Old 07-02-2004, 09:43 AM   #1
Voyager_MP
LQ Newbie
 
Registered: Jun 2004
Location: Aachen, Germany
Distribution: Debian sarge
Posts: 23

Rep: Reputation: 15
FTP-Server


I run an FTP server (vsftp) with a local firewall (iptables) on it.
Now every client who wants to connect has to enable passive before being able to get files.
The Internet connection is an E1 line (static IPs).

Is there a way to change this?

Last edited by Voyager_MP; 07-02-2004 at 09:44 AM.
 
Old 07-02-2004, 10:11 AM   #2
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2371
Handshaking and data ports for ftp:

Active ftp:

FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1024 (Server responds to client's control port)
FTP server's port 20 to ports > 1024 (Server initiates data connection to client's data port)
FTP server's port 20 from ports > 1024 (Client sends ACKs to server's data port)

Passive ftp:

FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1024 (Server responds to client's control port)
FTP server's ports > 1024 from anywhere (Client initiates data connection to random port specified by server)
FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)

Don't know what your firewall blocks, but could it be that not all ports needed for active ftp are 'open' (port 20)?

This might also help:
http://www.chinalinuxpub.com/doc/www...ftp-server.htm
 
Old 07-05-2004, 02:39 AM   #3
Voyager_MP
LQ Newbie
 
Registered: Jun 2004
Location: Aachen, Germany
Distribution: Debian sarge
Posts: 23

Original Poster
Rep: Reputation: 15
OK, I tried to open port 20, but still no luck. Can it be that vsftp does not support active FTP?
 
Old 07-05-2004, 05:50 AM   #4
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2371
vsftp does support active ftp. Take a look at the manpage and options, especially the connect_from_port_20 option.

You do not tell if the clients are behind a firewall of their own. Could be that that firewall is blocking the connection.
 
Old 07-05-2004, 06:09 AM   #5
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
If your question is about disabling PASV mode, you can edit vsftpd.conf and set

PASV_enable=no.
 
Old 07-05-2004, 06:15 AM   #6
Voyager_MP
LQ Newbie
 
Registered: Jun 2004
Location: Aachen, Germany
Distribution: Debian sarge
Posts: 23

Original Poster
Rep: Reputation: 15
For better understanding:

A stand-alone server (static IP) with a firewall of its own (iptables), OS: Debian, FTP server: VSFTP

Now the problem: all the clients have to type passive before being able to run commands like ls on the server from a shell FTP client.

I do not like this, because some stupid customers of ours don't get it.

[mp 1] >ftp atecom.org
Connected to atecom.org.
220 Welcome to ATECOM FTP service.
Name (atecom.org:xxxxxx): xxxxxx
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 Illegal PORT command.
ftp: bind: Address already in use
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (212,117,69,18,63,101)
150 Here comes the directory listing.
-rw------- 1 1004 8 0 May 19 08:58 Trash
drwx------ 3 1004 8 4096 Jun 04 10:55 mail
drwxr-xr-x 2 1004 100 4096 May 19 08:58 public_html
-rwxr-xr-x 1 0 0 33296 Jun 04 09:47 test
226 Directory send OK.


[mp 2] >nmap atecom.org -p 20

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-07-05 13:22 CEST
Interesting ports on postman.atecom.com (212.117.69.18):
PORT STATE SERVICE
20/tcp closed ftp-data



I would like to have a solution that would do this automatically.



Last edited by Voyager_MP; 07-05-2004 at 06:23 AM.
 
Old 07-05-2004, 06:40 AM   #7
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2371
You might want to try to set the following option:

port_promiscuous to yes (default is NO).

This will disable the port security check.
 
Old 07-05-2004, 06:55 AM   #8
Voyager_MP
LQ Newbie
 
Registered: Jun 2004
Location: Aachen, Germany
Distribution: Debian sarge
Posts: 23

Original Poster
Rep: Reputation: 15
At least something has changed:

331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
425 Failed to establish connection.

 
Old 07-05-2004, 07:20 AM   #9
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
You can switch off PASV mode by setting the parameter below in your vsftpd.conf:

PASV_enable=no
 
Old 07-05-2004, 07:30 AM   #10
Voyager_MP
LQ Newbie
 
Registered: Jun 2004
Location: Aachen, Germany
Distribution: Debian sarge
Posts: 23

Original Poster
Rep: Reputation: 15
Yes, I tried that too, but the point is that active is not working at all.

So turning passive off leaves me with the same problem.
 
Old 07-05-2004, 10:30 AM   #11
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2371
This turns out to be a nice problem......

Took another look at the output you posted (#6) and the following cannot be correct:

ftp: bind: Address already in use

Setting the port_promiscuous option to yes seems to get rid of this, to be replaced by:

425 Failed to establish connection

I wonder if vsftpd is the cause of this.

- Do you have the same problem when you set up a ftp session from the same box (client=server)?
- Can you test from a local network (no internet in between)? You mentioned the box being stand-alone, so this might not be possible to test.
- What happens if you shut down the firewall, problem still there?

If you have the time and space, you might want to use ethereal (or alike [tcpdump]) to check what's happening.

Hope this gets you going again.
 
Old 07-06-2004, 02:39 AM   #12
Voyager_MP
LQ Newbie
 
Registered: Jun 2004
Location: Aachen, Germany
Distribution: Debian sarge
Posts: 23

Original Poster
Rep: Reputation: 15
Thanks for helping me.

This is my config:
# vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
idle_session_timeout=600
nopriv_user=ftp
ftpd_banner=Welcome to ATECOM FTP service.
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
port_promiscuous=yes


Trying with port_promiscuous=yes and firewall up or down results in the same:
[mp 2] >ftp atecom.org
Connected to atecom.org.
220 Welcome to ATECOM FTP service.
Name (atecom.org:XXXXX): XXXXX
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
425 Failed to establish connection.


From localhost it works:
root@postman:~# ftp localhost
Connected to postman.
220 Welcome to ATECOM FTP service.
Name (localhost:root): XXXXXX
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw------- 1 1004 8 0 May 19 08:58 Trash
drwx------ 3 1004 8 4096 Jun 04 10:55 mail
drwxr-xr-x 2 1004 100 4096 May 19 08:58 public_html
-rwxr-xr-x 1 0 0 33296 Jun 04 09:47 test
226 Directory send OK.
 
Old 07-06-2004, 03:52 AM   #13
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2371
I thought it would be firewall related, guess I'm wrong.

Only 2 more things I can come up with (1 being 'old'):
- Anything weird in the logfiles? Especially /var/log/vsftpd.log or related, but take a look at the general logs as well.
- Use ethereal to check connections (this one I already mentioned).

One of the things that keeps coming to my mind is the IP address that vsftpd returns during data connects. Could be that vsftpd is giving your local machine's IP (192.168.x.y or 10.0.x.y). The only way to find this out (which IP is being sent) is to look at the logfiles or use ethereal.

One more firewall related option: Is portforwarding activated?

Last edited by druuna; 07-06-2004 at 03:53 AM.
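As an added illustration (not code from this thread or from vsftpd), the following script decodes the h1,h2,h3,h4,p1,p2 tuple that both the client's PORT command and the server's 227 reply carry, works out who opens the data connection and which side's firewall therefore has to permit it (the two cases druuna lists in #2), and flags the situation raised in #13 where the advertised address is not the one the other end is actually talking to. The sample 227 line is modelled on the one quoted in #6; the PORT line and the client address 203.0.113.7 are constructed.

```python
import ipaddress
import re

# Both "PORT h1,h2,h3,h4,p1,p2" and "227 ... (h1,h2,h3,h4,p1,p2)" carry the same tuple.
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """Decode the six-number tuple into (dotted host, port); port = p1*256 + p2."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no host/port tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % text)
    return "%d.%d.%d.%d" % tuple(nums[:4]), nums[4] * 256 + nums[5]

def encode_hostport(host, port):
    """Inverse of decode_hostport: the tuple a client puts in PORT (or a server in 227)."""
    if not 1 <= port <= 65535:
        raise ValueError("bad port %r" % port)
    ipaddress.IPv4Address(host)  # raises on a malformed address
    return "%s,%d,%d" % (host.replace(".", ","), port // 256, port % 256)

def data_channel(server_ip, client_ip, line):
    """Given the two ends of the control connection and either the client's PORT
    command or the server's 227 reply, report who initiates the data connection,
    where it goes, and which firewall must allow it. 'mismatch' is True when the
    advertised address differs from the real peer (e.g. a LAN address behind NAT)."""
    host, port = decode_hostport(line)
    if line.upper().startswith("PORT"):
        # Active mode: the server connects from its port 20 to the client's port.
        return {"mode": "active", "initiator": "server", "src_port": 20,
                "dst": host, "dst_port": port,
                "allow_on": "client firewall: inbound tcp from %s:20 to %s:%d"
                            % (server_ip, host, port),
                "mismatch": host != client_ip}
    if line.startswith("227"):
        # Passive mode: the client connects to the (> 1024) port the server chose.
        return {"mode": "passive", "initiator": "client", "src_port": None,
                "dst": host, "dst_port": port,
                "allow_on": "server firewall: inbound tcp to %s:%d" % (host, port),
                "mismatch": host != server_ip}
    raise ValueError("expected a PORT command or a 227 reply, got %r" % line)

# Constructed sample input (the 227 line follows the one quoted in post #6).
SAMPLE_PASV = "227 Entering Passive Mode (212,117,69,18,63,101)"
SAMPLE_PORT = "PORT 192,168,1,5,4,1"  # constructed: a NATed client advertising its LAN address

if __name__ == "__main__":
    for sample in (SAMPLE_PASV, SAMPLE_PORT):
        print(data_channel("212.117.69.18", "203.0.113.7", sample))
```

Run against a packet capture of the control channel (tcpdump/ethereal as suggested above), the "mismatch" flag is what to look for when a client behind NAT sends its private address in PORT, which is exactly the active-mode failure this thread ends on.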
 
Old 07-06-2004, 04:09 AM   #14
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
Can you try connecting from a remote host after turning iptables off?

Perhaps iptables is configured not to accept non-passive FTP. You can check this using tcpdump.

e.g.

on the ftp server

tcpdump host <remotehost>

Last edited by ppuru; 07-06-2004 at 04:11 AM.
 
Old 07-06-2004, 04:10 AM   #15
Voyager_MP
LQ Newbie
 
Registered: Jun 2004
Location: Aachen, Germany
Distribution: Debian sarge
Posts: 23

Original Poster
Rep: Reputation: 15
Guess what, it just came to my mind that I'm behind my own firewall.


Trying it from a host with a static IP, and it worked.

I would have to forward port 20 through my own firewall. Sorry for me being so stupid.
 