The macosxhints Forums

FTP will not work through router (http://hintsforums.macworld.com/showthread.php?t=58112)

benthehen 07-12-2006 07:04 AM

I'm trying to get FTP access on my computer. I'm using Mac OS X 10.4.7 and have started up the FTP access in the System Preferences. My LAN IP address is static and both ports 20 and 21 are forwarded to this IP address. The OS X firewall is off. When I try to connect to my FTP server using my local address everything works fine, yet when I try to connect to my FTP server in the terminal using my WAN IP address I always get "ftp: connect: Operation timed out." It doesn't work in Safari either.

I disconnected my router and hooked up my computer directly to the cable modem and everything works fine, both my local and internet IP work. So it must be a problem with the router. I have a Belkin 4-way router.

Anybody got any ideas? I've spent a lot of time on Google looking for a solution, but they all say the same thing and none of them help. Any help would be appreciated.

trevor 07-12-2006 10:22 AM

If you really really need to get ftp working through a router, you will need to forward more ports in the router. Here's the definitive explanation.

But I'd strongly advise you not to use ftp, which is insecure, and switch to sftp (secure ftp), which is included with OS X, is secure, and only requires one port (22) to be forwarded in your router, and one port (22) to be open in your firewall.

Oh yeah, and you should turn that firewall on your computer back on.

Trevor

SvenW 07-12-2006 10:34 AM

I could imagine your router's firewall drops the packets if you try to connect from the internal network's address on a forwarded port - it could be interpreted as forged packets.

Try if you can connect from outside of your network, maybe with dialup from another box not connected to the router.

voldenuit 07-12-2006 10:58 AM

It's like trevor said, ftp is a nightmare protocol to NAT and you want to use sftp anyway.

benthehen 07-13-2006 09:08 AM

I wanted to see if FTP can even work before I try to get the other services to work (SFTP was having the same problems), and I remember FTP working before.

I think SvenW is right. I was able to connect outside the local network using the WAN IP and yet only the LAN IP works inside my network. Now that it works, I'll take everyone's advice and use SFTP. Thanks.

dduggan 07-14-2006 09:02 PM

You say you are trying to test the FTP connection from inside your network using your Internet IP address? I'm not convinced that will work - I have FTP fully functional on my iMac but it never works if I try and connect from inside the same network using my Internet IP.

Regarding the issue of security and ports etc... Why not access FTP via a different port and not 21 (e.g. 8080 or 2001)? You can do this by setting the port forwarding in your router to forward incoming requests on the Inbound port of 2001 (or whatever port number you choose) to Private port 21 on your local machine.

SvenW 07-14-2006 09:21 PM

Quote:

Originally Posted by dduggan
You say you are trying to test the FTP connection from inside your network using your Internet IP address? I'm not convinced that will work - I have FTP fully functional on my iMac but it never works if I try and connect from inside the same network using my Internet IP.

That was sorted out already ...

Quote:

Originally Posted by dduggan
Regarding the issue of security and ports etc... Why not access FTP via a different port and not 21 (e.g. 8080 or 2001)? You can do this by setting the port forwarding in your router to forward incoming requests on the Inbound port of 2001 (or whatever port number you choose) to Private port 21 on your local machine.

And why? This will stop only the most basic attacks where someone tries to connect to 5 or 10 well known ports and nothing beyond that. Any full range port scan will detect the open port on 2001 and milliseconds later it will be identified as FTP. And if you want someone else to use that service, you would have to explain how to setup another port for FTP.

Security through obscurity is no good at all - in your case, I think you would feel secure because you use that "secret" port for FTPing, but this doesn't protect you more than a sheet of paper from a bullet.

And yes, this is true for other protocols as well - selecting ports other than the standard ones only makes sense for technical and/or convenience reasons, at least in my opinion.
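Added example, not part of the original thread: a check you can run against your own relocated service to see what it announces. The server speaks first in both FTP and SSH, so the greeting names the protocol whatever port it was moved to; the loopback listener in `demo()` is a constructed stand-in for an FTP daemon on a non-standard port.

```python
import socket
import threading

def classify_banner(banner):
    """Name the protocol from the first bytes a server sends on connect."""
    text = banner.decode("ascii", "replace").strip()
    if text.startswith("SSH-"):          # RFC 4253 identification string
        return "ssh/sftp"
    if text.startswith("220") and "ftp" in text.lower():
        return "ftp"                     # RFC 959 service-ready greeting
    if text.startswith("220"):
        return "ftp-or-smtp"             # both protocols greet with 220
    return "unknown"

def greeting_on_port(host, port, timeout=3.0):
    """Connect, send nothing, and return whatever the service says first."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256)
        except socket.timeout:
            return b""

def demo():
    """Serve a constructed FTP greeting on a random loopback port and check it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))           # port 0: the OS picks a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 host.example FTP server ready.\r\n")
        conn.close()

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    result = classify_banner(greeting_on_port("127.0.0.1", port))
    worker.join()
    srv.close()
    return port, result

if __name__ == "__main__":
    print(demo())
```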

voldenuit 07-15-2006 02:48 AM

Putting services on non-standard ports is a useful technique to reduce the pounding of botnet generated attacks.
It does not, as Sven correctly points out, help to protect against attackers who're after YOU in particular. Keeping your system patched and using good passwords does.

dduggan 07-15-2006 08:30 AM

Although I do agree with Sven, I have had good experience on the net. I find that changing inbound ports stumps the regular guys with port scanners not really knowing what they're doing.

If an experienced dude who knows what he's doing happens to come along he's either a) malicious or b) too good to care.

Really, I rely on the odds of someone who is incapable of hacking, or does not want to hack, into my system coming along.

I think I'll just take a back seat and admit defeat on this one then....

jpmhughes 07-21-2006 05:40 PM

"But I'd strongly advise you not to use ftp, which is insecure, and switch to sftp (secure ftp), which is included with OS X"

How do you set up SFTP in OS X server (10.4.7)? I don't see it in Server Admin.
Jim

SvenW 07-21-2006 05:51 PM

Quote:

Originally Posted by jpmhughes
How do you set up SFTP in OS X server (10.4.7)? I don't see it in Server Admin.
Jim

Basically, you just have to activate SSH on the server and you are done. SFTP is part of the OpenSSH suite of programs.

jpmhughes 07-21-2006 08:22 PM

So I enable SSH (which I have done) and then forward port 22 via my router to my server's locally DHCP assigned IP address? Then I can connect to it from an FTP client (such as Transmit) using SFTP?
Thanks,
Jim

TinFoil209 07-21-2006 11:49 PM

Ever see these before? Block WAN Request, Multicast Pass Through, IPSec Pass Through, PPTP Pass Through.

The only one that would make what you need work is: Block WAN Request DISABLE. Yet don't do it! This makes everything great about a router go to crap.

When I hosted WWW through my computers using IIS or Apache, to check and make sure it was working past the WAN I would need to IM or call geek friends and beg them to check my WAN IP or my www.insertnamehere.com and see if they got a test page. Same goes for this 80 incoming and your 21 incoming.

These guys mentioning SFTP are right if you're using it for your own use (at school and forgot to print that HW, go through SFTP and get it), but if you wanna do anything public, this is the way.

The reason routers deny this pass-through is because spyware and malware would loop for F'in ever connecting to itself. You think 5-10 computers using your PC as a spam zombie is bad, imagine your own computer thinking it can use itself 100 times over cause it sees itself as the best connection! Looks WAN to it but it's just one step into WAN and everything else is LAN. You would get so many collisions TXT would take modem bps speed.

If you want your FTP public for friends (make an access list, or at least anonymous severely limited like a dropbox write only) then go back to how you had it and have a friend not in your LAN, or even better on a different service (you Comcast, him SBC DSL) and try the connection. This ensures your connection is propagated correctly.

Cheers!

jpmhughes 07-22-2006 12:03 AM

I am only going to be using this connection for myself. Anonymous connections are off and I only have one user (myself) setup with a good password.
So if I do what I posted above it will work better than FTP? Right now, for some reason I can not connect to the FTP server over WAN but LAN is OK, so the FTP server is working.
I have tried passive on and off, nothing.
Port scans come up with no open ports even though I know I left 21 open to forward to the server IP.
Try a port scan yourself, see what comes up, I am curious...
216.195.213.162
Jim

TinFoil209 07-22-2006 12:04 AM

Well no matter if your password is abc or sdfjsdlfksjdfl;kjd#(*$&#$(*sdfjsldkfj it's all cleartext. Why SFTP is a good measure. Have u tested the connection on a friend's computer?

benthehen was the thread starter, now you're here. You a separate person with the same issue or have two usernames? I'm FTP fluent but not well with SFTP (I use TFTP with Cisco IOS but not Secure FTP).

TinFoil209 07-22-2006 12:11 AM

Nothing comes up.... I get PONG from your IP but nothing coming back in port scans....

Who is your ISP? What do they block? Have iChat???

jpmhughes 07-22-2006 12:12 AM

No, different person, same problem.
Have you tried a port scan?
Jim

TinFoil209 07-22-2006 12:12 AM

HEY BUSTER BROWN CHECK THIS OUT! Ahh crap I can't upload files here. Give me an AIM, iChat or Yahoo SN

jpmhughes 07-22-2006 12:16 AM

I allowed ping from my router just to see if everything was working. According to my ISP (Ctc communications) they are not blocking anything. They provide a T1 line for me so the IP is static too.
I even tried using a different FTP server called Rumpus. Interestingly when I had someone at Rumpus check they could connect and even uploaded a test file to a temporary user directory I created. Now, nothing. I will have to have them try again.
Right now I am at home trying it and I can't connect. Seems strange. But if SFTP is actually easier to connect I will forward port 22 over to my server. I have enabled remote logging (SSH)
Jim

TinFoil209 07-22-2006 12:18 AM

Look, do u have anything I can IM u on? I'm not going to play telegram on here. I'm getting a User PW dialog on here and wish to help u. I'm not taking my time out to upload this screenshot and something. Either give me some contact info or forget it.

I'm getting an authentication dialog but can't go from there.

jpmhughes 07-22-2006 12:21 AM

I thought it may be Cox communications blocking the FTP but that does not make sense either because I can connect to other FTP sites, my Cox ftp for example. I am using a 3Com "Office connect" router. Have a "virtual server" set up to forward port 21 to my server's local IP and even set up what they call "special applications" also using port 21. Then I allowed ports 3000-3008 access to the router just in case I may need to for additional users, still nothing. Any ideas?
Jim

jpmhughes 07-22-2006 12:23 AM

You can e-mail me

jpmhughes 07-22-2006 12:29 AM

"I'm getting an authentication dialog but can't go from there."

Yeah, I get that too when I try to connect via the Finder in OS X but even when I enter the correct info it does not connect. If I cannot get a port scan then something is wrong. The fact that you did try to port scan and also came up with nothing makes me think the router is screwing up somehow.
Jim

TinFoil209 07-22-2006 12:38 AM

Ok well I got a Name Password Dialog. I got things to do. I can't help u by playing pony express on here. Good luck.


All times are GMT -5.