Subject: Re: ftp passive mode
To: Luke Mewburn <lukem@cs.rmit.edu.au>
From: Andrew Brown <atatat@atatdot.net>
List: tech-userlevel
Date: 04/06/1999 14:50:33
>I don't consider the current behaviour a `bug', per se.

i would.

>If a site has a firewall that doesn't support `passive', their
>ftp server shouldn't respond with a positive response code to
>the effect of ``I support passive, and here's the data...''.
>Their ftp server should return a ``passive not supported'' code.

imho, if i have an ftp server behind a firewall such that passive ftp
requests won't work, i'm not really sure i should have to reconfigure
the ftp server.  i can easily imagine cases where that wasn't even
possible.

lemme see if i understand how passive works.  the client says "pasv"
and the server responds with "227 entering passive mode #,#,#,#,#,#".
then the client connects back to the server at that port.  which it
then fails to do (presumably on account of inbound connections to
"random" ports being filtered?).  imho, the client should now try to
fall back to active mode (unless it has been *told* to use passive mode
or is trying to fall back to passive mode *from* active mode).

can't the client just issue an abor at that point and try an active
connection?

>Otherwise, how do you determine that you have to fallback to active?
>A timeout probably won't suffice, since if there's a timeout chances
>are that other factors (other than a borken firewall) may be
>responsible, and trying active wouldn't achieve anything anyway.

it may achieve something and you may as well try.  if the tcp connect
times out (which you have to try in the first place), you might as
well fall back at that point since you don't have to wait as long.

besides, you already know it's not an ip level issue, since you can
establish a tcp connection in the first place.  it might just have to
do with filtering.  and i'm personally much more likely to account for
active ftp in my packet filter configuration than i am to expect that
the ftpd can be told to only do passive ftp.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
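
The fallback discussed in this message, as an added example (not code from the post or from any ftp client): parse the 227 reply, attempt the data connection with a timeout, and fall back to active mode only when passive was not explicitly requested. The names parse_227, choose_data_mode and passive_forced, and the sample reply, are assumptions made for illustration.

```python
import re
import socket

# Six comma-separated decimal bytes: h1,h2,h3,h4,p1,p2
_PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed sample reply (documentation address, not a real server).
SAMPLE_227 = "227 Entering Passive Mode (192,0,2,10,195,80)"


def parse_227(reply):
    """Return (host, port) from a 227 reply; raise ValueError if malformed."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    match = _PASV_RE.search(reply[3:])
    if match is None:
        raise ValueError("no address in 227 reply: %r" % reply)
    nums = [int(n) for n in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in 227 reply: %r" % reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def choose_data_mode(pasv_reply, connect=socket.create_connection,
                     passive_forced=False, timeout=10.0):
    """Return ("passive", sock) or ("active", None).

    passive_forced models a user who *told* the client to use passive
    mode: in that case a failure is raised instead of falling back.
    """
    if not pasv_reply.startswith("227"):
        # Server declined PASV outright.
        if passive_forced:
            raise ConnectionError("server declined PASV: %r" % pasv_reply)
        return ("active", None)
    host, port = parse_227(pasv_reply)
    try:
        # The control connection already works, so a refusal or timeout
        # here points at filtering of the data port rather than routing.
        sock = connect((host, port), timeout)
    except OSError:  # covers refused connections and timeouts
        if passive_forced:
            raise
        return ("active", None)
    return ("passive", sock)
```
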