LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
Old 03-14-2005, 06:15 PM   #1
edesmarais
why does FTP server send local network address in passive mode?


I set up my FTP server using vsftpd. I opened all of the necessary ports on my router and I am using Fedora Core 3 (not that this should matter). I have a dynamic ip address that is being managed by no-ip.com. Here's the issue: When I try to access my server outside of my LAN, it connects. However, when the client sends PASV, I get the following error:

PASV
227 Entering Passive Mode (192,168,1,3,221,244)
LIST -aL
425 Security: Bad IP connecting.
Disconnecting from site xxxxxxxxxxx (being the domain name)

Now, I realize that what is happening is that the server is sending the IP address of my internal LAN to the client computer which is no good if the client machine is outside of the LAN. Is there any way to have it send out my public IP address? I would try to edit the pasv ip address in my vsftpd.conf file, except that I'm going to have to edit this file EVERY TIME my public ip address changes. I never had this problem using a windows-based ftp server program and so I know it has to be somehow possible in Linux. I've seen many similar posts but so far none have any viable solutions and I don't want to post this to an abandoned thread.

Also, as a side question, does anybody know of any graphical-based FTP servers for Linux? I mean, sure, it's fine and all doing everything command-line and such, but I really could care less about proving how geeky I am by running a bunch of commands. I just want something functional and quick. If not, maybe I'll have to try to write one myself. Linux will never beat Windows as long as it is built only with the digital elite in mind.

Thanks!
Evan
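As an added example (not code from the thread), here is a small Python check that parses a 227 reply like the one quoted above and reproduces the client-side sanity check behind "Security: Bad IP": the advertised data address must match the address the control connection went to and must be routable from outside the LAN. The pasv_range default and the 203.0.113.10 peer address are assumptions used for illustration.

```python
import ipaddress
import re

# Constructed sample, the same reply the post above quotes.
SAMPLE_227 = "227 Entering Passive Mode (192,168,1,3,221,244)"

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2); the data port is p1*256 + p2.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Address ranges that are never reachable from the far side of a NAT router.
LAN_ONLY = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; raise ValueError on anything malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a well-formed 227 reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % reply)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return host, port


def is_lan_only(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in LAN_ONLY)


def check_pasv(reply, control_peer, pasv_range=(50000, 51000)):
    """The checks a careful client makes before opening the data connection
    (this is what the 'Security: Bad IP' message is about), plus an operator
    check that the port falls inside the configured pasv_min_port..pasv_max_port
    window.  control_peer is the address the control connection was made to."""
    host, port = parse_pasv(reply)
    if host != control_peer:
        return False, "data address %s differs from control peer %s" % (host, control_peer)
    if is_lan_only(host):
        return False, "data address %s is not routable from outside the LAN" % host
    lo, hi = pasv_range
    if not lo <= port <= hi:
        return False, "data port %d outside expected range %d-%d" % (port, lo, hi)
    return True, "ok"


if __name__ == "__main__":
    print(parse_pasv(SAMPLE_227))                  # ('192.168.1.3', 56820)
    print(check_pasv(SAMPLE_227, "203.0.113.10"))  # rejected: LAN address advertised to an outside client
```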
 
Old 03-14-2005, 06:22 PM   #2
Hangdog42
You probably just need to set the pasv_address directive in /etc/vsftpd.conf file to your WAN IP address.

Quote:
Also, as a side question, does anybody know of any graphical-based FTP servers for linux? I mean, sure, its fine and all doing everything command-line and such, but I really could care less about proving how geeky I am by running a bunch of commands. I just want something functional and quick. If not, maybe I'll have to try to write one myself. Linux will never beat Windows as long as it is built only with the digital elite in mind.
Try gftp. As long as you've installed gnome, it should be there. It has been distributed with Linux for ages, so there is no need to criticize the "digital elite", they actually have this particular problem solved. Besides, the point of Linux is not to beat Windows, but rather provide a decent, stable and secure OS.
 
Old 03-14-2005, 07:13 PM   #3
edesmarais
I do appreciate your reply. However I may not have been very clear:

You probably just need to set the pasv_address directive in /etc/vsftpd.conf file to your WAN IP address.

I understand that I can do that. However, since my public IP address is dynamic, I have to change the value of pasv_address every time my IP address changes (which, with my ISP, is quite random). I may not have been clear, but I am wondering if there is a way of automating this update if this is the only solution.

Quote:
Also, as a side question, does anybody know of any graphical-based FTP servers for linux? I mean, sure, its fine and all doing everything command-line and such, but I really could care less about proving how geeky I am by running a bunch of commands. I just want something functional and quick. If not, maybe I'll have to try to write one myself. Linux will never beat Windows as long as it is built only with the digital elite in mind.
Try gftp. As long as you've installed gnome, it should be there. It has been distributed with Linux for ages, so there is no need to criticize the "digital elite", they actually have this particular problem solved. Besides, the point of Linux is not to beat Windows, but rather provide a decent, stable and secure OS.


I have gftp. However, from here it looks as though gftp is an FTP Client. I'm looking for a graphical FTP Server app.

Also, I did not necessarily mean to criticize the 'digital elite'. I just find it frustrating that it takes me so much longer to do certain things in Linux that I could do in a few simple clicks in Windows. As far as stability and security go, I have to agree that Linux has the edge -- that's why I chose to migrate. However, it seems that the tradeoff is that I have to deal with a whole lot of details that were once trivial in my being productive on the computer. Of course, this may simply be attributed to my not knowing about all of the available applications.
 
Old 03-14-2005, 07:39 PM   #4
JimBass
AFAIK, there are no graphical FTP servers. Most heavy duty servers don't use X-windows, so finding a graphical server is not likely. Writing one yourself might be a good way to go. I use vsftp on my box, and even with a dynamic IP I don't have the problem you're having. It might be an issue where data isn't passing through your router well. Port 21 is used for transfer, but you also usually have to open port 20 for control. If you want it, I can post my vsftpd.conf.

Peace,
JimBass
 
Old 03-14-2005, 08:35 PM   #5
edesmarais
Please do. I do have port 20 open, so I don't know what's going on.

Thanks!
Evan
 
Old 03-14-2005, 09:47 PM   #6
Hangdog42
Quote:
However, since my public IP address is dynamic, I have to change the value of pasv_address every time my IP address changes (which, with my ISP, is quite random)
Yeah, dynamic addresses are a pain for a server. I've got a perl script I wrote that pulls the proper page from my router and if the IP address has changed since the last time, it runs a program to update my no-ip domain and then alters my vsftpd.conf file. I'd post it, but unless you are using a Linksys router (BEFW11S4 ver 4) with the same firmware version (1.50.14), it wouldn't work for you. However, it can be done. You might want to do a little google searching and see if someone has written and posted a script that would work with your particular rig.

JimBass is close with his advice, but with FTP in passive mode, you actually need to use a number of other ports besides 20 and 21. Passive FTP really doesn't use 20 at all, but rather some higher number ports. The problem is that it can use a HUGE range unless you lock it down.

If it helps, here is the relevant portion of my vsftpd.conf
Code:
#constrain passv ports
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=51000
pasv_address=xxx.xxx.xxx.xxx
Both my router and my firewall allow the 50000-51000 through as well as 21.

Quote:
However, it seems that the tradeoff is that I have to deal with a whole lot of details that were once trivial in my being productive on the computer. Of course, this may simply be attributed to my not knowing about all of the available applications.
I bet at one point Windows was pretty daunting as well, but over time you learned how it worked and what to do. The trick here is to not get frustrated and instead turn problems into an opportunity to learn something new. If you knock down problems one at a time, in fairly short order you'll find yourself at least as productive on Linux as you were on Windows.
 
Old 03-14-2005, 10:24 PM   #7
edesmarais
Interestingly enough, we do have the same router. If you don't mind posting that script it would be very helpful. I did lock down the port range and so far I have everything working now.

Also, I have a new issue now that I can login via FTP. Seems like my permissions are a bit wrong. I can access everything, and I mean EVERYTHING. For example:

I login to the FTP server with a username in the ftpusers group. The home directory for this user is /mnt/serverdrive/FTP/All . Therefore, when the user logs in, the 'All' directory is the default directory. However, this user can navigate upward through all of the directories in my computer (parent directories, etc)! Is there any way to prevent this? The user can't see or use the files in these directories, but I would prefer users to not see my directory structure.


Oh, and yes, Windows was once daunting. However, I started using it 13 years ago... so I've forgotten about the learning curve there. I've only been using Linux for about a month or so now. I'm getting better though, one step at a time.


Thanks so much for your help,
Evan
 
Old 03-14-2005, 10:38 PM   #8
JimBass
You're in more luck, as I have my ftp server "locked" through a chroot function. It locks the directory that you start in as the / - that way you can't go to any higher directories. You also can make the ftp user a 0 user, with no read and write permissions beyond that directory.

Here is my config -

# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES

pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES



All that I have in the /etc/vsftpd.chroot_list is the user name of the ftp account, which is safeftp.

Peace,
JimBass
 
Old 03-14-2005, 10:54 PM   #9
0.o

This program is not for vsftpd, however, it is a frontend for ProFTPd. I myself have never used it to configure ProFTPd, but I ran across it a while ago while reading about some things. Maybe you will find it useful.

http://mange.dynup.net/linux.html
 
Old 03-14-2005, 11:14 PM   #10
edesmarais
So far you have all been very helpful. I now have users properly jailed in their home directories. I will take a look at the frontend that was suggested as well.

Thanks,
Evan
 
Old 03-15-2005, 08:24 AM   #11
Hangdog42
Quote:
Interestingly enough, we do have the same router. If you don't mind posting that script it would be very helpful.
I don't have access to my linux box until tonight, so I'll post it then.
 
Old 03-16-2005, 01:33 AM   #12
Hangdog42
OK, here is the script, but there are a few things you need to check.

-You may have to add the Net::SMTP and LWP::UserAgent perl modules. If these aren't on your system, you can get them from CPAN.
-There are two system calls (one to the no-ip2 program and one that restarts inetd) that may not match your system. You need to edit those so that the path to noip2 is correct and you may need to change the way vsftpd is restarted. This script works for Slackware, but I'm not sure how many other distros use inetd to run the FTP server.
- You need to edit your vsftpd.conf file so that the pasv_address line is the very last one in the file (and it needs to stay that way). You also need to check on the path to vsftpd.conf. Again, I wrote this to work on Slackware and other distros may put config files in different places.
-In the getIP subroutine, you will have to change the IP address of the router if yours isn't 192.168.1.1. Also note that if your router doesn't have this exact RouterStatus page, this script just isn't going to work.

Basically the way this thing works is to pull the page from the router that contains the WAN IP address and then splits it several times until the only thing left is the WAN IP address. After that, it compares that WAN IP address to one stored in a file in /root. Note that you may get an error the first time this runs because that file in /root doesn't exist. If the IP addresses match, the script just terminates. However, if they are different, the program updates no-ip with the noip2 program they provide. It then reads in the vsftpd.conf file, chops off the last line, writes out everything remaining and adds a new last line. Finally, it rewrites the record file in /root with the new IP address. I have this running as an hourly cron job and it seems to work, but then again my IP address is pretty stable so this script hasn't gotten a serious workout. It doesn't have any bugs as far as I know, but it hasn't been hammered on either.

Code:
#!/usr/bin/perl -w
use LWP::UserAgent;
use HTTP::Request;
use Net::SMTP;    # loaded by the original script but nothing below uses it; safe to drop
#Add the router username and password below, between the quotes.  If you don't use a username, just leave the line as is
$routerUser = "";
$routerPassword="";
$file = "/root/routerip.txt";
$routerIP = "a";
$oldIP = 'b';
#Adding the bit to alter /etc/vsftpd.conf in case of IP change
$vsftpd_conf = "/etc/vsftpd.conf";

#First get the IP address from the router
&getIP;
#Stop here rather than write "a" (or a chunk of HTML) into vsftpd.conf if the page had no address in it
if($routerIP !~ m/^\d{1,3}(\.\d{1,3}){3}$/){
	die "Could not find the WAN IP address in the router status page\n";
}
#Now open the storage file and read the old IP
&readIP;
#Compare the new and old IP and do something if it has changed
if($routerIP eq $oldIP){
	exit;
}
else{
	#First write the new IP to the storage file
	&writeIP;
	#Now update no-ip.com with the new IP address
	system("/usr/local/bin/noip2 -i $routerIP");
	#Finally, rewrite and restart vsftpd
	&ftp;
	system("/etc/rc.d/rc.inetd restart");
}
exit;


sub getIP{
	$ua = new LWP::UserAgent;
	$req = new HTTP::Request GET=> 'http://192.168.1.1/RouterStatus.htm';
	$req -> authorization_basic($routerUser,$routerPassword);
	$result = $ua->request($req);
	if ( $result->is_success ) 
	{
		$temp = $result->as_string;
		#The status page is one big table: split it into rows
		@data = split /<TR>/, $temp;
	}
	else 
	{ 
		exit 1;
	}

	#Find the row labelled "Internet IP Address:" and take the bold value inside it
	foreach $line(@data){
		if ( $line =~m/Internet IP Address:/ ){
			@secondsplit = split/<B>/,$line;
			#($b is Perl's sort() variable, so use a plain name for the loop variable)
			foreach $chunk(@secondsplit){
				if($chunk =~m/<\/B>/){
					@lastsplit = split /<\/B>/,$chunk;
					$routerIP = $lastsplit[0];
				}
			}
		}
	}

}

sub readIP{
	#The storage file won't exist the first time this runs; treat that as "no old IP" instead of warning
	if(open(IPLOG, "$file")){
		@IPList = <IPLOG>;
		close (IPLOG);
		$oldIP = defined $IPList[0] ? $IPList[0] : '';
		chomp($oldIP);
	}
	else{
		$oldIP = '';
	}
}

sub writeIP{
	open(IPLOG, ">$file") or die "Cannot write $file: $!\n";
	print(IPLOG $routerIP);
	close(IPLOG);
}

sub ftp{
	#pasv_address= must be the LAST line of vsftpd.conf: it is popped off and replaced
	open(OLDCONF, "$vsftpd_conf") or die "Cannot read $vsftpd_conf: $!\n";
	@NewConf = <OLDCONF>;
	close(OLDCONF);
	pop(@NewConf);
	push(@NewConf,"pasv_address=$routerIP\n");
	open(VSFTPCONF, ">$vsftpd_conf") or die "Cannot write $vsftpd_conf: $!\n";
	foreach $tmp (@NewConf){
		print(VSFTPCONF $tmp);
	}
	close(VSFTPCONF);
}
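As an added Python example (not Hangdog42's script), this does the vsftpd.conf half of the same job without requiring pasv_address to be the last line: it replaces the directive wherever it sits, writes the file atomically so vsftpd never reads a half-written config, and refuses to write anything that is not a public IPv4 address, which matters because a scraped router page can return junk. The router scrape, the noip2 call and the restart are left to the caller; the temp-dir demo uses a constructed config and 203.0.113.10 as a stand-in WAN address.

```python
import ipaddress
import os
import re
import tempfile

PASV_LINE = re.compile(r"^\s*pasv_address\s*=")
LAN_ONLY = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def validate_wan_ip(text):
    """A scraped router page can yield junk; never write junk or a LAN address into vsftpd.conf."""
    addr = ipaddress.ip_address(text.strip())  # raises ValueError on anything that is not an IP
    if addr.version != 4 or any(addr in n for n in LAN_ONLY):
        raise ValueError("%s is not a public IPv4 address" % addr)
    return str(addr)

def read_recorded_ip(state_file):
    try:
        with open(state_file) as fh:
            return fh.read().strip() or None
    except FileNotFoundError:  # first run: nothing recorded yet, and that is not an error
        return None

def set_pasv_address(conf_path, ip):
    """Put pasv_address=<ip> where the old line was (or at the end); returns True if the file changed."""
    with open(conf_path) as fh:
        old = fh.readlines()
    keep = [l for l in old if not PASV_LINE.match(l)]
    pos = next((i for i, l in enumerate(old) if PASV_LINE.match(l)), len(keep))
    new = keep[:pos] + ["pasv_address=%s\n" % ip] + keep[pos:]
    if new == old:
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(conf_path) or ".")  # mode 0600; root-run vsftpd reads it fine
    with os.fdopen(fd, "w") as fh:
        fh.writelines(new)
    os.replace(tmp, conf_path)  # atomic rename: vsftpd never sees a half-written config
    return True

def update_if_changed(state_file, conf_path, wan_ip):
    """True when vsftpd.conf was rewritten; the caller then updates no-ip and restarts vsftpd."""
    ip = validate_wan_ip(wan_ip)
    if read_recorded_ip(state_file) == ip:
        return False
    changed = set_pasv_address(conf_path, ip)
    with open(state_file, "w") as fh:
        fh.write(ip + "\n")
    return changed

def run_demo():
    # Constructed vsftpd.conf in a temp dir: the first run rewrites it, the second run is a no-op.
    d = tempfile.mkdtemp()
    conf, state = os.path.join(d, "vsftpd.conf"), os.path.join(d, "routerip.txt")
    with open(conf, "w") as fh:
        fh.write("pasv_enable=YES\npasv_address=192.168.1.3\npasv_min_port=50000\n")
    first = update_if_changed(state, conf, "203.0.113.10")
    second = update_if_changed(state, conf, "203.0.113.10")
    return first, second, open(conf).read()
```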
 
  

