> BUT: active FTP does not just send the data to the port that was in
> the random port that was sent to the server... it addresses to the port
> you sent, but it sends its data response FROM port 20. This means the
> response looks like a totally unsolicited connection attempt from the
> outside -- the firewall doesn't even have enough information to
> determine which machine (if multiple) inside the firewall should be
> receiving the data; since the server is sending the data stream on its
> port 20 and there is no active connection for server:20 to ANY
> client:????

Yes, I know. But it DOES work from inside my NAT network. I have no clue how. I'm sure that it is using active connections because this server cannot use passive mode. It might be a very clever firewall that does packet sniffing for "ftp PORT" commands. (?) Anyway, the problem is not with this computer, it was a counter-example.

> Even if you could tell the firewall to let in connections on
> the specified port, the NAT tables won't know what inside IP to
> translate the inbound server port 20...

It does not need to. I can reconfigure the firewall to directly forward all incoming TCP connections from a specified port range to a given IP inside the internal network. But I do not even need to do that. The problem is with a computer that is NOT behind NAT. It is a single computer connected directly to the internet, but it has a firewall installed. So everything would be fine except one thing: I should tell ftplib which port(s) to open, and open those ports on my firewall. For example, I can open TCP ports between 50000 and 60000, and then tell ftplib to use ports between 50000 and 60000 in PORT and EPRT commands. How can I do that? If that is not possible, then what is the workaround? (Definitely I do not want to turn off the firewall completely on a production server.)

> Passive mode turns this around.

Yep, but this ftp server cannot use passive mode and I cannot change this.

And finally, if this cannot be done in ftplib, then I would like to suggest adding this method to Ftp objects. :-)

Best,

Laszlo
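
One way to pin active-mode data ports to the 50000-60000 range mentioned in the message, as an added example that is not part of the original post or of ftplib itself. It assumes `ftplib.FTP.makeport()` is the hook that opens the active-mode listening socket (as in CPython's ftplib); `RangedFTP` and `bind_in_range` are hypothetical names.

```python
import ftplib
import socket

PORT_RANGE = (50000, 60000)  # range from the post; must match the firewall rule


def bind_in_range(lo, hi, family=socket.AF_INET):
    """Return a listening socket bound to the first free port in [lo, hi]."""
    for port in range(lo, hi + 1):
        sock = socket.socket(family, socket.SOCK_STREAM)
        try:
            sock.bind(("", port))
            sock.listen(1)
            return sock
        except OSError:
            # Port busy or not permitted: release the socket, try the next one.
            sock.close()
    raise OSError(f"no free port in {lo}-{hi}")


class RangedFTP(ftplib.FTP):
    """FTP client whose active-mode data sockets stay inside port_range."""

    port_range = PORT_RANGE

    def makeport(self):
        # Same steps as the stock makeport(), except the port is taken
        # from the allowed range instead of being chosen by the OS.
        sock = bind_in_range(*self.port_range, family=self.af)
        port = sock.getsockname()[1]
        host = self.sock.getsockname()[0]  # local address of the control connection
        if self.af == socket.AF_INET:
            self.sendport(host, port)   # PORT h1,h2,h3,h4,p1,p2
        else:
            self.sendeprt(host, port)   # EPRT |af|addr|port|
        # Private sentinel, used the same way by ftplib itself.
        if self.timeout is not socket._GLOBAL_DEFAULT_TIMEOUT:
            sock.settimeout(self.timeout)
        return sock
```

Use it like `ftplib.FTP` after calling `set_pasv(False)`, and allow inbound TCP on the firewall only for the same range.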