Subject: Re: requires dash?
To: Quentin Garnier <>
From: Courtney R. Spencer <>
List: netbsd-users
Date: 08/22/2005 15:36:13
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Mon Aug 22, 2005 at 09:19:30PM +0200, Quentin Garnier wrote:
> It's not about the password, you have firewall issues.
> I've seen that issue happen to a fellow developer slightly less than
> two years ago.  The packet you're expecting at this point is as large
> as it can be, and apparently some stateful packet filters (that
> understand FTP) are confused by that packet.
> In that story, it appeared that some version of the Checkpoint firewall
> actually expected TCP packets to be aligned with end of lines, which was
> not the case with the motd of the time, for two bytes.  That is, making
> the motd file two bytes larger (I suggested increasing the length of the
> fork at the time) made the connection get through.
> I don't remember if admins@ did something about it at the time, and I
> guess the motd has changed by now, but I really think you're experiencing
> a similar issue.
> It might also be related to PPPoE and badly negociated MSS.
> By the way, the 421 message you get comes from the FTP client, not the
> server.

Yes, you are quite right that this must be a firewall issue at this
location.  I telnetted from other hosts that were not behind a firewall
to and noticed another ( or continuing ) packet sent=20
after "230" from the netbsd server on those systems.

On the system that is having problems, I only see my ack being sent
after "230".  When using "-", I'm able to work around because the
full message is not being sent and thus makes the firewall happy
about the connection.

Thanks for the info.

Courtney R. Spencer

Content-Type: application/pgp-signature
Content-Disposition: inline

Version: GnuPG v1.4.1 (NetBSD)