Currently (Build ID: 2002040706) there is no way to do an active FTP transfer, it is only possible to do a passive ftp transfer. There should be a way to select always active, passive if possible or always passive. The reason that this is required is that some "unusually" configured firewalls only allow active FTP sessions, and not passive. Even worse, with this form of firewall, passive FTP connections fail silently, thus not allowing the code to fall back to active FTP (if it can).
Status: UNCONFIRMED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → DUPLICATE
REOPEN: this bug is distinct from other duplicated PORT bugs, because it specifically asks for a mode switch of some kind (similar to the FTP mode switch in Netscape Proxy Server 3.5). This would need to be implemented after bug 465 is fixed. reporter: if you know of any specific products that have this behavior, please include them here.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Hi Benjamin, Sadly, I don't know of any product that has this behaviour. It occurred on our site since there was a linux firewall in the middle. It had the mod_ftp loaded, and so could handle associated connections, but it refused all incoming connections (except to a few specific ports). So this was a broken firewall configuration, but by using a normal FTP program I could access FTP, just not with Mozilla. Hence, I put in this bug report. Cheers, Paul
P: thanks! We appreciate these types of bug reports, they help make sure we cover all the unusual situations.
OK, but this can't happen til bug 465 is fixed.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Target Milestone: --- → Future
I have no time to work on mozilla at the moment, so dougt is taking over FTP. open ftp bugs -> him
Assignee: bbaetz → dougt
I think I just saw this bug while trying to connect to a DLink di-704 firewall router which is forwarding ports 80, 21 and 22 to a win2k server. I can connect using http with mozilla (I get the main web page) but, when I try to connect via ftp, I get a connection refused dialog box. When I try to connect to ftp://anonymous@server, I get a password dialog and then a connection refused dialog after typing anon passwd. Connecting from the command line works fine, however.
... where 80 is http, 21 is ftp control port and 22 is the ftp data port in active mode.
*** Bug 140253 has been marked as a duplicate of this bug. ***
*** Bug 225897 has been marked as a duplicate of this bug. ***
Ok, I've never run into this before, but now I am at a site which won't allow any form of passive ftp, but active ftp works fine. Too bad I have to switch to IE (that already has this option) or some extension like FireFTP to get some files.
Okay, just keep in mind that port 20 is the data-port for active FTP, 22 is for ssh! :)
Wow! Did I just add to a bugreport as old as 2002, which is *NOT* assigned yet? Geez.. Severity : Enhancement? I think not, severe bug. When people switch to IE in order to have a functionality which should exist already, this is major! Anyhow..
As I reported in bug 465, I arrived here because last week our network admins shut off passive FTP to the outside world for 80,000+ nodes on our network. The firewall requires active mode FTP on port 20. Now Firefox is literally useless for FTP. Coincidentally, the State of California only makes certain files available by FTP, and consequently I can no longer use Firefox at work. Yay. If it matters to anyone, they are using Cisco Firewall Services Module 7600.
Is there any progress on that bug? I see that bug 465 is also stuck :-( P.S. Well, even IE has the feature. As well as KDE's Konqueror. Even Safari does it in some weird way. Ff/Mozilla & Opera are the only two who can't active FTP.
One reason a network admin might disallow passive ftp is because you never know (at ruleset generation time) what port it's going to use, so in order to allow it you have to allow RELATED traffic (IP Tables terminology) through on pretty much any port. Thus you are relying absolutely on the RELATED bit to never get set when it shouldn't, which from a defense-in-depth perspective is rather suboptimal. (This is of course somewhat paranoid, but where network administrators are concerned a bit of paranoia is sort of an occupational hazard.) With active ftp, not only is the connection marked as RELATED by the connection tracking module, but it's _also_ on a known standard port. (Yes, on the other hand, it's an incoming connection, rather than an outgoing one. Not all network admins feel exactly the same way about these issues, obviously.) Arguing the other side, simple firewalls sometimes allow all outgoing traffic regardless but don't do any connection tracking, in which case passive ftp is easier to support. If I had to guess I would say this is probably the more common case. So on any given network one or the other may be permitted, or both, or neither, depending on the firewall and local policy. For the client software (e.g., Firefox), I can think of no compelling security reason *not* to support both, at least optionally. The arguments against letting one or the other through a firewall have mostly to do with the possibility that for some reason something *other* than the intended client software might end up handling the client side of the connection; if the firewall lets the traffic through anyway, the client software may as well take advantage of that. What it's safe to implement (or allow) on the server side is another matter, but let the server software devs (or server admins) sort that out for themselves.
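An added illustration of the firewall reasoning in the comment above (not part of the bug thread, and not Mozilla or netfilter code): a small parser for the two control-channel lines that announce an FTP data connection, showing which end opens it in each mode and which port number, if any, is known before the session starts. The function names, the `addr_ok` consistency check and the sample addresses are assumptions made for this example.

```python
import re

# Six comma-separated octets: h1,h2,h3,h4,p1,p2 (RFC 959 host-port syntax).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

FTP_DATA_PORT = 20  # default server-side data port for active mode


def parse_hostport(text):
    """Extract (ip, port) from a PORT argument or a 227 reply, or None."""
    m = _HOSTPORT.search(text)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def expected_data_flow(sender, line, client_ip, server_ip):
    """Describe the data connection announced by one control-channel line.

    Returns None for lines that announce nothing. 'fixed_port' is the only
    port number known when the ruleset is written (None if there is none).
    """
    verb = line.split(" ", 1)[0].upper()
    if sender == "client" and verb == "PORT":
        mode, initiator, peer, fixed = "active", "server", client_ip, FTP_DATA_PORT
    elif sender == "server" and verb == "227":
        mode, initiator, peer, fixed = "passive", "client", server_ip, None
    else:
        return None
    target = parse_hostport(line)
    if target is None:
        return None
    return {
        "mode": mode,
        "initiator": initiator,        # who opens the data connection
        "dst": target,                 # negotiated at run time in both modes
        "fixed_port": fixed,           # server source port 20, active only
        "addr_ok": target[0] == peer,  # announced address must be the sender's own
    }


# Constructed sample lines; addresses are from documentation ranges.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
ACTIVE = expected_data_flow("client", "PORT 192,0,2,10,195,80", CLIENT, SERVER)
PASSIVE = expected_data_flow("server", "227 Entering Passive Mode (198,51,100,5,234,96)", CLIENT, SERVER)
MISMATCH = expected_data_flow("client", "PORT 203,0,113,7,195,80", CLIENT, SERVER)
```
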
mass reassigning to nobody.
Assignee: dougt → nobody
Status: NEW → RESOLVED
Last Resolved: 17 years ago → 9 years ago
Resolution: --- → WONTFIX