
So I've got an interesting issue at the moment. I'm attempting to use curl (7.15.5 on CentOS) to retrieve a file from a remote FTP server. Our client changed something last weekend, because it worked on Friday and doesn't now.

I can FTP in using the CLI client, and get a directory listing just fine, although I have to issue "passive" to turn passive mode off. If I don't, I get

421 Service not available, remote server has closed connection
Passive mode refused.  Turning off passive mode.
No control connection for command: Transport endpoint is not connected
ftp> 

Alright. Obviously, passive mode needs to be disabled. I've read the man page a few times and I understand that I need to use -P to specify "active" mode, however from the documentation it seems like this will open a port on the client (my) machine for the data to stream to. Since it's behind a firewall, this won't work.

This tells me that I misunderstand something, because the CLI client works in active mode.

Help me serverfault-kenobi, you're my only hope.

Matt Simmons

3 Answers


This link explains Active vs Passive very well.

Kyle Brandt

I got it!

The key is to use -P, but you've got to use the "obvious" choice, since you can't open another port and have it connect in.

To quote the documentation:

- make curl pick the same IP address that is already used for the control connection

So the curl command

curl -u username:password -P - -o output.file ftp://whatever/source.file

The -P - was the important part. Essentially it makes curl use the only available connection (the command connection) for transferring data.

Hurray!

Matt Simmons
  • Without a sniffer to validate the data, I can't be sure, but I think that the "-P" option is only turning passive mode off, just like you said you did in your client. Active mode doesn't use the command connection for transferring data, rather it tells the server to initiate the data connection. The second "-" in "-P -" tells the curl client which IP address to send to the server so the server can initiate the connection. Word of warning - when the client firewall policy changes in the future, you may need to start using PASSIVE mode again. – pcapademic Jun 02 '09 at 21:11

For me - to make it work - I also had to add --disable-eprt as well:

curl --disable-eprt -u username:password -P - ftp://whatever/source.file

Nik
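
An added example, not part of any answer above and not curl's own code: it decodes the PORT and EPRT commands an active-mode client sends, so a `curl -v` trace can be read for the address and port the server is told to connect back to. The trace, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of control-channel lines as `curl -v` prints them
# (not captured from a real session).
SAMPLE_TRACE = """\
> USER username
> EPRT |1|192.168.10.25|51213|
< 500 'EPRT': command not understood
> PORT 192,168,10,25,200,13
< 200 PORT command successful
> RETR source.file
"""

PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
EPRT_RE = re.compile(r"EPRT (.)(\d)\1([^ ]+?)\1(\d+)\1\s*$")

def parse_active_command(line):
    """Return (verb, ip, port) for a PORT or EPRT command line, else None."""
    m = PORT_RE.search(line)
    if m:
        nums = [int(x) for x in m.groups()]
        if max(nums) > 255:
            raise ValueError("field out of range: " + line)
        ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
        return "PORT", ip, nums[4] * 256 + nums[5]  # RFC 959: p1*256 + p2
    m = EPRT_RE.search(line)
    if m:
        # RFC 2428: EPRT <d>proto<d>address<d>port<d>, <d> is usually "|"
        port = int(m.group(4))
        if not 0 < port < 65536:
            raise ValueError("port out of range: " + line)
        return "EPRT", ipaddress.ip_address(m.group(3)), port
    return None

def audit(trace, control_ip):
    """List every data endpoint the client advertised to the server."""
    control = ipaddress.ip_address(control_ip)
    findings = []
    for line in trace.splitlines():
        parsed = parse_active_command(line)
        if parsed is None:
            continue
        verb, ip, port = parsed
        findings.append({
            "verb": verb, "ip": str(ip), "port": port,
            "matches_control": ip == control,  # what "-P -" is documented to pick
            "private": ip.is_private,  # server can connect back only if NAT rewrites it
        })
    return findings
```

The server opens the data connection to the decoded address and port, so that is the inbound flow the client-side firewall has to allow for active mode to work.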