Bug 44806

Summary: FTP port command fails with links
Product: [Retired] Red Hat Linux Reporter: Henri Schlereth <henris>
Component: linksAssignee: Bernhard Rosenkraenzer <bero>
Status: CLOSED DEFERRED QA Contact: David Lawrence <dkl>
Severity: low Docs Contact:
Priority: low    
Version: 7.1   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2001-06-27 02:23:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Description Flags
ipchains config file
enclosed rc.firewall none

Description Henri Schlereth 2001-06-17 17:34:03 UTC
Description of Problem:
After upgrading to RH7.1 (on firewall) my inpchains scripts that used to
work with
RH7.0 now fail links, lynx and wget with any site ftp://blah.blah. Netscape
X and Windows works, ftp and ncftp work as well.
Links,lynx and wget work on the firewall itself but behind the firewall. 

These programs work within the internal netork.

I suspect it is because ip_masq_ftp is gone. I havent converted to iptables
yet, but it
looks like I will have to much sooner than planned.

How Reproducible:
Use the attached ipchains script on a test machine and try to access 
ftp://ftp.redhat.de via links or lynx or do a wget on an ftp site (known to

Steps to Reproduce:

Actual Results:
FTP port command failed (links)
Unable to access document (lynx)
wget (invalid port)

Expected Results:
get to sites and/or download

Additional Information:

Comment 1 Henri Schlereth 2001-06-17 17:35:01 UTC
Created attachment 21206 [details]
ipchains config file

Comment 2 Michael Schwendt 2001-06-18 15:58:31 UTC
With the 2.4 kernel, ip_masq_ftp has been renamed. HTH.

Comment 3 Michael Schwendt 2001-06-18 19:13:08 UTC
Sorry, you are right.

I've mixed up the "lsmod" config of a RHL 7.1 machine running the 2.2.19 kernel
and my workstation running the 2.4 kernel and iptables.

Your ipchains script is not affected, though. It's just that the protocol
specific masquerading support is not available.

Comment 4 Mike A. Harris 2001-06-19 01:09:47 UTC
IP masquerade helpers for ipchains are not available in the 2.4 kernel.
If you need to use any of the helper programs, you will need to switch
to iptables and use ftp conntracking, et al.

Alternative workaround:  Use passive mode FTP in all software that supports
it.  Consult the software documentation for each program that fails to
determine if it supports passive mode FTP or not.

Comment 5 Henri Schlereth 2001-06-19 02:06:19 UTC
Since I am not ready yet to switch to iptables your suggestion did the trick
with only one
exception. Links has no documentation, no man page to set passive mode.

Comment 6 Henri Schlereth 2001-06-27 01:48:38 UTC
I am re-opening this as a feature enhancement against links. I have installed
and configured
iptables and I still get a port command failed with links. While I am still
researching to see
if I did anything wrong , I was informed by the maintainer that links doesnt do
passive ftp. The only solution available is to not use links (e.g
ftp://ftp.isc.org) or come
up with some sort of proxy method to regain full functionality

Comment 7 Mike A. Harris 2001-06-27 02:22:57 UTC
links is not a program created here, and so it is unlikely we would add
support for passive mode FTP to it, especially when there are other tools
that work through passive ftp.  It isn't my package however so not my call.
When changing packages, be sure to also assign to the new component owner
as well.

Take care,

Comment 8 Bernhard Rosenkraenzer 2001-06-27 10:25:12 UTC
I've passed this feature request on to the links mailing list - maybe someone 
has the time to add this before I do.

Comment 9 Henri Schlereth 2001-06-29 06:01:18 UTC
I replaced a minimal iptables with non-passive ftp support enabled. I switched
lynx and wget back to non-passive mode and they work. Astonishingly enough
links still gets a port command failed even with iptables. I am enclosing as an
attachment my working rc.firewall. You may want to pass this on to the links
people.  I was
trying to make this work because I thought links was going to replace lynx.
Evidently not
ready for primetime.

Comment 10 Henri Schlereth 2001-06-29 06:02:25 UTC
Created attachment 22166 [details]
enclosed rc.firewall