I am interested in your comment about Network Address Translation not being happy with FTP. Every one of my private IP's has been through 2 translations, however this is done via hardware and my assumption is that you are referring to Suse's Firewall Masquerading option (software via SPF) Via Hardware I can happily Translate 100,000 concurrent sessions without issue. Perhaps we need to sometimes remember security starts at the plug in the wall and ends at the desktop not the other way around Just a thought Scott M Harris wrote:

On Tuesday 17 April 2007 17:02, Matthew Stringer wrote:

...

What I'm hoping to achieve is to create a bastion host box that allows SSH connections from anywhere, I can then create users on that box who'll be able to create an SSH tunnel to the FTP machines.

I have not run ftp /or telnet in production for years.

... the ssh tunnel is ok, but you could try scp instead of ftp.

In your situation you might try passive ftp... but either way its not the best. From the looks of things the passive connection back is not working. Standard ftp requires two sockets... one to make the connection (commands) and the other to transmit the data... looks like the data socket isn't authorized or is failing for some other reason. Are the boxes behind a firewall on an 192.168 network using NAT (masquerading)? FTP does not masquerade well without the ftp fix.

But back to my first point... really, IMHO you would do well to try scp. I move files on my systems (even to the outside) exclusively with scp... its the secure copy that ships with ssh.... can be compressed, encrypted, and frankly is more flexible than FTP IMO.

On Wednesday 18 April 2007 03:29, M Harris wrote:

On Tuesday 17 April 2007 19:52, Registration Account wrote:

...

I am interested in your comment about Network Address Translation not being happy with FTP.

hi Scott-- its a linux NAT thing. It depends on your distro... and how much you know about NAT (configuration)... but basically there are some services that have not worked well (historically) with masquerading (the linux software implementation of NAT). Special modules were always required for instance to fix irc and ftp in order to work through ip_masq. Hardware NAT may not have this problem. The thing is that some firewalls/routers are really older (very much older) linux systems using ip_masq and ip_chains, and may not be setup properly with the fix modules for ftp and irc. So, its something to look into.

-- Kind regards,

M Harris <>< Tell your users to use passive mode... This uses the current (working) connection to transfer the data.

Jerry P.S. I have my clients install winscp3. It's free and simple to use, therefore they manage to use scp.... -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

M Harris wrote:

On Tuesday 17 April 2007 17:02, Matthew Stringer wrote:

...

What I'm hoping to achieve is to create a bastion host box that allows SSH connections from anywhere, I can then create users on that box who'll be able to create an SSH tunnel to the FTP machines. I have not run ftp /or telnet in production for years.

... the ssh tunnel is ok, but you could try scp instead of ftp.

In your situation you might try passive ftp... but either way its not the best. From the looks of things the passive connection back is not working. Standard ftp requires two sockets... one to make the connection (commands) and the other to transmit the data... looks like the data socket isn't authorized or is failing for some other reason. Are the boxes behind a firewall on an 192.168 network using NAT (masquerading)? FTP does not masquerade well without the ftp fix.

But back to my first point... really, IMHO you would do well to try scp. I move files on my systems (even to the outside) exclusively with scp... its the secure copy that ships with ssh.... can be compressed, encrypted, and frankly is more flexible than FTP IMO.

True SCP is preferable but I have users running a Win32 program that only uses FTP so I can't use SFTP or SCP or anything else here. All machines are on the internet, no NAT'ing or internal networks here. What I don't understand is that if I use ftp -A localhost -p xxxxx it still tries the passive mode rather than forcing active. Matthew -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

On 4/18/07, David Brodbeck wrote:

Matthew Stringer wrote:

...

True SCP is preferable but I have users running a Win32 program that only uses FTP so I can't use SFTP or SCP or anything else here. All machines are on the internet, no NAT'ing or internal networks here.

Any chance you can get them to use WinSCP? It's a fairly user-friendly Windows SCP/SFTP/FTP client. http://winscp.net/eng/index.php

First -- Can't you see the text that you quoted from the OP? His users have *some win32 app* that uses FTP -- my guess is he means that the win32 app has an ftp process built into it.. Second -- I prefer to point people to filezilla, as it is published under the GPL - winscp is not: http://sourceforge.net/projects/filezilla/ works great, easy to use -- all the advantages of winscp and GPL, too Peter -- "Do not be idolatrous or bound to any doctrine, theory or ideology, even Buddhist ones. All systems of thought are guiding means, not absolute truth." Thich Nhat Hanh, Vietnamese monk. http://www.seaox.com/thich.html www.the-brights.net -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Peter Van Lone wrote:

On 4/18/07, Peter Van Lone erroneously and egregiously wrote:

...

Second -- I prefer to point people to filezilla, as it is published under the GPL - winscp is not:

well shit ...

I have to retract my comment. I was certain that winscp was a closed source product ... at least that is what I have believed for a couple years, now.

But, I just checked, and I find:

"License

WinSCP is free, open-source software, and is distributed under the GNU General Public License (GPL). [More"

I am really sorry. I still also like filezilla, but I have to take back all the things I've said about winscp.

Peter Bit surprised no-one has mentioned PuTTY a rather useful SFTP and SSH set of tools, also opensource, multi-plaform (although I have yet to get the Symbian variant to work on my 9500 :-)). -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

Tue, 17 Apr 2007, by harrismh777@earthlink.net:

On Tuesday 17 April 2007 17:02, Matthew Stringer wrote:

...

What I'm hoping to achieve is to create a bastion host box that allows SSH connections from anywhere, I can then create users on that box who'll be able to create an SSH tunnel to the FTP machines. I have not run ftp /or telnet in production for years.

... the ssh tunnel is ok, but you could try scp instead of ftp.

In your situation you might try passive ftp... but either way its not the best. From the looks of things the passive connection back is not working. Standard ftp requires two sockets... one to make the connection (commands) and the other to transmit the data... looks like the data socket isn't authorized or is failing for some other reason. Are the boxes behind a firewall on an 192.168 network using NAT (masquerading)? FTP does not masquerade well without the ftp fix.

But back to my first point... really, IMHO you would do well to try scp. I move files on my systems (even to the outside) exclusively with scp... its the secure copy that ships with ssh.... can be compressed, encrypted, and frankly is more flexible than FTP IMO.

If scp, or sFTP would only support virtual user. I'd like to offer users on the FTP server I maintain scp/sFTP, but setting up chroot/scponly is just too much hassle compared to the simple vsftp virtual user setup. Theo -- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 26N , 4 29 47E. + ICQ: 277217131 SUSE 10.2 + Jabber: muadib@jabber.xs4all.nl Kernel 2.6.18 + See headers for PGP/GPG info. Claimer: any email I receive will become my property. Disclaimers do not apply. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org