Switches, Hubs, and Modems

Can't FTP from WAN

FrAnK
Advisor

Hello Guys, I have two (HP 9000) UNIX machines (D-370 & D-380) and one Windows. These are on (LAN); instead of a HUB I'm using (Internet Sharing Router). Assigned each machine an IP address. Locally, I can FTP from UNIX to Windows or vice versa. On my Internet sharing router, if I set up Windows as a Virtual FTP server, I can FTP to Windows, anywhere from outside (WAN). But if I set up a Virtual FTP server for the UNIX machine on the Internet sharing router, why can't I FTP from outside (WAN)?
Setting up a Virtual Server on the Internet Sharing Router just redirects INCOMING requests from WAN to an assigned IP address. Since it is working for Windows, why can't I FTP to the UNIX machine from WAN, even though it works locally?

And is there any way I can Telnet to the HP-UX or Windows machines at home from WAN? 'Cuz as far as I know, ISPs have firewalls for security reasons.

Will be waiting for help guys. Thanks


Frank
2 REPLIES
Ron Kinner
Honored Contributor

Re: Can't FTP from WAN

The first thing that comes to mind when you say FTP and firewalls is passive mode. With FTP an incoming packet would be sent to port 21 to start and control the connection. Then the data circuit would be opened by the server opening a path from its port 20 back to the 1 + the originating port number of the remote IP address. This normal behaviour of FTP really annoys firewalls which like to filter on destination ports (and 1 + the originating port is a random port) so they have added the passive mode where the data connection is made in the same direction as the original connection. Then it is a simple matter of opening port 21 and 20. Not all FTP servers support passive mode.

If you look on your Windows box that you use as the remote client (the one trying to get to the HPs) in Internet Explorer under Tools/Internet Options/Advanced you will find an option to: Use Passive FTP for...

If it is checked, uncheck it and see if you can still FTP to the Windows box. If it doesn't work then your HP FTP servers are probably not supporting passive mode but your Windows box does. If not checked, check it and see if you can then connect to the HPs.

You might want to reconsider using SSH instead since FTP transmits everything including the passwords in the clear.

http://www.brandonhutchinson.com/Secure_alternatives_to_telnet_and_FTP.html

As far as telnet goes - did you open port 23 on the router?

Also there are several remote console programs like PCAnywhere (some of them are free or low cost shareware) which will allow you to control a Windows box remotely. Search on www.winsite.com and www.shareware.com and you will find a bunch of them. You would need to open the required port number on the router.

Ron
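
Added example, not part of Ron's reply or of the thread: a small Python parser for the two FTP control-channel lines that set up the data connection (the client's `PORT` command and the server's `227` passive reply, as defined in RFC 959), reporting which side dials and whether the advertised address is a LAN-only one. The function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# RFC 959 host-port form: h1,h2,h3,h4,p1,p2 (six decimal bytes).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# RFC 1918 ranges: not reachable from the WAN side of a NAT router.
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(line):
    """Return (host, port) from the h1,h2,h3,h4,p1,p2 field of a control line."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no host-port field in %r" % line)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % line)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]      # high byte first
    return host, port


def data_channel(line):
    """Describe the data connection a PORT command or 227 reply asks for."""
    verb = line.strip().split(None, 1)[0].upper()
    if verb == "PORT":                   # sent by the client: active mode
        mode, dialer = "active", "server"
    elif verb == "227":                  # sent by the server: passive mode
        mode, dialer = "passive", "client"
    else:
        raise ValueError("not a PORT command or 227 reply: %r" % line)
    host, port = parse_hostport(line)
    addr = ipaddress.ip_address(host)
    return {"mode": mode, "dialer": dialer, "host": host, "port": port,
            # True means the far side of the router cannot connect to this
            # address unless the router rewrites or forwards it.
            "rfc1918": any(addr in net for net in _RFC1918)}


if __name__ == "__main__":
    # Constructed sample control-channel lines.
    for sample in ("PORT 192,168,1,50,4,1",
                   "227 Entering Passive Mode (192,168,1,20,195,80)",
                   "227 Entering Passive Mode (203,0,113,7,195,81)"):
        print(sample, "->", data_channel(sample))
```

Run against a capture of the control connection, a `227` reply carrying an RFC 1918 address shows that the server is advertising its LAN address, so forwarding port 21 alone will not carry the data connection.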

John Collier
Esteemed Contributor

Re: Can't FTP from WAN

Frank,

What you are describing as a problem would typically be considered a good thing from a security point of view. I wouldn't want to be able to do what you are trying to do if I were in your place. If you can do it, so can most everybody else that wants to. Given that you are using a M$ machine as your first point of entry to your private network, it doesn't seem like much at all for someone to basically take over your entire network for their own reasons.

Here's an idea for you. Spend about $15 (USD) for an OLD, low end Pentium class machine and two NIC cards. It doesn't have to be fancy, just bootable (you could save yourself the money if you have enough spare parts around to throw one together yourself).

Then, direct your web browser on your currently working machine to http://www.smoothwall.org and find their download area. Pull down the ISO for their latest distribution. Find the instructions while you are there and read through them to make sure you get it all done correctly.

Once you are done with that, you will have a dedicated router, a firewall, a DHCP server, a proxy server, and a VPN endpoint for your network.

Stop using the insecure methods of trying to connect to your network from the outside world and use the VPN and the other tools that you will now have available thanks to your minimal efforts to secure your private computers.

You will thank yourself in the long run.

One other thing you might consider taking care of since you are now in the mood to fix things. The following information was just pulled from your ITRC user page:

ITRC member since: June 10, 2003
last contribution date: May 08, 2004
I have assigned points to 6 of 68 responses to my questions.

Experience has proven to me that you will get many more and much better answers from the Forum community in general if you take a few minutes to assign points to all of the people that volunteer their free time to try to assist you with your issues. It's just a good way to say "Thanks" since none of us get paid for doing this.

To make it easier for you to assign points to all of the ones you have missed so far, follow this link:
http://forums1.itrc.hp.com/service/forums/pageList.do?userId=CA980598&listType=unassigned&forumId=1

When that list is cleared, you will have thanked all of the people who have helped you in the past.

Be sure to let us know how this issue gets resolved. It will help the next person with a similar issue who finds your thread which is what these forums are all about.


Best of luck,
John
"I expect to pass through this world but once. Any good, therefore, that I can do, or any kindness that I can show to any human being, let me do it now. Let me not defer or neglect it, for I shall not pass this way again." Stephen Krebbet, 1793-1855