Passive FTP and the Leopard firewall

Hi,
We have a staff upload server that uses the built-in Leopard firewall. It is fed by two proprietary applications, one of which uses passive ftp only. We are getting a small number of incidents where the passive upload is unsuccessful. Initial contact is made (visible in the logs and as a connection in the server admin gui) but the upload doesn't proceed. A user might try uploading several times without success. On other occasions, the same user from the same computer has no problems at all.
We have the ftp service enabled on port 20-21 and the FTP service PASV port range enabled 49152-65535.
If I add the uploading computers' ip number to an access group with no port restrictions on the firewall, the uploads are always successful.
With my very limited knowledge of ftp and firewalls, this suggests that the negotiated port for the data transfer is outside the default port range used by Apple. Is this likely? Are there any implications in changing the range?
Or am I totally confused and should I be looking elsewhere?
Thanks,
Ross Glover

By default, the FTP server doesn't restrict itself to any particular passive port range. To make it match what the firewall claims it should be, edit the file /Library/FTPServer/Configuration/ftpaccess and add the line:
passive ports 0.0.0.0/0 49152 65535
...then restart the FTP service and retest.
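The reply above says the server does not constrain its passive range until the ftpaccess directive is added, and the original question is really about whether the negotiated data port lands inside the range the firewall allows. The following added example (not code from this thread or from Apple's FTP server) checks exactly that: it reads the passive ports directive out of a constructed ftpaccess snippet, parses the 227 (PASV) and 229 (EPSV) replies a server sends in the shapes defined by RFC 959 and RFC 2428 (the same shapes that appear in the transcripts quoted further down this page), computes the data port, and reports whether each port falls inside the configured range. The sample ftpaccess text and the sample replies are constructed for the example; the directive syntax is the one quoted in the reply.

```python
import re

# Constructed ftpaccess snippet using the directive syntax from the reply above.
FTPACCESS_SAMPLE = """\
# other ftpaccess directives omitted (constructed sample)
passive ports 0.0.0.0/0 49152 65535
"""

# Constructed server replies: one PASV (227) reply in the shape seen in FTP
# transcripts, one EPSV (229) reply, and one PASV reply with a low port.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (209,130,203,108,199,99)",
    "229 Entering Extended Passive Mode (|||32999|)",
    "227 Entering Passive Mode (10,0,0,5,12,34)",
]

# 'passive ports <cidr> <min> <max>' as written in ftpaccess
PASSIVE_PORTS_RE = re.compile(
    r"^\s*passive\s+ports\s+(\S+)\s+(\d+)\s+(\d+)\s*$", re.MULTILINE)
# RFC 959: 227 ... (h1,h2,h3,h4,p1,p2)  -> port = p1*256 + p2
REPLY_227_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428: 229 ... (|||port|)  -> address is that of the control connection
REPLY_229_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_ports(ftpaccess_text):
    """Return [(cidr, low, high), ...] for every passive ports directive."""
    return [(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in PASSIVE_PORTS_RE.finditer(ftpaccess_text)]


def parse_passive_reply(reply):
    """Return (address, port) for a 227 or 229 reply, or None for any other line.

    For 229 the address is None: EPSV only carries the port number.
    """
    m = REPLY_227_RE.match(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = REPLY_229_RE.match(reply)
    if m:
        return None, int(m.group(1))
    return None


def port_allowed(port, ranges):
    """True if port lies inside at least one configured passive range."""
    return any(low <= port <= high for _cidr, low, high in ranges)


def audit(ftpaccess_text, replies):
    """Return [(reply, port, verdict)] where verdict is True (inside the
    configured range), False (outside it), or None (no passive ports
    directive at all, so the server may hand out any ephemeral port)."""
    ranges = parse_passive_ports(ftpaccess_text)
    results = []
    for reply in replies:
        parsed = parse_passive_reply(reply)
        if parsed is None:
            continue  # not a passive-mode reply; nothing to check
        _addr, port = parsed
        verdict = port_allowed(port, ranges) if ranges else None
        results.append((reply, port, verdict))
    return results


if __name__ == "__main__":
    labels = {True: "OK", False: "OUTSIDE RANGE", None: "UNCONSTRAINED"}
    for reply, port, verdict in audit(FTPACCESS_SAMPLE, SAMPLE_REPLIES):
        print(f"{labels[verdict]:14} port {port:5d}  {reply}")
```

Run it against a real ftpaccess file and a capture of the control channel (the 227/229 lines from a client's verbose output or the server log) to see whether the data ports the server hands out are ones the firewall rule actually opens. An "UNCONSTRAINED" verdict corresponds to the default state described in the reply: the server picks any ephemeral port, and uploads fail only when that port happens to fall outside the firewall's range, which matches the intermittent symptom in the original post.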

Similar Messages

  • FTP and the virus that is connecting outside the network

    I have a problem that has been talked about on this forum, but without a resolution I have found yet. All the posts are unanswered, which tells me that either the person figured out the problem, or it was never resolved and they went on to another solution.
    I have no problem connecting on our 10.x.x.x network, however, on the outside, many problems. The server is on the DMZ, installed in a very large network of switches and doodads. However, this server does have a direct connection to the outside world via the DMZ. It is running OSX server 10.4.7 and it has no connectivity issues with port 80 outside whatsoever. On FTP, big problems outside the network however. I have gone through the firewall and enabled every possible thing on the any and 192(?) services, at least as it might relate to FTP. That includes, ftp, secure ftp, UDP/TCP in out.. All that jazz.
    On the client side I have used Fetch 5, Transmit (latest version), and of course Terminal. All with similar effects. I can login, it gives me the welcome dialogs, when I connect, and when I finally login. The server seems very responsive. As soon as I initiate 'ls', it locks up. In Transmit it comes back that the connection timed out and died. In Fetch it tells me that there is a firewall problem. As soon as I disable passive mode on the client side it just hangs. When I use Terminal I get this:
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> list
    ?Invalid command.
    ftp> ls
    502 'EPSV': command not understood.
    227 Entering Passive Mode (209,130,203,108,199,99)
    200 PORT command successful.
    Then it just hangs until it says:
    421 Service not available, remote server timed out. Connection closed
    I'm open to any suggestions. What could it be that's causing such a problem? I can't imagine it's firewall related, but maybe I forgot to free some port.
    By the way, none of the other servers have any problems with FTP access. This includes 1 Xserve, and 10 Mac minis that are functioning as minor servers (quite well I might add, in a controlled room the temps are nice and cool and they are very reliable).
    This server is also on a G4 mac mini. It is backed up once a week and scheduled to reboot every week. Don't ask me why, but it seems slower if you don't do that once a week, maybe a scripts thing. Dunno.
    I know this has been a LONG post, but I appreciate anyone that has read this far, and hope you have a suggestion.
    Thanks

    Nothing? I was kinda hoping for some sort of lead at least.

  • Display problems after installing 10.5.2 and the leopard graphics update

    Shortly after installing the leopard graphics update, my display started exhibiting problems.
    The next day, the powerbook wouldn't even boot, just leaving me at a blue screen.
    I tried verifying permissions and verifying disk, reinstalling leopard and eventually did a fresh install of Tiger, which boots, but crashes frequently and has graphics corruption as visible in this screenshot:
    http://pics.livejournal.com/dorukai/pic/000fw0hw
    The same corruption is visible on a second monitor if I connect one.
    The timing (being right after installing the graphics update) suggests that the update somehow caused this problem (flashing the video card firmware maybe?) but any ideas at all are very welcome at this point!
    Unfortunately after installing Tiger I kept getting updates, and one has broken the ability to boot normally, I can only boot in safe mode

    I have the same problem. It happened right after I installed the graphics update. When the computer restarted, my screen went crazy. I couldn't see anything, just a screen full of horizontal lines. After restarting a couple of times it seemed to go away, but it has begun to happen again recently, although not as bad yet. I am not saying it's not a logic board issue, but it does seem funny that more than one person is experiencing the same type of problem after the graphics update. I guess it's time to take a trip to the Apple store.

  • Opening up the Leopard firewall seems to have done the trick.. go figure.

    I've been a successful iChat video user for a long time. Yeah, I set the bandwidth limit to 500Kbps to 1Mbps (depending on my iChat partner broadband bandwidth), set the server port to 443, set QT streaming to 1.5, etc.. But then why did iChat video stop working? I took DefCom1's advice and set the System Preferences/Security/Firewall and allowed iChat as an "allowed incoming connection".
    Well, it works again. Hmmm.

    Hi John,
    Thanks for your suggestions. Just so you know, I'm not a "console & terminal" guy. I'm willing to try any of your suggestions, but you're going to have to walk me thru...
    Opened console and there seems to be a constant stream of "cupsd" errors. Every 10sec actually.
    Here's the system log entry:
    "Dec 28 09:10:46 MacPro com.apple.launchd[1] (org.cups.cupsd[86732]): Job appears to have crashed: Segmentation fault
    Dec 28 09:10:46 MacPro com.apple.launchd[1] (org.cups.cupsd): Throttling respawn: Will start in 10 seconds
    Dec 28 09:10:46 MacPro com.apple.ReportCrash.Root[86731]: 2010-12-28 09:10:46.278 ReportCrash[86731:2f03] Saved crash report for cupsd[86732] version ??? (???) to /Library/Logs/DiagnosticReports/cupsd2010-12-28-091046localhost.crash"
    If you'd like to see the entire Diagnostic report, let me know.
    What would you suggest now?

  • Quicktime streaming and the Leopard Guest Account

    If I set the account to be managed it doesn't work. I cannot access QuickTime streams using Leopard's built in Guest account. If I set the streaming transport to http I get "403 forbidden", if I set it to udp I get "-3285 Disconnected". Anyone know how to fix this? I do not have the "Website Restrictions" turned on for this account. That is to say, I have the controls enabled to block specific applications, but I set it to "Allow unrestricted access to websites"
    (on this point, you can't NOT have the parentalcontrols proxy running for some, infuriating, reason. If you want to manage which apps a given account has access to, the parentalcontrols proxy is enabled, and cannot be bypassed, even if you select not to filter web content)

    I believe I have partially fixed the issue.
    Disabling Parental Controls in the Guest account when logged into the Guest account does nothing, despite the prompt for an admin username and password. One must log into an admin account directly to turn them off via the Accounts control panel.
    Turning Parental Controls off allows us to once again view streaming movies via the Quicktime plug-in in a webpage. Hooray!
    However, Parental Controls remains a problem, so it behooves Apple to figure out why it is interfering with basic functionality like this. Another issue turning off Parental Controls solved is an issue with Adobe's Flash plug-in in the Panorama web site, a language learning textbook. With Parental Controls on, the voice recording functionality via Flash is broken, too.

  • Apple TV and the 10.5.1 firewall

    After updating to 10.5.1 I received an error message in iTunes when trying to update my Apple TV. The error message said my firewall software needed to allow communication over port ####. Turning the built in firewall off fixes the error message and allows the Apple TV to sync.
    What "application" allows the Apple TV to talk to iTunes? I tried allowing iTunes but that doesn't work. If it were Tiger I'd configure the firewall to allow communication over the port the error message in iTunes told me to. But I don't see a way to do so in Leopard.
    So for now the Leopard firewall is useless since I have to turn it off.

    Barefootman wrote:
    Mate, my iTunes was not set to share, so, I enabled it. However, it made no difference. Firewall needs to be turned off for syncing to happen. Bugger!
    I stumbled on this unfortunate circumstance this morning. My Apple TV was working as usual last night prior to the 10.5.1 upgrade (the local Firewall was switched on and set to block external connections); tried to watch an item this morning and although the library seemed visible in the listing of sources; selecting it had no effect despite the fact the Apple TV seemed to have a good go at trying to connect.
    Whilst this is happening the Apple TV does not show up in iTunes.
    I tried rebooting the Apple TV, closed and restarted iTunes, checked the iTunes settings before finally turning off the Leopard Firewall. The entry in the Firewall log is:
    Nov 16 10:10:02 -imac Firewall[40]: Deny iTunes connecting from 192.168.1.64:49163 uid = 0 proto=6
    I have no need of the local Firewall in the home setting as I am behind an edge Firewall, it would be a good idea for this to work a little better though!

  • IPhoto 08 and Leopard Firewall not compatible

    Since I turned on the Leopard Firewall in the mode where it automatically adds applications that need access, iPhoto has been asking for permission to accept incoming Internet connections.
    Every time it does this I say 'Allow' and enter the Admin password, but it does not seem to take as this comes up every time I start iPhoto.
    iPhoto is listed in the Firewall with 'Allow incoming connections', but it still asks every time.
    Clearly a bug that needs sorting out.

    Ian:
    I've set my firewall to the 3rd option, "Set access for specific services and application". iPhoto is not listed in the list, only some applications that I want to block incoming connections for. No problems with that setup.
    Happy Holidays
    TIP: For insurance against the iPhoto database corruption that many users have experienced I recommend making a backup copy of the Library6.iPhoto database file and keep it current. If problems crop up where iPhoto suddenly can't see any photos or thinks there are no photos in the library, replacing the working Library6.iPhoto file with the backup will often get the library back. By keeping it current I mean backup after each import and/or any serious editing or work on books, slideshows, calendars, cards, etc. That ensures that if a problem pops up and you do need to replace the database file, you'll retain all those efforts. It doesn't take long to make the backup and it's good insurance.
    I've created an Automator workflow application (requires Tiger), iPhoto dB File Backup, that will copy the selected Library6.iPhoto file from your iPhoto Library folder to the Pictures folder, replacing any previous version of it. It's compatible with iPhoto 08 libraries and Leopard. iPhoto does not have to be closed to run the application, just idle. You can download it at Toad's Cellar. Be sure to read the Read Me pdf file.

  • Active and Passive FTP

    Hi
    I want to set up a Passive FTP and an Active proxy service in Oracle Service Bus 10.3. What is the best way of doing this?
    Regards

    see support note 860423.1
    Oracle Service Bus FTP transport is implemented to use passive mode in proxy services (inbound) and active mode in business services (outbound).
    This behavior can be changed and OSB can be forced to use passive mode for both inbound and outbound FTP requests by applying a patch.

  • WEIRD TCP requests in Leopard Firewall Log

    I decided to double check my security today and enabled the Leopard firewall to block all connections and I enabled stealth mode. I then took a look at the log, and I am seeing a lot of Stealth Mode connection attempt to TCP MY.IP:PORT from XX.XX.XXX.XXX. I traced one of the IPs and it's coming from ANTIGUA AND BARBUDA, (according to http://remote.12dt.com/lookup.php). Should I be worried?
    Edit: Oh yeah, I also use NAT to forward this port in my Time Machine. I'm thinking it has more to do with it being forwarded. I also checked some of the other IPs and many are from the US as well, it was luck (or bad luck) that the first one I checked was from a foreign country.

    It has to do with the Transmission.app library. It uses the system to connect.

  • Bit Confused About Leopard Firewall

    Hey y'all!
    I'm a little confused about what's going on with the Leopard firewall. It seemed that before, you could choose an application, and which ports you wanted to associate with it, via the System Preferences > Sharing > Firewall tab. Now, they went and moved it, and you can only choose the app, and whether it can receive incoming connections. OK, fine. So let's see what ports are open:
    Thee-MacBook:~ rick$ sudo ipfw list
    Password:
    33300 deny icmp from any to me in icmptypes 8
    65535 allow ip from any to any
    Huh? How come I'm only seeing two rules here?
    My original concern was for SoulseeX, and whether the required range of ports were open. While I can search and download, others have problems downloading from me, and I cannot directly connect to others, and other weirdness. So I decided to start checking things out.
    I do have SoulseeX listed in the Firewall tab, and set to receive incoming connections. But when I used this site <http://closer.s11.xrea.com/etc/port_scan.php> to test port 2234, it returned "failed".
    In short, here's what I'm wondering:
    Is the Firewall tab in System Preferences using ipfw?
    By setting an app in the Firewall tab in System Preferences, is the entire range of ports the app wants, in SoulseeX' case, 2234, 2235, 2236, 2237, 2238, 2239, and 2240, made available?
    How can I see what rules are being used, what ports are open?
    Will writing (a couple of) my own rules to ipfw screw up the other settings in the Firewall tab? I would, if possible, like to keep things simple, and not have to rewrite all the rules by hand. Besides, I'm not exactly an expert!
    TIA!

    Leopard's application firewall is not a port firewall. I'm not sure where you would be able to see the actual port numbers that an application has opened, but your failures may be due to the ports being stealthed. The ipfw firewall is still there if you want to use it - the new firewall won't overrule it.

  • NBAR discovery passive ftp

    Hi guys,
    I am trying to shape all ftp traffic on a 3700 router connecting to a LAN.
    so F0/0 is the WAN and F0/1 is the LAN port.
    I have tried to use NBAR to shape http or any traffic, all working fine.
    however, it seems like I am having problems dealing with passive ftp traffic.
    the following is part of the configuration I have :
    class-map match-any FTP
    match protocol ftp
    policy-map FTP
    class FTP
    shape average 400000
    int f0/1
    service-policy output FTP
    ip nbar protocol-discovery
    end
    wr
    I am using an old version ios 12.3(22) on this router, I am wondering if this ios's nbar supports passive ftp discovery or not.
    thanks.

    Hi,
    Have a look at this link
    http://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html#passiveftp
    You may need an access list to define the ftp-passive type traffic and apply the access list to your class map
    Regards
    Alex

  • ITunes sharing - using AirTunes and older Mac (Firewall)

    iTunes lives on my 27" iMac and I would like to share the library out to home computers. I plan to have an older iMac G4 publicly accessible so visitors can control the music on the home stereo. I can access iTunes via the iMac G4, I can get to my main library without problem. However, when I try to connect to my Airport Express Air Tunes I get a firewall issue. Specifically, the G4 gives me a message to change my firewall settings. The help information for iTunes with Mac OSX Firewall tells me to click sharing ->Firewall ->iTunes Music Sharing ->Advanced -> deselect "Block UDP traffic." I have done this on the G4 firewall and the 27" firewall isn't even turned on. However, I am still not having any luck. Any ideas? FWIW, all software and OS are up to date.
    My wife's MacBook Pro can connect to the AE Air Tunes.

    Did you ever solve your problem? I just got a macbook with airport extreme card and then got an airport express mainly to play iTunes through a stereo in another room. The macbook does this with no problem. However, I wanted to use an older powerbook G4 (867Mhz) with an airport (not airport extreme) card to run airtunes. The G4 gave me the same incorrect firewall warning even after I've changed the settings. Even with the firewall off, it only plays for a few seconds, then cuts out. I'm running 10.4.11 on the G4 and 10.6.2 on the macbook. I'm beginning to think the airport card just can't handle the bandwidth, even after I narrowed the multicast to 1mbps.

  • I have Dreamweaver CS5.5 and the FTP will not work. Any Ideas?

    Hello anyone out there. I just got off the phone with Adobe and they no longer support the product.
    I keep getting this message:
    Toggling the "use Passive FTP" checkbox may help you establish a connection.
    -Select or de-select the checkbox and click Test to try again.
    _If you are connecting to an IPv6 enabled server, please select the "Use IPv6 transfer mode" checkbox in the Advanced site definition dialog.
    If the problem persists, check your network settings, including the local firewall settings on your computer, or consult your network administrator.
    I cannot connect to the server and I have checked everything with Godaddy and it is fine. I have checked with Apple and it is all fine and the cache is empty.
    Any ideas?
    Suzwagner

    I'm guessing your site is not properly defined.  See screenshots below from Site > Manage Sites.
    Servers: Root Directory is whatever your hosting provider (GoDaddy) told you to use.  This varies by web host.  The most commonly used ones are html_docs, public_html or www.
    Click the TEST button.  If you're connected, Save and exit this panel.  If you can't connect, click More Options:
    Nancy O.

  • Lost website and ftp access in Leopard

    After one of the recent security updates, I lost access to my website and I no longer have ftp access to my computer. I have a mac mini in my office that I host a company website on (with a static IP address). I also access my office files using the Fetch FTP program. I can no longer access either one. I can ping the computer over the internet and get no packet loss. Nothing has changed on the router. I can access other computers in the office, only having a problem with the mac mini.

    Your problem doesn't look like a technical one. It's more a problem of practices in your organization.
    Michal's suggestion with the identity-firewall is a very good choice if you still want to keep complete control over the traffic that is allowed through your firewall. But your post sounds a little bit like you would like to delegate the work.
    For that, an FTP-proxy in the DMZ could be a solution. This proxy is allowed to access the internet with FTP on your firewall. And you can delegate the administration of that proxy to the desktop-crew, who are probably the admins that know best who needs FTP-access and who doesn't.

  • CSS and Extended Passive FTP problem.

    Hi everyone.
    I'm having a problem setting up a load balanced cluster of FTP servers behind a CSS 11506.
    I can FTP into the cluster fine. I am redirected to one of the machines in a round robin fashion and can log in. The problem arises on Macs where typing in an ls command returns this:
    ftp> ls
    229 Entering Extended Passive Mode (|||32999|)
    200 EPRT command successful
    421 Service not available, remote server timed out. Connection closed
    Now, if I type in the EPSV command and disable Extended Passive Mode prior to connecting to it, it works fine.
    Also, connecting to any of the servers directly with epsv enabled works fine as well.
    We have over 800k hits per month and telling everyone to disable epsv will be a problem. Is there a way to enable extended passive mode through the css?
    Here is my config:
    Group: ftpServers1 - Active (198.202.122.181 Not Redundant)
    Session Redundancy: Disabled
    Last Clearing of Stats Counters: 03/20/2007 14:28:25
    Associated ACLs: NONE
    Source Services:
    DNS
    Name:     Hits:  State:  Load:  Trans:  Keepalive:  Conn:
    rem_ftp1  19857  Alive   44     6       FTP         0
    rem_ftp2  38175  Alive   87     0       FTP         0
    Destination Services:
    NONE
    Group Service Total Counters:
    Hits/Frames/Bytes: 58032/58339/4277264
    Connections Total/Current: 25/0
    FTP Control Total/Current: 0/0
    CSS11506# show rule pdb ftp-rule1
    Name: ftp-rule1 Owner: pdb
    State: Active Type: FTP
    Balance: Round Robin Failover: N/A
    Persistence: Enabled Param-Bypass: Disabled
    Session Redundancy: Disabled
    IP Redundancy: Not Redundant
    L3: 198.202.122.181
    L4: TCP/21
    Url:
    Redirect: ""
    TCP RST client if service unreachable: Disabled
    Rule Services & Weights:
    1: rem_ftp1-Alive, S-1
    2: rem_ftp2-Alive, S-1
    Thanks
    Boki

    EPSV is not supported.
    The only workaround available to load balance passive ftp servers is to use "PASV" command instead of "EPSV" on clients.
    Syed Iftekhar Ahmed
