Closed
Bug 136351
Opened 23 years ago
Closed 15 years ago
There should be an option to do an active FTP file transfer
Categories
(Core :: Networking: FTP, enhancement)
Tracking
RESOLVED
WONTFIX
Future
People
(Reporter: mozilla, Unassigned)
Currently (Build ID: 2002040706) there is no way to do an active FTP transfer,
it is only possible to do a passive ftp transfer. There should be a way to
select always active, passive if possible or always passive.
The reason that this is required is that some "unusually" configured firewalls
only allow active FTP sessions, and not passive. Even worse, with this form of
firewall, passive FTP connections fail silently, thus not allowing the code to
fall back to active FTP (if it can).
Comment 1•23 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
REOPEN:
this bug is distinct from other duplicated PORT bugs, because it specifically
asks for a mode switch of some kind (similar to the FTP mode switch in Netscape
Proxy Server 3.5). This would need to be implemented after bug 465 is fixed.
reporter: if you know of any specific products that have this behavior, please
include them here.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Hi Benjamin,
Sadly, I don't know of any product that has this behaviour. It occurred on our
site since there was a linux firewall in the middle. It had the mod_ftp loaded,
and so could handle associated connections, but it refused all incoming
connections (except to a few specific ports).
So this was a broken firewall configuration, but by using a normal FTP program I
could access FTP, just not with Mozilla. Hence, I put in this bug report.
Cheers,
Paul
P: thanks! We appreciate these types of bug reports, they help make sure we
cover all the unusual situations.
Comment 5•22 years ago
OK, but this can't happen til bug 465 is fixed.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Target Milestone: --- → Future
Comment 6•22 years ago
I have no time to work on mozilla at the moment, so dougt is taking over FTP
open ftp bugs -> him
Assignee: bbaetz → dougt
I think I just saw this bug while trying to connect to a DLink di-704 firewall
router which is forwarding ports 80, 21 and 22 to a win2k server.
I can connect using http with mozilla (I get the main web page) but, when I try
to connect via ftp, I get a connection refused dialog box. When I try to connect
to ftp://anonymous@server, I get a password dialog and then a connection refused
dialog after typing anon passwd.
Connecting from the command line works fine, however.
... where 80 is http, 21 is ftp control port and 22 is the ftp data port in
active mode.
Comment 9•22 years ago
*** Bug 140253 has been marked as a duplicate of this bug. ***
Comment 10•21 years ago
*** Bug 225897 has been marked as a duplicate of this bug. ***
Comment 11•19 years ago
Ok, I've never run into this before, but now I am at a site which won't allow
any form of passive ftp, but active ftp works fine. Too bad I have to switch to
IE (that already has this option) or some extension like FireFTP to get some files.
Flags: blocking1.9a1?
Comment 12•19 years ago
Okay, just keep in mind that port 20 is the data-port for active FTP, 22 is for
ssh! :)
Comment 13•19 years ago
Wow! Did I just add to a bug report as old as 2002, which is *NOT* assigned yet?
Geez..
Severity : Enhancement? I think not, severe bug. When people switch to IE in
order to have a functionality which should exist already, this is major!
Anyhow..
Comment 14•19 years ago
As I reported in bug 465, I arrived here because last week our network admins shut off passive FTP to the outside world for 80,000+ nodes on our network. The firewall requires active mode FTP on port 20. Now Firefox is literally useless for FTP. Coincidentally, the State of California only makes certain files available by FTP, and consequently I can no longer use Firefox at work. Yay.
If it matters to anyone, they are using Cisco Firewall Services Module 7600.
Updated•18 years ago
Flags: blocking1.9a1? → blocking1.9-
Comment 15•18 years ago
Is there any progress on that bug?
I see that bug 465 is also stuck :-(
P.S. Well, even IE has the feature. As well as KDE's Konqueror. Even Safari does it in some weird way. Ff/Mozilla & Opera are the only two who can't active FTP.
Comment 16•17 years ago
One reason a network admin might disallow passive ftp is because you never know (at ruleset generation time) what port it's going to use, so in order to allow it you have to allow RELATED traffic (IP Tables terminology) through on pretty much any port. Thus you are relying absolutely on the RELATED bit to never get set when it shouldn't, which from a defense-in-depth perspective is rather suboptimal. (This is of course somewhat paranoid, but where network administrators are concerned a bit of paranoia is sort of an occupational hazard.)
With active ftp, not only is the connection marked as RELATED by the connection tracking module, but it's _also_ on a known standard port. (Yes, on the other hand, it's an incoming connection, rather than an outgoing one. Not all network admins feel exactly the same way about these issues, obviously.)
Arguing the other side, simple firewalls sometimes allow all outgoing traffic regardless but don't do any connection tracking, in which case passive ftp is easier to support. If I had to guess I would say this is probably the more common case.
So on any given network one or the other may be permitted, or both, or neither, depending on the firewall and local policy.
For the client software (e.g., Firefox), I can think of no compelling security reason *not* to support both, at least optionally. The arguments against letting one or the other through a firewall have mostly to do with the possibility that for some reason something *other* than the intended client software might end up handling the client side of the connection; if the firewall lets the traffic through anyway, the client software may as well take advantage of that.
What it's safe to implement (or allow) on the server side is another matter, but let the server software devs (or server admins) sort that out for themselves.
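Added example, not part of the bug thread or of any Mozilla code: a simplified Python model of the connection-tracking decision that comment 16 describes, showing what the control channel announces in each mode and which connection attempt a tracker would then treat as RELATED. The function names, the address-match policy and the sample addresses are assumptions made for illustration.

```python
import re
from typing import NamedTuple, Optional

FTP_DATA_PORT = 20  # standard source port for active-mode data connections

class Expectation(NamedTuple):
    mode: str        # "active" or "passive"
    src_ip: str      # host expected to open the data connection
    dst_ip: str      # host expected to accept it
    dst_port: int    # port announced on the control channel

# h1,h2,h3,h4,p1,p2 as carried by PORT commands and 227 replies
_HP = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def expect_data_channel(line: str, client_ip: str, server_ip: str) -> Optional[Expectation]:
    """Derive the expected data connection from one control-channel line."""
    line = line.strip()
    if line.upper().startswith("PORT "):      # client -> server: active mode
        mode, src, dst = "active", server_ip, client_ip
    elif line.startswith("227 "):             # server -> client: passive reply
        mode, src, dst = "passive", client_ip, server_ip
    else:
        return None
    m = _HP.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        return None
    announced_ip = ".".join(str(n) for n in nums[:4])
    # Model policy (assumption): the announced address must belong to the
    # control-channel peer that sent the line, so a line cannot open a hole
    # toward a third host.
    if announced_ip != dst:
        return None
    return Expectation(mode, src, dst, nums[4] * 256 + nums[5])

def is_related(exp: Expectation, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bool:
    """True if an observed connection attempt matches the expectation."""
    if (src_ip, dst_ip, dst_port) != (exp.src_ip, exp.dst_ip, exp.dst_port):
        return False
    # Active mode additionally pins the source to the well-known data port;
    # passive mode has no fixed port on either side.
    return exp.mode != "active" or src_port == FTP_DATA_PORT

# Constructed sample traffic (documentation address ranges, not from the bug).
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
ACTIVE = expect_data_channel("PORT 192,0,2,10,195,80", CLIENT, SERVER)
PASSIVE = expect_data_channel("227 Entering Passive Mode (198,51,100,5,234,96)", CLIENT, SERVER)
```

In this model the passive expectation is keyed only on an announced high port, while the active one is also tied to source port 20, which is the asymmetry the comment points to.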
Updated•15 years ago
Status: NEW → RESOLVED
Closed: 23 years ago → 15 years ago
Resolution: --- → WONTFIX