Question: Requirements for FTP upload
2
12 months ago by
ja.garcia20
ja.garcia20 wrote:

Hi, I have been trying to configure different FTP clients to upload files to Galaxy. I work in an institution with a firewall for outgoing and ingoing traffic, where most ports are closed. The purpose of this thread is to explain the problems I found while configuring it and to ask whether I am missing something or making any wrong guess. It would be great if other users or administrators could provide a cleaner explanation.

I tried different configurations:

  • Passive mode with explicit FTP with TLS using port 21
  • Active mode with implicit FTP with TLS using port 990 (after opening the outgoing port 990)

In both cases I was able to log in. However, I was unable to list the directory contents. Theoretically our firewall can handle a passive connection in order to allow the required data ports established during the negotiation; however, the usage of TLS seems to interfere with this configuration. The end of the log in FileZilla in passive mode is something like:

10:40:42    Command:    PBSZ 0
10:40:43    Response:   200 PBSZ 0 successful
10:40:43    Command:    PROT P
10:40:43    Response:   200 Protection set to Private
10:40:43    Status: Logged in
10:40:43    Status: Retrieving directory listing...
10:40:43    Command:    PWD
10:40:43    Response:   257 "/" is the current directory
10:40:43    Command:    TYPE I
10:40:43    Response:   200 Type set to I
10:40:43    Command:    PASV
10:40:43    Response:   227 Entering Passive Mode (129,114,60,60,118,192).
10:40:43    Command:    MLSD
10:41:03    Error:  Connection timed out after 20 seconds of inactivity
10:41:03    Error:  Failed to retrieve directory listing

The only solution I found is to open additional ports. This post (https://biostar.usegalaxy.org/p/24512/#245209) indicates that the PASV port range is from 30,000 to 30,100; however, in the last example the server asks for the port 30400 (118*256+192). Other threads suggest that the port range is from 30,000 to 40,000. These ports must be open for outgoing connections in passive mode, and for ingoing in active mode (although the port range for active mode should be configured in the client).

It is understandable that our TIC department is reluctant to allow traffic over such a large port range. So here are my questions:

  • What is exactly the port range for connecting to usegalaxy.org FTP server in passive mode?
  • Is there any other way to connect without opening such a large port range?

Thanks for your help.

firewall upload ftp • 491 views
ADD COMMENTlink modified 12 months ago • written 12 months ago by ja.garcia20
3
12 months ago by
Nate Coraor3.2k
United States
Nate Coraor3.2k wrote:

Good catch, that port range was indeed a mistake on my part. The actual range is 30000-31000. I've corrected my post. Is that a small enough range to appease your security people? If not, one alternative would be to configure FileZilla to use a fixed port range for active FTP connections, allow that range through the firewall from our FTP servers, and use active mode.

ADD COMMENTlink written 12 months ago by Nate Coraor3.2k
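
Added example, not part of the original thread or of Galaxy's own code: a Python check that reads a FileZilla-style log, decodes the data port in each `227` reply as p1*256+p2 (the calculation used in the question), and compares it with the 30000-31000 range given in the answer above. The function names, the report fields and the handling of `229` (EPSV) replies are assumptions that go beyond what the thread shows.

```python
import re

PASV_RANGE = range(30000, 31001)  # range stated in the answer above: 30000-31000
PASV_RE = re.compile(r"\b227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"\b229 .*?\(\|\|\|(\d+)\|\)")  # RFC 2428 extended passive reply


def passive_endpoint(line):
    """Return (host, port) announced by a 227/229 reply, or None."""
    m = PASV_RE.search(line)
    if m:
        octets = [int(g) for g in m.groups()]
        if max(octets) > 255:
            raise ValueError(f"octet out of range in: {line!r}")
        return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]
    m = EPSV_RE.search(line)
    if m:
        return None, int(m.group(1))  # EPSV reuses the control-connection host
    return None


def audit_log(lines, allowed=PASV_RANGE):
    """Summarise what an egress firewall must permit for this session."""
    report = {"encrypted": False, "endpoints": [], "outside_range": [], "data_timeout": False}
    pending = False  # a passive endpoint was announced but no transfer has started
    for line in lines:
        if "PROT P" in line or "AUTH TLS" in line:
            report["encrypted"] = True  # a firewall FTP helper cannot read the 227 reply
        ep = passive_endpoint(line)
        if ep:
            report["endpoints"].append(ep)
            if ep[1] not in allowed:
                report["outside_range"].append(ep)
            pending = True
        elif re.search(r"Response:\s+(150|226)\b", line):
            pending = False  # data connection opened, so the port was reachable
        elif pending and "timed out" in line:
            report["data_timeout"] = True
    return report


# Constructed sample: lines taken from the tail of the log quoted in the question.
SAMPLE = """\
10:40:43    Command:    PROT P
10:40:43    Command:    PASV
10:40:43    Response:   227 Entering Passive Mode (129,114,60,60,118,192).
10:40:43    Command:    MLSD
10:41:03    Error:  Connection timed out after 20 seconds of inactivity
"""
```

When `encrypted` and `data_timeout` are both true and `outside_range` is empty, the announced port is inside the documented range, so the static outgoing rule for that range is what is missing on the firewall.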
0
12 months ago by
ja.garcia20
ja.garcia20 wrote:

Thanks for the correction Nate, I realized that later by reading some other posts.

Configuring FileZilla to allow specific ports in active mode seems a good idea, thank you. However, I am still not sure about it. That will solve my problem, but doing the same will be a pain for other users in our institution with less computational background.

At least now I have all the information I need, I will talk with the IT department to decide what to do. Thanks a lot for your help.

ADD COMMENTlink written 12 months ago by ja.garcia20

Ok, let us know if you encounter additional issues. Unfortunately, the only workaround that I'm aware of is for us to disable encryption either fully or partially (which is not well supported) or provide an alternate FTP server that allows such.

That said, I'll look into whether we can set up an SFTP server as an alternative, which should alleviate most of these problems.

ADD REPLYlink written 12 months ago by Nate Coraor3.2k
0
12 months ago by
ja.garcia20
ja.garcia20 wrote:

Setting up an SFTP server would be great. In any case the IT department found it reasonable to open the outgoing port range to your servers, so my problem is solved. Thanks again!

ADD COMMENTlink written 12 months ago by ja.garcia20