Re: filezilla and firewalls

On Thu, Oct 10, 2024 at 8:43 AM Tim via users
<users@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> On Wed, 2024-10-09 at 15:03 +0100, Will McDonald wrote:
> > If it's definitely FTPS (as opposed to SSH-based SFTP) it looks like
> > that needs ports 990 and 989.
> >
> > https://en.wikipedia.org/wiki/FTPS
>
> The Filezilla configuration is FTP protocol, explicit FTP over TLS.
>
> > You've already mostly discounted tethering as a cause. So it's
> > probably either firewall or potential certificate-related. Does the
> > working system have anything additional configured in terms of
> > Certificate Authority? Compare / contrast /etc/pki/ca-trust/ between
> > the systems.
>
> I'm still highly suspicious of the tethering (perhaps there's some
> peculiar NAT in the phone), even if it does work on another PC.
>
> At the moment I'm playing with just one PC.  Either plugging its
> ethernet into a router (which does work), or disconnecting and using
> USB tethering (which only partially works).
>
> I'll have a look at the other PC on another email.
>
> > Compare the output of `firewall-cmd --list-all` between the hosts.
> >
> > You haven't said what error Filezilla gives when it fails to work.
>
> Ooops, forgot that...  Bowdlerised connection addresses used below:
>
> Firstly, a working example of normal ethernet connection on the same PC
> to the remote FTP server:
>
> Upon starting a connection, I'm immediately shown a pop-up window about
> the SSL certificate, about it being unknown, to authorise it now (and
> optionally forever).  Since I haven't clicked the remember for the
> future option, I always get prompted.
>
> Status: Resolving address of example.com
> Status: Connecting to 93.184.215.14:21...
> Status: Connection established, waiting for welcome message...
> Response:       220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
> Response:       220-You are user number 2 of 100 allowed.
> Response:       220-Local time is now 22:08. Server port: 21.
> Response:       220-This is a private system - No anonymous login
> Response:       220-IPv6 connections are also welcome on this server.
> Response:       220 You will be disconnected after 15 minutes of inactivity.
> Command:        AUTH TLS
> Response:       234 AUTH TLS OK.
> Status: Initializing TLS...
> Status: Verifying certificate...
> Command:        USER example
> Status: TLS/SSL connection established.
> Response:       331 User example OK. Password required
> Command:        PASS **************************************
> Response:       230 OK. Current restricted directory is /
> Command:        SYST
> Response:       215 UNIX Type: L8
> Command:        FEAT
> Response:       211-Extensions supported:
> Response:        UTF8
> Response:        EPRT
> Response:        IDLE
> Response:        MDTM
> Response:        SIZE
> Response:        MFMT
> Response:        REST STREAM
> Response:        MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
> Response:        MLSD
> Response:        PRET
> Response:        AUTH TLS
> Response:        PBSZ
> Response:        PROT
> Response:        TVFS
> Response:        ESTA
> Response:        PASV
> Response:        EPSV
> Response:        ESTP
> Response:       211 End.
> Command:        OPTS UTF8 ON
> Response:       504 Unknown command
> Command:        PBSZ 0
> Response:       200 PBSZ=0
> Command:        PROT P
> Response:       200 Data protection level set to "private"
> Status: Connected
> Status: Retrieving directory listing...
> Command:        CWD /www
> Response:       250 OK. Current directory is /public_html
> Command:        PWD
> Response:       257 "/public_html" is your current location
> Command:        TYPE I
> Response:       200 TYPE is now 8-bit binary
> Command:        PASV
> Response:       227 Entering Passive Mode (93,184,215,14,246,146)
> Command:        MLSD
> Response:       150 Accepted data connection
> Response:       226 86 matches total
> Status: Directory listing successful
>
>
> ===================================================================
>
>
> Failed example of USB tethered connection.  And I get the same if I
> allow ports 990 and 980 through the PC's firewall (which I suspect are
> really ports that the server, the far end, needs to use).  Heck knows
> anything about the network configuration (beyond basic IP addresses) of
> the Android phone being used for the tethering.  Though I have to say
> that I can't think of anything else that's failed going through it.
>
> No window pops up asking me to check the certificate when I try to
> connect, and this is all that Filezilla logs about it.
>
>
> Status: Resolving address of example.com
> Status: Connecting to 93.184.215.14:21...
> Status: Connection established, waiting for welcome message...
> Response:       220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
> Response:       220-You are user number 2 of 100 allowed.
> Response:       220-Local time is now 22:06. Server port: 21.
> Response:       220-This is a private system - No anonymous login
> Response:       220-IPv6 connections are also welcome on this server.
> Response:       220 You will be disconnected after 15 minutes of inactivity.
> Command:        AUTH TLS
> Response:       504 Command not implemented for that parameter
> Command:        AUTH SSL
> Response:       504 Command not implemented for that parameter
> Error:  Critical error
> Error:  Could not connect to server
>
>
> That's the end of it, it's most odd that the AUTH TLS command is
> rejected.
>
> The server only allows secure connections, so I can't avoid it.

I did not comment earlier, but I suspect there's a proxy in play for
your mobile connection. That's why things work as expected using your
PC, but fail over mobile.

I suspect you are being intercepted somewhere along the mobile path.
It may be on the device using some sort of antivirus package, or by an
application server or caching proxy server.

If possible, you should try on a mobile device using an OS like
LineageOS. LineageOS does not include all the extra crap bundled by
carriers. The first thing I do with my Pixel devices is get rid of
Android (and the carrier mods) and load LineageOS. See
<https://lineageos.org/>.

Jeff
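
One way to compare the two network paths directly, as an added example that is not part of the original thread: the script records the greeting, the reply to AUTH TLS and, when TLS starts, the SHA-256 of the certificate the path presents, so a run over ethernet can be set against a run over tethering. The function names and the sample byte strings are constructed here, modelled on the two sessions quoted above.

```python
import hashlib
import io
import socket
import ssl

def read_reply(stream):
    """Read one FTP reply, honouring multi-line form ("220-..." up to "220 ...")."""
    lines = []
    while True:
        raw = stream.readline()
        if not raw:
            raise ConnectionError("control connection closed mid-reply")
        lines.append(raw.decode("latin-1").rstrip("\r\n"))
        # A reply ends on a line with the first line's code followed by a space.
        if lines[-1][:3] == lines[0][:3] and lines[-1][3:4] == " ":
            return int(lines[0][:3]), lines

def check_auth(stream, send=lambda data: None):
    """Read the greeting, issue AUTH TLS, and classify the answer."""
    _, greeting = read_reply(stream)
    send(b"AUTH TLS\r\n")
    code, _ = read_reply(stream)
    refused = code in (500, 502, 504, 534)  # 504 is what the tethered log shows
    verdict = "tls-accepted" if code == 234 else "tls-refused" if refused else "unexpected"
    return {"greeting": greeting[0], "auth_code": code, "verdict": verdict, "cert_sha256": None}

def probe(host, port=21, timeout=10):
    """Live check over whichever network path is currently active."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        result = check_auth(sock.makefile("rb"), sock.sendall)
        if result["auth_code"] == 234:
            # Verification is off on purpose: the aim is to fingerprint whatever
            # certificate this path presents and compare it with the other path.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
            result["cert_sha256"] = hashlib.sha256(der).hexdigest()
        return result

def differences(a, b):
    """Fields on which results from two network paths disagree."""
    return sorted(key for key in a if a[key] != b.get(key))

# Constructed control-channel bytes, modelled on the two sessions in the thread.
BANNER = b"220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------\r\n220 Ready.\r\n"
WIRED = check_auth(io.BytesIO(BANNER + b"234 AUTH TLS OK.\r\n"))
TETHERED = check_auth(io.BytesIO(BANNER + b"504 Command not implemented for that parameter\r\n"))
```

Calling `probe()` with the server's hostname once per path and passing both results to `differences()` shows whether the paths diverge at the greeting, at AUTH TLS, or at the certificate.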