ncftp library, it does not seem to issue
> an EPRT command.
>
> > The EPRT command simply tells the server what port to connect to; its
> > success doesn't mean much. But it doesn't actually try to connect to it
> > until the client sends the STOR or RECV command that initiates the file
> > transfer. The error you're getting indicates that when it tries to
> > connect to this port, it fails because your machine isn't listening on
> > the port. I don't know why this would happen if there's no NAT box in
> > the way.
>
> So then this might explain the error message I get:
> > > > > > 200 EPRT command successful
> > > > > > 425 Unable to build data connection: Connection refused
> Then my client /usr/bin/ftp might issue an EPRT, and then the server fails
> to recognize it properly, and of course, the data connection fails.

If the server didn't recognize EPRT, it wouldn't respond "200 EPRT
command successful".

This is why I think that the problem is due to a device *between* the
client and server. The device is passing the EPRT command and response
through transparently, but isn't recognizing that it needs to open the
port that's mentioned in the command. Most NAT boxes and firewalls
special-case the PORT command, and they need to handle EPRT similarly,
but they might not.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

In article , Barry
Margolin wrote:

> > So then this might explain the error message I get:
> > > > > > > 200 EPRT command successful
> > > > > > > 425 Unable to build data connection: Connection refused
> > Then my client /usr/bin/ftp might issue an EPRT, and then the server fails
> > to recognize it properly, and of course, the data connection fails.
>
> If the server didn't recognize EPRT, it wouldn't respond "200 EPRT
> command successful".
>
> This is why I think that the problem is due to a device *between* the
> client and server. The device is passing the EPRT command and response
> through transparently, but isn't recognizing that it needs to open the
> port that's mentioned in the command. Most NAT boxes and firewalls
> special-case the PORT command, and they need to handle EPRT similarly,
> but they might not.

OK. But the EPRT command is somehow not handled properly. It may then not
actually be the server software that is at fault. But I just have modem,
no router.

I notice now, that when I use the same /usr/bin/ftp on other sites, no
EPRT command is issued. For example, the chess program Crafty's site:
$ ftp ftp://ftp.cis.uab.edu/pub/hyatt/
....
ftp> ls
229 Entering Extended Passive Mode (|||47472|)
150 Here comes the directory listing.
....

This is different from my ISPs ftp site:
ftp> ls
229 Entering Extended Passive Mode (|||58390|)
200 EPRT command successful
425 Unable to build data connection: Connection refused
....

So, so somehow, EPRT shows up when /usr/bin/ftp is used on this site, but
not with other ftp programs on this site, nor this program on other sites.
Peculiar. :-)

Hans Aberg

In article ,
haberg@math.su.se (Hans Aberg) wrote:

> OK. But the EPRT command is somehow not handled properly. It may then not
> actually be the server software that is at fault. But I just have modem,
> no router.

You don't have a router, but there could be one at the SERVER end. I
said this several messages upthread.

>
> I notice now, that when I use the same /usr/bin/ftp on other sites, no
> EPRT command is issued. For example, the chess program Crafty's site:
> $ ftp ftp://ftp.cis.uab.edu/pub/hyatt/
> ...
> ftp> ls
> 229 Entering Extended Passive Mode (|||47472|)
> 150 Here comes the directory listing.
> ...
>
> This is different from my ISPs ftp site:
> ftp> ls
> 229 Entering Extended Passive Mode (|||58390|)
> 200 EPRT command successful
> 425 Unable to build data connection: Connection refused
> ...
>
> So, so somehow, EPRT shows up when /usr/bin/ftp is used on this site, but
> not with other ftp programs on this site, nor this program on other sites.
> Peculiar. :-)

Try turning on debug mode to see all the commands and replies.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

In article , Barry
Margolin wrote:

> You don't have a router, but there could be one at the SERVER end. I
> said this several messages upthread.

I understood that you thought it might be some hardware on the server side.

> > So, so somehow, EPRT shows up when /usr/bin/ftp is used on this site, but
> > not with other ftp programs on this site, nor this program on other sites.
> > Peculiar. :-)
>
> Try turning on debug mode to see all the commands and replies.

On the site:
ftp> ls
---> TYPE A
200 Type set to A
---> EPSV
229 Entering Extended Passive Mode (|||55291|)
---> EPRT |1|83.250.192.69|52641|
200 EPRT command successful
---> LIST
425 Unable to build data connection: Connection refused

Here, 83.250.192.69 is the IP-number of my machine. I don't know what the
|1| and |52641| parts mean.

On another site:
$ ftp -d ftp://alpha.gnu.org/
....
ftp> ls
---> TYPE A
200 Switching to ASCII mode.
---> EPSV
229 Entering Extended Passive Mode (|||15250|)
---> LIST
150 Here comes the directory listing.
....

The only difference I can note is that the EPRT command isn't issued. When
the EPRT command is being issued, it becomes successful, but the LIST
command following it fails. When the EPRT command isn't issued, the LIST
command following it has no problems.

Hans Aberg

In article ,
haberg@math.su.se (Hans Aberg) wrote:

> In article , Barry
> Margolin wrote:
>
> > You don't have a router, but there could be one at the SERVER end. I
> > said this several messages upthread.
>
> I understood that you thought it might be some hardware on the server side.
>
> > > So, so somehow, EPRT shows up when /usr/bin/ftp is used on this site, but
> > > not with other ftp programs on this site, nor this program on other sites.
> > > Peculiar. :-)
> >
> > Try turning on debug mode to see all the commands and replies.
>
> On the site:
> ftp> ls
> ---> TYPE A
> 200 Type set to A
> ---> EPSV
> 229 Entering Extended Passive Mode (|||55291|)
> ---> EPRT |1|83.250.192.69|52641|
> 200 EPRT command successful
> ---> LIST
> 425 Unable to build data connection: Connection refused
>
> Here, 83.250.192.69 is the IP-number of my machine. I don't know what the
> |1| and |52641| parts mean.

1 means IPv4 (it would be 2 for IPv6), and 52641 is the port number that
the client is listening for data connections on.

I'm not sure why it's doing this when it has already negotiated passive
mode. Maybe it encountered an error trying to connect to the server on
port 55291, so it's trying active mode as a fallback.

Can you run a sniffer and see if it's trying to connect to 55291?

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

In article , Barry
Margolin wrote:

> > On the site:
> > ftp> ls
> > ---> TYPE A
> > 200 Type set to A
> > ---> EPSV
> > 229 Entering Extended Passive Mode (|||55291|)
> > ---> EPRT |1|83.250.192.69|52641|
> > 200 EPRT command successful
> > ---> LIST
> > 425 Unable to build data connection: Connection refused
> >
> > Here, 83.250.192.69 is the IP-number of my machine. I don't know what the
> > |1| and |52641| parts mean.
>
> 1 means IPv4 (it would be 2 for IPv6), and 52641 is the port number that
> the client is listening for data connections on.
>
> I'm not sure why it's doing this when it has already negotiated passive
> mode. Maybe it encountered an error trying to connect to the server on
> port 55291, so it's trying active mode as a fallback.
>
> Can you run a sniffer and see if it's trying to connect to 55291?

Then you will have to instruct me. :-) Though mentioned before, ncftp on
the same site does not result in the EPRT command being issued, nor does
it happens with ftp on other sites. So there is something specific in the
combination of /usr/bin/ftp interacting with this particular site.

Hans Aberg

In article ,
haberg@math.su.se (Hans Aberg) wrote:

> In article , Barry
> Margolin wrote:
>
> > > On the site:
> > > ftp> ls
> > > ---> TYPE A
> > > 200 Type set to A
> > > ---> EPSV
> > > 229 Entering Extended Passive Mode (|||55291|)
> > > ---> EPRT |1|83.250.192.69|52641|
> > > 200 EPRT command successful
> > > ---> LIST
> > > 425 Unable to build data connection: Connection refused
> > >
> > > Here, 83.250.192.69 is the IP-number of my machine. I don't know what the
> > > |1| and |52641| parts mean.
> >
> > 1 means IPv4 (it would be 2 for IPv6), and 52641 is the port number that
> > the client is listening for data connections on.
> >
> > I'm not sure why it's doing this when it has already negotiated passive
> > mode. Maybe it encountered an error trying to connect to the server on
> > port 55291, so it's trying active mode as a fallback.
> >
> > Can you run a sniffer and see if it's trying to connect to 55291?
>
> Then you will have to instruct me. :-) Though mentioned before, ncftp on
> the same site does not result in the EPRT command being issued, nor does
> it happens with ftp on other sites. So there is something specific in the
> combination of /usr/bin/ftp interacting with this particular site.

In another Terminal window do:

sudo tcpdump -s 1500 -w filename host servername

then do the ftp in the first terminal window. After the error, go to
the tcpdump window, type Control-C, and then mail me the file.

--
Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***