2011/07/25

FTP Error "500 - Illegal port command"

After changing my Wifi home router to a TP-Link model, I can successfully log in to an FTP server but cannot do "ls" or transfer files; the error code returned is 500 – illegal port command.

On carefully reading the TP-Link manual, I found a security feature called FTP ALG (Application Layer Gateway) which allows FTP to traverse NAT. Without FTP ALG enabled, active-mode FTP is destined to fail: the client's PORT command carries its private IP address and a port number inside the payload of the control connection, and the NAT device translates the addresses and ports in the packet headers but not these embedded values, so the server sees a private, unroutable address and a port number that no longer matches the translated connection, and rejects the command with 500. FTP ALG rewrites the PORT command in flight and keeps the NATed port number and the data port the client actually opened in a one-to-one mapping in its state table, so the server's data connection is forwarded back to the right client socket.

This is another example of NAT breaking end-to-end connectivity. Similar ALGs are also needed for SIP and H.323. NAT only brings troubles to the networked Internet world and it should be dropped as soon as practicable.

3 comments:

Anonymous said...

ALG (maybe for specific devices) has its downside too.
http://speedtest3.ofta.gov.hk fails to complete if ALG is enabled for SIP.

warrenkwok said...
This comment has been removed by the author.
warrenkwok said...

True. The latency and jitter tests of OFTA's speedtest engine are running on 5060, the famous SIP port. SIP ALG will definitely screw up the test. However, users can choose an alternate port, which is port 8080.

I still think that the latency and jitter tests should run on a port below 1024 (preferably 80) in order to avoid being blocked by stateful firewalls.