There should be an option to do an active FTP file transfer

RESOLVED WONTFIX

Product: Core
Component: Networking: FTP
Severity: enhancement
Opened: 17 years ago
Last updated: 9 years ago
Reporter: P Wagland
Assignee: Unassigned
Version: Trunk
Target Milestone: Future
Bug Flags: blocking1.9 -

Description

17 years ago
Currently (Build ID: 2002040706) there is no way to do an active FTP transfer,
it is only possible to do a passive ftp transfer. There should be a way to
select always active, passive if possible or always passive.

The reason that this is required is that some "unusually" configured firewalls
only allow active FTP sessions, and not passive. Even worse, with this form of
firewall, passive FTP connections fail silently, thus not allowing the code to
fall back to active FTP (if it can).
Dupe of bug 465

*** This bug has been marked as a duplicate of 465 ***
Status: UNCONFIRMED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → DUPLICATE

Comment 2

16 years ago
REOPEN:

this bug is distinct from other duplicated PORT bugs, because it specifically
asks for a mode switch of some kind (similar to the FTP mode switch in Netscape
Proxy Server 3.5). This would need to be implemented after bug 465 is fixed.

reporter: if you know of any specific products that have this behavior, please
include them here.

Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
(Reporter)

Comment 3

16 years ago
Hi Benjamin,

Sadly, I don't know of any product that has this behaviour. It occurred on our
site since there was a linux firewall in the middle. It had the mod_ftp loaded,
and so could handle associated connections, but it refused all incoming
connections (except to a few specific ports).

So this was a broken firewall configuration, but by using a normal FTP program I
could access FTP, just not with Mozilla. Hence, I put in this bug report.

Cheers,
Paul

Comment 4

16 years ago
P: thanks! We appreciate these types of bug reports, they help make sure we
cover all the unusual situations.

Updated

16 years ago
Depends on: 465
OK, but this can't happen til bug 465 is fixed.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Target Milestone: --- → Future
I have no time to work on mozilla at the moment, so dougt is taking over FTP

open ftp bugs -> him
Assignee: bbaetz → dougt

Comment 7

16 years ago
I think I just saw this bug while trying to connect to a DLink di-704 firewall
router which is forwarding ports 80, 21 and 22 to a win2k server.

I can connect using http with mozilla (I get the main web page) but, when I try
to connect via ftp, I get a connection refused dialog box. When I try to connect
to ftp://anonymous@server, I get a password dialog and then a connection refused
dialog after typing anon passwd.
Connecting from the command line works fine, however.

Comment 8

16 years ago
... where 80 is http, 21 is ftp control port and 22 is the ftp data port in
active mode.
*** Bug 140253 has been marked as a duplicate of this bug. ***

Comment 10

15 years ago
*** Bug 225897 has been marked as a duplicate of this bug. ***

Updated

14 years ago
Blocks: 245908

Comment 11

13 years ago
Ok, I've never run into this before, but now I am at a site which won't allow
any form of passive ftp, but active ftp works fine. Too bad I have to switch to
IE (that already has this option) or some extension like FireFTP to get some files.
Flags: blocking1.9a1?

Comment 12

13 years ago
Okay, just keep in mind that port 20 is the data-port for active FTP, 22 is for
ssh! :)

Comment 13

13 years ago
Wow! Did I just add to a bugreport as old as 2002, which is *NOT* assigned yet?
Geez..

Severity: Enhancement? I think not, severe bug. When people switch to IE in
order to have a functionality which should exist already, this is major!

Anyhow..

Comment 14

13 years ago
As I reported in bug 465, I arrived here because last week our network admins shut off passive FTP to the outside world for 80,000+ nodes on our network. The firewall requires active mode FTP on port 20. Now Firefox is literally useless for FTP. Coincidentally, the State of California only makes certain files available by FTP, and consequently I can no longer use Firefox at work. Yay.

If it matters to anyone, they are using Cisco Firewall Services Module 7600.

Updated

12 years ago
Flags: blocking1.9a1? → blocking1.9-
Is there any progress on that bug?

I see that bug 465 is also stuck :-(

P.S. Well, even IE has the feature. As well as KDE's Konqueror. Even Safari does it in some weird way. Ff/Mozilla & Opera are the only two who can't active FTP.
One reason a network admin might disallow passive ftp is because you never know (at ruleset generation time) what port it's going to use, so in order to allow it you have to allow RELATED traffic (IP Tables terminology) through on pretty much any port.  Thus you are relying absolutely on the RELATED bit to never get set when it shouldn't, which from a defense-in-depth perspective is rather suboptimal.  (This is of course somewhat paranoid, but where network administrators are concerned a bit of paranoia is sort of an occupational hazard.)

With active ftp, not only is the connection marked as RELATED by the connection tracking module, but it's _also_ on a known standard port.  (Yes, on the other hand, it's an incoming connection, rather than an outgoing one.  Not all network admins feel exactly the same way about these issues, obviously.)

Arguing the other side, simple firewalls sometimes allow all outgoing traffic regardless but don't do any connection tracking, in which case passive ftp is easier to support.  If I had to guess I would say this is probably the more common case.

So on any given network one or the other may be permitted, or both, or neither, depending on the firewall and local policy.

For the client software (e.g., Firefox), I can think of no compelling security reason *not* to support both, at least optionally.  The arguments against letting one or the other through a firewall have mostly to do with the possibility that for some reason something *other* than the intended client software might end up handling the client side of the connection; if the firewall lets the traffic through anyway, the client software may as well take advantage of that.  

What it's safe to implement (or allow) on the server side is another matter, but let the server software devs (or server admins) sort that out for themselves.
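
The distinction drawn in the comment above, as an added example (not part of the bug thread and not Mozilla or netfilter code): a sketch of what a connection-tracking FTP helper can derive from the control channel in each mode, and when it should decline to mark a data connection as RELATED. The function names, the transcript and the addresses are constructed for illustration.

```python
import re

# RFC 959 host-port sextet h1,h2,h3,h4,p1,p2: sent by the client in PORT and
# by the server in the 227 reply to PASV.
HOSTPORT = re.compile(r"(?<!\d)" + r",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def parse_hostport(text):
    """Return (ip, port) from a host-port sextet, or None if absent/malformed."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def expectations(control_lines, client_ip, server_ip):
    """List the data connections a tracking firewall would expect.

    control_lines: (sender, line) pairs, sender "C" (client) or "S" (server).
    Returns tuples (mode, src_ip, src_port, dst_ip, dst_port, related); a
    helper should set RELATED only when `related` is True.
    """
    out, pasv_pending = [], False
    for sender, line in control_lines:
        verb = line.split(" ", 1)[0].upper()
        hp = parse_hostport(line)
        if sender == "C" and verb == "PORT" and hp:
            # Active: inbound to the client, from the server's data port 20.
            # Refuse if the advertised address is not the control-channel client.
            out.append(("active", server_ip, 20, hp[0], hp[1], hp[0] == client_ip))
        elif sender == "C" and verb == "PASV":
            pasv_pending = True
        elif sender == "S" and verb == "227" and pasv_pending and hp:
            # Passive: outbound from the client to a port the server just chose,
            # unknown when the ruleset was written.
            pasv_pending = False
            out.append(("passive", client_ip, None, hp[0], hp[1], hp[0] == server_ip))
    return out

# Constructed transcript; addresses are RFC 5737 documentation ranges.
SAMPLE = [
    ("C", "PORT 192,0,2,10,4,1"),
    ("S", "200 PORT command successful"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,7,195,80)"),
    ("C", "PORT 203,0,113,5,0,22"),   # address is not the client's
]
```

Calling `expectations(SAMPLE, "192.0.2.10", "198.51.100.7")` yields one active and one passive expectation that match the control-channel peers, plus a third that is flagged because the PORT address is not the client's.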

Comment 17

11 years ago
mass reassigning to nobody.
Assignee: dougt → nobody

Updated

9 years ago
Status: NEW → RESOLVED
Last Resolved: 17 years ago → 9 years ago
Resolution: --- → WONTFIX