FTP Help
 
  #1  
May 19th, 2005, 02:49 AM
Barton
Client and server firewalled, passive mode not connecting

Ok here's the situation: a bunch of legal lossless audio files on an ftp server behind a firewall, requires passive ftp. My computer on a broadband connection at my new job behind a firewall, policy in place discouraging installation of unnecessary software.

Windows XP does not do passive FTP, IE Explorer will not connect to the ftp server in active or passive mode and after installing the windoze port of wget it looks like the firewall on my side is blocking the connection when the server tries to connect on a data port in the low 3000s.

FTP is working in active mode to other sites from my work computer, and to the FTP server in question from my home computer in passive mode (much simpler firewall administered by me, but over a 56k line).

This output from wget's debug mode is what led me to my educated guess of a diagnosis:

--19:56:50-- ftp://*username*:*password*@ftp.*server*.net:23/MMW%20SHN%20Download/mmw2001-04-20.shnf/*
(try: 2) => `ftp.*server*.net+23/MMW SHN Download/mmw2001-04-20.shnf/.listing'
Found ftp.*server*.net in host_name_addresses_map (003F67B0)
Connecting to ftp.*server*.net[205.***.***.***]:23... seconds 60.00, Winsock error: 0
connected.
Created socket 1896.
Releasing 003F67B0 (new refcount 1).
Logging in as *username* ... 220-Serv-U FTP Server v4.1 for WinSock ready...
220-Hey There. Welcome to the ftp server
220-Hope you enjoy your stay. You know the rules.
220-If you hammer, you are banned, if you tie up
220-a slot idling for hours, you are banned. I
220-think that is pretty simple.
220-
220-My email is f00b*r@yahoo.com if you need to
220 get in touch with me, feel free.

--> USER *username*

331 User name okay, need password.

--> PASS *password*

230 User logged in, proceed.
Logged in!
==> SYST ...
--> SYST

215 UNIX Type: L8
done. ==> PWD ...
--> PWD

257 "/d:/Server" is current directory.
done.
==> TYPE I ...
--> TYPE I

200 Type set to I.
done. changing working directory
Prepended initial PWD to relative path:
pwd: '/d:/Server'
old: 'MMW SHN Download/mmw2001-04-20.shnf'
new: '/d:/Server/MMW SHN Download/mmw2001-04-20.shnf'
==> CWD /d:/Server/MMW SHN Download/mmw2001-04-20.shnf ...
--> CWD /d:/Server/MMW SHN Download/mmw2001-04-20.shnf

250 Directory changed to /d:/Server/MMW SHN Download/mmw2001-04-20.shnf
done.
==> PASV ...
--> PASV

227 Entering Passive Mode (205,***,***,***,13,60)
seconds 60.00, Winsock error: 10060
Closing fd 1876
Closing fd 1896
couldn't connect to 205.***.***.***:3388: No such file or directory
Retrying.

Can someone tell me how to solve this problem? Any gurus out there who can isolate the problem from the debug info? Only the names have been changed to protect the innocent, <g>.


TIA,

Barton

#2
May 19th, 2005, 03:57 PM
LaughingBelly
Quote:
200 Type set to I.
done. changing working directory
Prepended initial PWD to relative path:
pwd: '/d:/Server'
old: 'MMW SHN Download/mmw2001-04-20.shnf'
new: '/d:/Server/MMW SHN Download/mmw2001-04-20.shnf'
==> CWD /d:/Server/MMW SHN Download/mmw2001-04-20.shnf ...
--> CWD /d:/Server/MMW SHN Download/mmw2001-04-20.shnf

250 Directory changed to /d:/Server/MMW SHN Download/mmw2001-04-20.shnf
done.
==> PASV ...
--> PASV

227 Entering Passive Mode (205,***,***,***,13,60)
seconds 60.00, Winsock error: 10060
Closing fd 1876
Closing fd 1896
couldn't connect to 205.***.***.***:3388: No such file or directory
This says that your computer could not connect to the server. Since you made the initial connection, it is unlikely that the firewall on your client end blocked it. The firewall on the ftp server side is most likely blocking any incoming connections other than on port 21.
Retrying.

In other words, the FTP server supports passive connections, but the firewall on the FTP server does not. You are stuck with getting active connections working on your home ftp server, or getting a firewall that can support passive connections. What ftp server are you using? On some ftp servers, you can specify the passive connection to be on a certain range of ports. You can then enable those ports on your firewall just like you did with port 21.

#3
May 20th, 2005, 01:09 AM
Barton
Quote:
Originally Posted by LaughingBelly
In other words, the FTP server supports passive connections, but the firewall on the FTP server does not...


Thanks for the reply, I appreciate it. Actually I did connect to the ftp server (which I hope I made clear is someone else's server) via passive mode from home. I just can't seem to connect from work, which is where I have the bandwidth.

I actually did some more testing at work and managed to log in to a different server in passive mode via Internet Explorer. With wget I can log in and change directories in passive mode but I cannot establish a data connection. With IE6 I enter the ftp server's address in the address bar with my username and pw prepended and it repeatedly pops up a dialog telling me it couldn't log in with the user : pw (the correct user : pw, btw) and asking for the correct info.

Beyond that I hope it was clear that at work I am on a local area network which connects through a firewalled gateway. I'm thinking that the hitch is the combination of passive ftp, firewall rules and/or address translation... Unfortunately I don't have an especially clear idea of the LAN architecture, nor are my networking skills especially well developed.

Any other tips?

Barton

#4
May 20th, 2005, 02:05 PM
LaughingBelly
Ah! Sorry for misunderstanding the post. I thought the server was on your home computer.

It does sound like your work firewall is blocking the outgoing passive connection. Does your workplace have a proxy? Try forcing ftp through the proxy. You can do this by manually assigning a proxy for the FTP protocol in Tools -> Options -> Connections -> LAN settings -> Advanced.

What did you use at home to make the passive connection?

Change directory does not use the passive/active data channel. It uses only the control channel with which you have no problems.

get and put and list use the passive/active data channel.

#5
May 20th, 2005, 11:31 PM
Barton
Quote:
Originally Posted by LaughingBelly
Ah! Sorry for misunderstanding the post. I thought the server was on your home computer.

It does sound like your work firewall is blocking the outgoing passive connection. Does your workplace have a proxy? Try forcing ftp through the proxy. You can do this by manually assigning a proxy for the FTP protocol in Tools -> Options -> Connections -> LAN settings -> Advanced.

What did you use at home to make the passive connection?

Change directory does not use the passive/active data channel. It uses only the control channel with which you have no problems.

get and put and list use the passive/active data channel.



Yeah it does proxy and I did take a stab at configuring wget to use an ftp proxy but the results weren't great so I went on testing some other aspects of the connection. Do your menu based instructions above refer to Internet Explorer settings?

When I tested from home I used wget with the --passive-ftp switch and it transferred data (at a whopping 4 kps) w/o a prob. At work I tested passive ftp on a different server - anonymous login on port 21 functioned on the other server.

So it seems like the specific case is passive ftp on the data channel to servers which require a password login and/or use a port other than 21.
I'll try changing IE's proxy setting to the IP addy our sysadmin gave me for the proxy and see if that changes anything. I'm beginning to suspect that the packets are being translated to the correct addresses but the firewall is blocking the ephemeral ports that the ftp server is telling my client to connect to... What do you all think?


Barton

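Added example, not part of any post in this thread: a Python sketch that decodes a 227 reply the way the log in post #1 shows it (the trailing `13,60` gives port 13*256+60 = 3388) and reports whether a wget debug-style session failed on the control channel or on the data channel. The function names are hypothetical, and the sample log, the host `ftp.example.net` and the address `203.0.113.10` are constructed for illustration.

```python
import re

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2); data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
WINSOCK_RE = re.compile(r"Winsock error: (\d+)")
VERDICTS = {
    10060: "control channel OK; data connection timed out (port filtered on the path)",
    10061: "control channel OK; data connection refused (nothing accepting on that port)",
}

def parse_pasv(line):
    """Return (host, port) from a 227 reply, or None for any other line."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in 227 reply: %r" % line)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def diagnose(log_text, control_ip):
    """Walk a wget debug-style FTP log and report where the session stalled."""
    r = {"logged_in": False, "data_endpoint": None, "data_error": None,
         "addr_mismatch": False, "verdict": "no data connection attempted"}
    for line in log_text.splitlines():
        if line.startswith("230 "):
            r["logged_in"] = True
        endpoint = parse_pasv(line)
        if endpoint:
            r["data_endpoint"] = endpoint
            # A server behind NAT can advertise an address the client cannot reach.
            r["addr_mismatch"] = endpoint[0] != control_ip
            r["verdict"] = "data endpoint offered; no error logged"
            continue
        m = WINSOCK_RE.search(line)
        # Only errors logged after the 227 reply belong to the data connection.
        if m and r["data_endpoint"] and int(m.group(1)) != 0:
            r["data_error"] = int(m.group(1))
            r["verdict"] = VERDICTS.get(r["data_error"], "data connection failed")
    return r

# Constructed sample modelled on the log in the thread (documentation address).
SAMPLE_LOG = """\
Connecting to ftp.example.net[203.0.113.10]:23... seconds 60.00, Winsock error: 0
230 User logged in, proceed.
--> PASV
227 Entering Passive Mode (203,0,113,10,13,60)
seconds 60.00, Winsock error: 10060
"""
```

Calling `diagnose(SAMPLE_LOG, "203.0.113.10")` returns the decoded data endpoint and the timeout verdict; a timeout only shows that packets to that port were dropped somewhere on the path, not which firewall dropped them.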