Network Configuration: Difference between revisions

From FileZilla Wiki
Jump to navigationJump to search
m (typo)
(Add troubleshooting section)
Line 74: Line 74:


== Setting up FileZilla Server ==
== Setting up FileZilla Server ==
== Troubleshooting ==
Unfortunately, many personal firewalls and consumer routers are flawed or in some cases, are even actively sabotaging FTP (e.g. [http://www.gbnetwork.co.uk/smcftpd/ SMC Barricade V1.2]).
First of all, you should keep everything up-to-date. This includes the firewall software as well as the firmware version in your router.
If that does not help, you might want to try to '''uninstall''' your firewall to see what happens. Simply disabling your firewall might not work, quite some firewalls cannot be fully disabled.
If possible, try to connect directly to the internet without a router.
If you are trying to setup a server and it works fine within your LAN but is not reachable from the outside, try changing the listening port. Some ISPs don't like its customers to host servers and block ports < 1024.

Revision as of 19:33, 19 April 2007

Setting up FTP is not easy. Since thousands of different firewalls and router models exist, it is impossible to give detailed step-by-step instructions suitable for every user. So in order to configure FileZilla as well as the routers/firewalls involved, it is important for the user to understand the basics of the FTP protocol. This documentation describes the history of the FTP protocol and how some aspects of the protocol work. Please read it carefully, it will save you a lot of trouble setting up FTP.

Background

This section will give a short overview about the historical and technical background of the FTP protocol. For detailed in-depth information, please have a look at the specifications.

Historical Background

In the fast living world of the Internet the FTP protocol is not just old, it's ancient. Early drafts of the FTP protocol range back as far as 1971, with the current specifications being from 1985. During the past two decades, the FTP protocol hasn't changed at all in its core. The protocol might even be older than You!

Back then, the Internet was mainly used by universities and research centers. The community was small, most users knew each other and all were collaborating together. The internet was a friendly place. Security was not a big issue. People either did not know about that topic or were ignorant to it.

Since then, a lot has changed. Technology advanced way faster than anyone imagined and a new generation of users was born and grew up. The Internet is now ubiquitous, with millions of users communicating with each other in many different ways. One more thing has changed: The internet is now a hostile place. The availability and openess of the internet also attracted malicious users who are actively exploiting design flaws, bugs and the inexperience of other users. A well known software company located in Redmond certainly played a part in this.

Some of the by-products of this development are the following:

  • NAT routers. Most of the internet uses the IPv4 protocol which has a very limited address range. Thanks to NAT routers, multiple systems can easily share the same external IP address.
  • Personal firewalls which are designed to protect the user from flaws in the operating system and the applications running on top of it.

These products tend to conflict with the FTP protocol more often than not. To make things worse, some of them even have flaws themselves, causing additional problems regarding FTP.

With proper configuration however, FTP still works as a mature, reliable way to transfer files.

Technical background

What distinguishes FTP from most other protocols is the use of secondary connections for file transfers. If you connect to an FTP server, you establish the so-called control connection, over which the FTP commands and their replies are transferred. In order to transfer a file or a directory listing, the client sends some command over the control connection to establish the data connection.

This data connection can be established in two difference ways, called active mode and passive mode.

In passive mode, which is the recommended mode, the client sends the PASV command to the server, and the server responds with an address. The client then issues a command to transfer a file or to get a directory listing and establishes a secondary connection to the address returned by the server.

In active mode, the client opens socket on the local machine, and tells its address the server using the PORT command. Once the client issues a command to transfer a file or listing, the server will connect to the address provided by the client.

In both cases, the actual file or listing is then transferred over the data connection.

In general, establishing outgoing connections requires less configuration on the routers/firewalls involved than establishing incoming connections. In passive mode, the connection is outgoing on the client side and incoming on the server side. In active mode however, the roles are reversed: The data connection is incoming on the client side and outgoing on the server side. Please note that this only makes a difference for connection establishment: Once the data connection got established it can be used for either up- or downloads.

A common network setup might look like this:

Client <---> Firewall A <---> NAT router A <------ The Internet ------> NAT router B <---> Firewall B <--> Server

So in passive mode, the router and firewall on the server side need to be configured to accept and forward incoming connections. On the client side however, only outgoing connections have to be allowed, which will already be the case most of the time.

Analogous in active mode, the router and firewall on the client side need to be configured to accept and forward incoming connections. Apparently on the server side, only outgoing connections have to be allowed.

Since usually one server provides a service for many users, it is far easier to just configure the router and firewall on the server side once for passive mode, than to configure the client's router/firewall for each individual client in active mode. That is why passive mode is recommended.

NAT routers

For most DSL users, the DSL modem also serves as a NAT router. In a NAT environment, all systems behind the NAT router form a Local Area Network (LAN) and each system in the LAN has a local IP address. The NAT router itself has a local IP address as well. In addition to that, the NAT router also has an external IP address under which it is known to the internet. The internal IP addresses are only valid inside the LAN, for a remote system they would make no sense.

Example:

                                     +---------------------------+
+---------------+                    |             |             |
|  Computer A   |                    |            NAT            |
| 192.168.0.100 x......              |           ROUTER          |
+---------------+     .              |             |             |            To the internet
                      ...............x 192.168.0.1 | 12.34.56.78 x...................>
+---------------+     .              |             |             |
|  Computer B   |     .              |             |             |
| 192.168.0.101 x......              +---------------------------+
+---------------+

Assume a server is behind a NAT router. Imagine what happens if a client requests passive mode but the server does not know the external IP address of the NAT router. So the server sends its internal address to the client. In that case two things could happen:

  • If the client is not behind a NAT, client would abort since address is invalid.
  • If client is behind a NAT, the address given by the server might be the same of a system in the client's own LAN.

Obviously, in both cases passive mode would be impossible.

So if a server is behind a NAT router, it needs to know the external IP address of the router in passive mode. In that case, the server sends the router's external address to the client. The client then establishes a connection to the NAT router, which in turn routes the connection to the server.

Setting up FileZilla Client

Setting up FileZilla Server

Troubleshooting

Unfortunately, many personal firewalls and consumer routers are flawed or in some cases, are even actively sabotaging FTP (e.g. SMC Barricade V1.2).

First of all, you should keep everything up-to-date. This includes the firewall software as well as the firmware version in your router.

If that does not help, you might want to try to uninstall your firewall to see what happens. Simply disabling your firewall might not work, quite some firewalls cannot be fully disabled.

If possible, try to connect directly to the internet without a router.

If you are trying to setup a server and it works fine within your LAN but is not reachable from the outside, try changing the listening port. Some ISPs don't like its customers to host servers and block ports < 1024.