Ok, I'm hoping someone can give me a hand as I'm out of ideas.

I have Novell's FTP server running on a 6.5sp6 Netware box.

If I unload ipflt on my border 3.9 box everything works fine.

With the filters only ACTIVE connections work. PASV connections the user
can login and at the PASV command the connection hangs, receives a blocking
call and disconnects after maybe a minute or two.

I've used the builtin BM filter ftp_port_pasv_st This has added not
only this exception in my filter list but two for DNS.

However it doesn't work.

What is the trick to getting incoming PASV ftp connections to work without
opening out ever port to my netware box.

Thank you

tim

Tim,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your problem been resolved? If not, you might try one of the following options:

- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://support.novell.com/forums/faq_general.html

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your Novell Product Support Forums Team
http://support.novell.com/forums/

In article <xF8mk.14762$g35.6441@kovat.provo.novell.com>, Tim Ashman wrote:
> What is the trick to getting incoming PASV ftp connections to work without
> opening out ever port to my netware box.
>
You talking about FTP reverse proxy, FTP over NAT for inbound? I'm not
sure that PASV mode works over a NAT connection - filtering off or not.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***

Craig Johnson wrote:

> In article <xF8mk.14762$g35.6441@kovat.provo.novell.com>, Tim Ashman
> wrote:
>> What is the trick to getting incoming PASV ftp connections to work
>> without opening out ever port to my netware box.
>>
> You talking about FTP reverse proxy, FTP over NAT for inbound? I'm not
> sure that PASV mode works over a NAT connection - filtering off or not.
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://www.craigjconsulting.com ***

The ftp server works when I unload ipflt's. With the filters up I get to
the username and password, then it hangs. I've seen others post about this
problem but I never saw a resolution, I'm using the bordermanager filter
exceptions, and if I do an active connection it works but passive it hangs.

I also read somewhere that if I host the "netware" ftp server on the
bordermanager it will work since I could then use the ftp proxy but I don't
really want to do that.

My main reason for using the netware ftp is that I wish to easily control
access to the upload and download directories.

Any help would be great. I can also post the error or hang that I get.

thanks craig

tim

In article <v5Duk.2748$gS5.951@kovat.provo.novell.com>, Tim Ashman wrote:
> Any help would be great. I can also post the error or hang that I get.
>
Be sure you have only ONE inbound FTP filter exception -
ftp-port-pasv-st. If you have several, they can overlap and interfere
with each other.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***

Craig Johnson wrote:

> In article <v5Duk.2748$gS5.951@kovat.provo.novell.com>, Tim Ashman wrote:
>> Any help would be great. I can also post the error or hang that I get.
>>
> Be sure you have only ONE inbound FTP filter exception -
> ftp-port-pasv-st. If you have several, they can overlap and interfere
> with each other.
>
> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files and books on
> BorderManager, go to http://www.craigjconsulting.com ***

I only have one incoming (for the server) and one outgoing for normal user
ftp usage. The two filters are basically setup like this

Both are ftp-port-pasv-st

for the users I go from interface private to public stateful with no
destination restrictions.

for the ftp server I go from interface public to private and have the
destination set to my internal ftp server.

I just checked again and here is the output from my attempt to use the ftp
server. I can login successfully but as soon as I try any command like ls
this happens.

331 Password Needed for Login
Password:
230 User guest Logged in Successfully
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 'EPSV' : Unknown Command

any help would be great. Like I said before if I unload ipflt on the
bordermanager the ftp works great.

thanks

tim

Tim Ashman wrote:


> 500 'EPSV' : Unknown Command

Disable EPSV, probaly EPSV4, on your ftp client.

Gonzalo

Mysterious wrote:

> Tim Ashman wrote:
>
>
>> 500 'EPSV' : Unknown Command
>
> Disable EPSV, probaly EPSV4, on your ftp client.
>
> Gonzalo

Thank you, I'll have a look, however the problem is that I don't want to
have to tell everyone who uses this service to do that. It just needs to
work, Is this the protocol that the border manager is getting hung up on?

tim

Tim Ashman wrote:
> Mysterious wrote:
>
>> Tim Ashman wrote:
>>
>>
>>> 500 'EPSV' : Unknown Command
>> Disable EPSV, probaly EPSV4, on your ftp client.
>>
>> Gonzalo
>
> Thank you, I'll have a look, however the problem is that I don't want to
> have to tell everyone who uses this service to do that. It just needs to
> work, Is this the protocol that the border manager is getting hung up on?
>
> tim

could be. After the 500 code, server should send a 2xx entering pasv
mode. Could be that this one is failing. To be sure, use pktscan.nlm at
the bm server and take 2 traces, one with filters, one without and
compare them to see which one is failing. If you disable EPSV and then
it works with the standard pasv filter, then you've found the issue.

Gonzalo