On Saturday 26 August 2006 10:49, stephan beal wrote:

> Problem solved: someone pointed out to me that tftp is not ftp. After installing vsftpd it more or less works. (I can connect but can't upload/download. It appears to be a firewall problem, but I'm waiting on the local admin to disable the firewall so I can test.)

**************************************************************************************

The firewall needs to be specifically configured for FTP; on the Cisco PIX enter

    fixup protocol ftp 21

(this is enabled by default). Alternatively, use passive mode FTP, which negates the need for firewall reconfiguration. Standard FTP commands run over port 21, file xfers use port 20; this is why the connection works, but data xfer does not.

== Here's the tech scoop from Cisco ==

Standard mode FTP (also called classic mode FTP) uses two channels for communication. When a client behind a firewall initiates an FTP connection from their host, it opens a standard TCP channel from one of its high-order ports (TCP source port >1023) to destination TCP port 21 on the outside server. This connection is referred to as the control channel. When the client requests data from the server, it tells the server to send the data to a given high-order port. The server acknowledges the request and initiates an inbound connection from its own port 20 to the high-order port that the client requested. This connection is referred to as the data channel (port 20 FTP-DATA).

In the past, it was difficult to allow this inbound connection through the firewall to the requested port on the client without permanently opening port 20 connections from outside servers to inside clients for outbound FTP connections. This creates a huge potential vulnerability by allowing any inbound traffic from any host on the Internet with a TCP source port of 20, regardless of the intent!

Passive mode FTP also uses two channels for communications. The control channel works the same as in a standard FTP connection, but the data channel setup works differently. When requesting data from the server, the client asks the server if it accepts PASV connections. If the server accepts PASV connections, it sends the client a high-order port number to use for the data channel. The client then initiates the data connection from its own high-order port to the port that the server sent. Because the client initiates both the command and data connections, early firewalls could easily support this without exposing inside clients to attack.
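To make the two data-channel setups described above concrete, here is an added Python example (not part of the original thread, nor Cisco's or vsftpd's code). It decodes the `h1,h2,h3,h4,p1,p2` notation that the FTP `PORT` command and the `227 Entering Passive Mode` reply both use, walks a constructed control-channel transcript to work out which side has to open the data connection, and reports the inbound rule a firewall without FTP inspection would need. The client and server addresses, the transcript lines and the ephemeral port are constructed sample values.

```python
"""Added example: decode PORT/PASV and show which side opens the FTP data channel."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 959 host/port tuple: four IPv4 octets followed by the port split as p1*256 + p2.
_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed sample addresses: an inside client behind the firewall and an outside server.
CLIENT_IP = "10.0.0.5"
SERVER_IP = "203.0.113.7"

# Constructed control-channel transcripts ("C:" client, "S:" server); not captured traffic.
SAMPLE_ACTIVE = [
    "C: USER anonymous",
    "S: 331 Please specify the password.",
    "C: PASS guest@example.org",
    "S: 230 Login successful.",
    "C: PORT 10,0,0,5,4,1",          # client asks for data on 10.0.0.5 port 4*256+1 = 1025
    "S: 200 PORT command successful.",
    "C: RETR file.txt",
]
SAMPLE_PASSIVE = [
    "C: PASV",
    "S: 227 Entering Passive Mode (203,0,113,7,195,80).",   # server offers port 195*256+80 = 50000
    "C: RETR file.txt",
]


@dataclass(frozen=True)
class DataChannel:
    mode: str                 # "active" (classic) or "passive"
    src_ip: str               # the side that initiates the TCP connection
    src_port: Optional[int]   # None when the client's ephemeral port is not known yet
    dst_ip: str
    dst_port: int

    @property
    def inbound_to_client(self) -> bool:
        """True when the server opens the connection, so the client's firewall must admit it."""
        return self.mode == "active"


def parse_host_port(text: str) -> Tuple[str, int]:
    """Decode the 'h1,h2,h3,h4,p1,p2' form used by PORT and by the 227 reply."""
    m = _HOST_PORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % text)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def data_channel_from_transcript(lines: List[str], client_ip: str, server_ip: str,
                                 client_ephemeral_port: Optional[int] = None) -> DataChannel:
    """Return the data channel set up by the last PORT command or 227 reply in the transcript.

    Defensive checks a server should apply: a PORT address must be the control connection's
    own peer, and the requested client port must be a high-order port (>1023)."""
    chan = None
    for line in lines:
        side, _, msg = line.partition(": ")
        if side == "C" and msg.upper().startswith("PORT "):
            ip, port = parse_host_port(msg)
            if ip != client_ip:
                raise ValueError("PORT address %s is not the control peer %s" % (ip, client_ip))
            if port <= 1023:
                raise ValueError("PORT asked for privileged port %d" % port)
            # Classic mode: server connects from its port 20 to the client's requested port.
            chan = DataChannel("active", server_ip, 20, ip, port)
        elif side == "S" and msg.startswith("227"):
            ip, port = parse_host_port(msg)
            # Passive mode: client connects from an ephemeral port to the server's high port.
            chan = DataChannel("passive", client_ip, client_ephemeral_port, ip, port)
    if chan is None:
        raise ValueError("transcript contains no PORT command or 227 reply")
    return chan


def stateless_rule_needed(chan: DataChannel) -> str:
    """Inbound rule a firewall without FTP inspection (no 'fixup') would need for this channel."""
    if chan.inbound_to_client:
        # This is the overly broad hole the Cisco text warns about: any host, source port 20.
        return "allow tcp from any:20 to %s:1024-65535" % chan.dst_ip
    return "none beyond the client's own outbound connection"


if __name__ == "__main__":
    for name, transcript in (("active", SAMPLE_ACTIVE), ("passive", SAMPLE_PASSIVE)):
        chan = data_channel_from_transcript(transcript, CLIENT_IP, SERVER_IP, 40001)
        print(name, chan, "->", stateless_rule_needed(chan))
```

The address check on `PORT` is the same idea vsftpd applies when `port_promiscuous` is left at its default of NO: the server refuses to open a data connection to any host other than the one it is talking to on the control channel. The `stateless_rule_needed` output for the active transcript is exactly the "any source port 20 to inside clients" exposure the Cisco text describes, which is why a stateful `fixup protocol ftp 21` (or switching the client to passive mode) is the fix rather than a static rule.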