Subject: Re: FTP not working in some cases?
To: Yasir Malik <ymalik@cs.stevens-tech.edu>
From: Steven M. Bellovin <smb@research.att.com>
List: port-i386
Date: 04/09/2004 10:28:13
In message <Pine.NEB.4.58.0404091002060.28514@pink-elephant.cs.stevens-tech.edu>, Yasir Malik writes:
>> Is there a Checkpoint firewall in the path?  That can cause the
>> symptoms you noticed.  Sometimes, this can be bypassed by using a '-'
>> as the password.  I haven't tried this, but you might be able to
>> persuade sysinst to do that by using its 'shell' option and creating a
>> .netrc file.
>>
>> 		--Steve Bellovin, http://www.research.att.com/~smb
>
>Thank you for your reply.  We do not have a Checkpoint firewall.  We have
>a Pix firewall.  None of your solutions work.  This is really weird.  I
>thought about copying the distribution to my Windows partition and then
>mounting it in sysinst, but it turns out that I can't even access
>releng.netbsd.org through Windows.  Is there something wrong with the ftp
>server?

Can you get to the server manually, specifying a password of "-" (omit 
the quotes)?  As I indicated, I'm not sure that sysinst will honor a 
.netrc file.  (Hmm -- a quick test of 'ftp' with a URL argument 
suggests that it does *not* look at the .netrc file, and hence won't 
honor the "-" in sysinst.  I don't know if that's a bug in ftp or a 
conscious design decision.)

The problem is the long "230" messages put out by ftp.netbsd.org.  This 
confuses some (stupid) firewalls.  Using "-" as a password tells the 
server to omit the message.  Alternatively, there may be a PIX firewall 
setting to keep it happy, but it's often hard to persuade firewall 
administrators to make the change.



		--Steve Bellovin, http://www.research.att.com/~smb
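
The multi-line "230" reply discussed in the message above, as an added example that is not part of the original e-mail: an incremental parser for FTP control-channel replies that follows the RFC 959 multi-line rule and returns the same result however the bytes are split across reads. The banner text and the names `FTPReplyParser` and `parse_in_chunks` are constructed for illustration.

```python
import re

class FTPReplyParser:
    """Incremental RFC 959 reply parser; accepts arbitrary byte chunks."""

    def __init__(self):
        self._buf = b""      # bytes received but not yet terminated by CRLF
        self._code = None    # code of the multi-line reply in progress
        self._lines = []

    def feed(self, chunk):
        """Add received bytes; return the (code, lines) replies completed so far."""
        self._buf += chunk
        done = []
        while b"\r\n" in self._buf:
            raw, self._buf = self._buf.split(b"\r\n", 1)
            line = raw.decode("latin-1")
            if self._code is None:
                m = re.match(r"(\d{3})([ -])(.*)$", line)
                if not m:
                    raise ValueError("malformed reply line: %r" % line)
                code, sep, text = m.groups()
                if sep == " ":                  # ordinary single-line reply
                    done.append((int(code), [text]))
                else:                           # "230-" opens a multi-line reply
                    self._code, self._lines = code, [text]
            elif line.startswith(self._code + " "):
                # Only "<same code><space>" ends the reply.
                self._lines.append(line[4:])
                done.append((int(self._code), self._lines))
                self._code, self._lines = None, []
            else:
                # Continuation: "230-text" or free text, even if it has digits.
                cont = line.startswith(self._code + "-")
                self._lines.append(line[4:] if cont else line)
        return done

def parse_in_chunks(data, size):
    """Feed data to a fresh parser size bytes at a time, as separate reads would."""
    parser, replies = FTPReplyParser(), []
    for i in range(0, len(data), size):
        replies += parser.feed(data[i:i + size])
    return replies

# Constructed sample: a long login banner, then the terse form with no banner.
LONG = (b"331 Guest login ok, type your name as password.\r\n"
        b"230-\r\n"
        b"230-  Welcome to the archive (constructed banner text)\r\n"
        b"  220 mirrors are available, see the README\r\n"
        b"230 Guest login ok, access restrictions apply.\r\n")
TERSE = b"230 Guest login ok, access restrictions apply.\r\n"
```
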