Re: Indy 9: 500 Illegal PORT range rejected.
Subject: Re: Indy 9: 500 Illegal PORT range rejected.
Posted by:  J. Peter Mugaas (oma002…@mail.wvnet.edu)
Date: Sat, 11 Sep 2004

On Wed, 8 Sep 2004 13:48:51 +0200, Gerbert Koppelman wrote:

> Hello,
>
> I have a problem when connected to an FTP server: sometimes the following error
> occurs:
>
> 500 Illegal PORT range rejected.
>
> Here are the commands given and returned (->> = to ftp server):
>
> ->> PORT 10,0,0,18,4,6
> <<- 500 Illegal PORT range rejected.
>
> Sometimes it works good as seen below:
>
> ->> PORT 10,0,0,10,4,198
> <<- 200 PORT command successful.
>
> The server cannot communicate in passive mode.
> These are the login commands:
> <<- 220 someftpserver FTP server (Version 6.00LS) ready.
> ->> USER xxx
> <<- 331 Password required for acmaa.
> ->> PASS xxx
> <<- 230 User xxx logged in, access restrictions apply.
> ->> TYPE A
> <<- 200 Type set to A.
> ->> SYST
> <<- 215 UNIX Type: L8 Version: BSD-199506
> ->> CWD /data/
> <<- 250 CWD command successful.
> ->> PORT 10,0,0,10,4,198
> <<- 200 PORT command successful.
>
> What can be wrong? And what can I do to solve the problem?

I'm not sure.  I did notice one thing though.  The IP address being
communicated in the PORT command is 10.0.0.10.  That IP address is reserved
for an internal network.  See: http://www.faqs.org/rfcs/rfc1918.html.  Is
your server also on the local network?  If it is not, IP address 10.0.0.10
will NOT work.  Most servers require that the PORT command communicate the
same IP address as the control connection and some servers might reject
internal IP addresses (they wouldn't work anyway because most Internet
routers will drop packets meant for internal networks).

If you are using SSL with FTP, your problem is that the NAT cannot detect
an IP address in a PORT command and thus, it will NOT do any special fixups
so PORT commands can work.  If you use PORT in such a situation, there are
two things you can do in Indy 10 that may work.

1) You can use the CCC command by setting UseCCC to true to make the
connection unencrypted.  That will only work if the server supports the CCC
command and the NAT can detect the address afterwards (some NATs do not do
that so your mileage will vary).  Another disadvantage is that you might
NOT be willing to give up encryption on the control channel.

2) You can use port forwarding on the NAT as Michael J. Leaver described.
You have to set the ExternalIP address property to the Internet Address of
your NAT.

If you are using the SocksInfo object, you might be able to use port
transfers in Indy 10 if your SOCKS proxy supports a "bind" method.

You may also want to check your proxy configuration.

In spite of everything, you might have NO choice but to use PASV transfers.

HTH.
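
Added example, not part of the original post and not Indy or FTP server code: it decodes the PORT arguments from the thread and applies the server-side checks the reply describes (PORT address must match the control connection peer, internal addresses refused when the client arrived from outside). The control-peer addresses, the `min_port` low-port refusal and all function names are assumptions made for the illustration.

```python
import ipaddress

# RFC 1918 private ranges, the kind of address the reply notices in the PORT command.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def parse_port_arg(arg):
    """Decode an RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (IPv4Address, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError("PORT argument must be six decimal fields")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("each PORT field must be in 0..255")
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]  # port = p1*256 + p2

def check_port(arg, control_peer, min_port=1024):
    """Return the reasons a server might refuse this PORT command (empty list = accept).

    The policy is hypothetical: it encodes the checks named in the reply plus a
    low-port refusal (min_port is an assumed setting, not taken from the thread).
    """
    host, port = parse_port_arg(arg)
    peer = ipaddress.IPv4Address(control_peer)
    reasons = []
    if host != peer:
        reasons.append(f"PORT address {host} differs from control connection peer {peer}")
    if is_rfc1918(host) and not is_rfc1918(peer):
        reasons.append(f"{host} is RFC 1918 space but the client arrived from {peer}")
    if port < min_port:
        reasons.append(f"port {port} is below {min_port}")
    return reasons

# Constructed cases: PORT arguments from the thread paired with assumed peer addresses.
SAMPLES = [
    ("10,0,0,10,4,198", "10.0.0.10"),    # same LAN, address matches
    ("10,0,0,18,4,6", "10.0.0.10"),      # PORT names a different host than the peer
    ("10,0,0,10,4,198", "203.0.113.7"),  # client behind NAT, server sees the public address
]

if __name__ == "__main__":
    for arg, peer in SAMPLES:
        print(f"PORT {arg} from {peer}: {check_port(arg, peer) or 'accept'}")
```
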

In response to

Indy 9: 500 Illegal PORT range rejected. posted by Gerbert Koppelman on Wed, 8 Sep 2004