BUT: active FTP does not just send the data to the port that was in
the random port that was sent to the server... it addresses to the port
you sent, but it sends its data response FROM port 20. This means the
response looks like a totally unsolicited connection attempt from the
outside -- the firewall doesn't even have enough information to
determine which machine (if multiple) inside the firewall should be
receiving the data; since the server is sending the data stream on its
port 20 and there is no active connection for server:20 to ANY
client:????
Yes, I know. But it DOES work from inside my NAT network. I have no clue
how. I'm sure that it is using active connections because this server
cannot use passive mode. It might be a very clever firewall that does
packet sniffing for "ftp PORT" commands. (?) Anyway, the problem is not
with this computer, it was a counter-example.
Even if you could tell the firewall to let in connections on
the specified port, the NAT tables won't know what inside IP to
translate the inbound server port 20...
It does not need to. I can reconfigure the firewall to directly forward
all incoming TCP connections from a specified port range to a given IP
inside the internal network. But I do not even need to do that. The
problem is with a computer that is NOT behind NAT. It is a single
computer connected directly to the internet, but it has a firewall
installed. So everything would be fine except one thing: I should tell
ftplib which port(s) to open, and open those ports on my firewall. For
example, I can open TCP ports between 50000 and 60000, and then tell
ftplib to use ports between 50000 and 60000 in PORT and EPRT commands.
How can I do that? If that is not possible, then what is the workaround?
(Definitely I do not want to turn off the firewall completely on a
production server.)
Passive mode turns this around.
Yep, but this ftp server cannot use passive mode and I cannot change this.
And finally, if this cannot be done in ftplib, then I would like to
suggest to add this method to Ftp objects. :-)
Best,
Laszlo