why does FTP server send local network address in passive mode?
Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
why does FTP server send local network address in passive mode?
I set up my FTP server using vsftpd. I opened all of the necessary ports on my router and I am using Fedora Core 3 (not that this should matter). I have a dynamic ip address that is being managed by no-ip.com. Here's the issue: When I try to access my server outside of my LAN, it connects. However, when the client sends PASV, I get the following error:
PASV
227 Entereing Passive Mode (192,168,1,3,221,244)
LIST -aL
425 Security: Bad IP connecting.
Disconnecting from site xxxxxxxxxxx (being the domain name)
Now, I realize that what is happening is that the server is sending the IP address of my internal LAN to the client computer which is no good if the client machine is outside of the LAN. Is there any way to have it send out my public IP address? I would try to edit the pasv ip address in my vsftpd.conf file, except that I'm going to have to edit this file EVERY TIME my public ip address changes. I never had this problem using a windows-based ftp server program and so I know it has to be somehow possible in Linux. I've seen many similar posts but so far none have any viable solutions and I don't want to post this to an abandoned thread.
Also, as a side question, does anybody know of any graphical-based FTP servers for linux? I mean, sure, its fine and all doing everything command-line and such, but I really could care less about proving how geeky I am by running a bunch of commands. I just want something functional and quick. If not, maybe I'll have to try to write one myself. Linux will never beat Windows as long as it is built only with the digital elite in mind.
You probably just need to set the passv_address directive in /etc/vsftpd.conf file to your WAN IP address.
Quote:
Also, as a side question, does anybody know of any graphical-based FTP servers for linux? I mean, sure, its fine and all doing everything command-line and such, but I really could care less about proving how geeky I am by running a bunch of commands. I just want something functional and quick. If not, maybe I'll have to try to write one myself. Linux will never beat Windows as long as it is built only with the digital elite in mind.
Try gftp. As long as you've installed gnome, it should be there. It has been distributed with Linux for ages, so there is no need to criticize the "digital elite", they actually have this particular problem solved. Besides, the point of Linux is not to beat Windows, but rather provide a decent, stable and secure OS.
I do appreciate your reply. However I may not have been very clear:
You probably just need to set the passv_address directive in /etc/vsftpd.conf file to your WAN IP address.
I understand that I can do that. However, since my public IP address is dynamic, I have to change the value of passv_address everytime my IP address changes (which, with my ISP, is quite random). I may not have been clear, but I am wondering if there is a way of automating this update if this is the only solution.
quote:Also, as a side question, does anybody know of any graphical-based FTP servers for linux? I mean, sure, its fine and all doing everything command-line and such, but I really could care less about proving how geeky I am by running a bunch of commands. I just want something functional and quick. If not, maybe I'll have to try to write one myself. Linux will never beat Windows as long as it is built only with the digital elite in mind.
Try gftp. As long as you've installed gnome, it should be there. It has been distributed with Linux for ages, so there is no need to criticize the "digital elite", they actually have this particular problem solved. Besides, the point of Linux is not to beat Windows, but rather provide a decent, stable and secure OS.
I have gftp. However, from here it looks as though gftp is an FTP Client. I'm looking for a graphical FTP Server app.
Also, I did not necessarily mean to criticize the 'digital elite'. I just find it frustrating that it takes me so much longer to do certain things in Linux that I could do in a few simple clicks in Windows. As far as stability and security go, I have to agree that Linux has the edge -- that's why I chose to migrate. However, it seems that the tradeoff is that I have to deal with a whole lot of details that were once trivial in my being productive on the computer. Of course, this may simply be attributed to my not knowing about all of the available applications.
AFAIK, there are no graphical FTP servers. Most heavy duty servers don't use X-windows, so finding a graphical server is not likely. Writing one yourself might be a good way to go. I use vsftp on my box, and even with a dynamic IP I don't have the problem you're having. It might be an issue where data isn't passing through your router well. Port 21 is used for transfer, but you also usually have to open port 20 for control. If you want it, I can post my vsftpd.conf.
However, since my public IP address is dynamic, I have to change the value of passv_address everytime my IP address changes (which, with my ISP, is quite random)
Yeah, dynamic addresses are a pain for a server. I've got a perl script I wrote that pulls the proper page from my router and if the IP address has changed since the last time, it runs a program to update my no-ip domain and then alters my vsftpd.conf file. I'd post it, but unless you are using a Linksys router (BEFW11S4 ver 4)with the same firmware version (1.50.14), it wouldn't work for you. However, it can be done. You might want to do a little google searching and see if someone has written and posted a script that would work with your particular rig.
JimBass is close with his advice, but with FTP in passive mode, you actually need to use a number of other ports besides 20 and 21. Passive FTP really doesn't use 20 at all, but rather some higher number ports. The problem is that is it can use a HUGE range unless you lock it down.
If it helps, here is the relevant portion of my vsftpd.conf
Both my router and my firewall allow the 50000-51000 through as well as 21.
Quote:
However, it seems that the tradeoff is that I have to deal with a whole lot of details that were once trivial in my being productive on the computer. Of course, this may simply be attributed to my not knowing about all of the available applications.
I bet at one point Windows was pretty daunting as well, but over time you learned how it worked and what to do. The trick here is to not get frustrated and instead turn problems into an opportunity to learn something new. If you knock down problems one at a time, is fairly short order you'll find yourself at least as productive on Linux as you were on Windows.
Interestingly enough, we do have the same router. If you don't mind posting that script it would be very helpful. I did lock down the port range and so far I have everything working now.
Also, I have a new issue now that I can login via FTP. Seems like my permissions are a bit wrong. I can access everything, and I mean EVERYTHING. For example:
I login to the FTP server with a username in the ftpusers group. The home directory for this user is /mnt/serverdrive/FTP/All . Therefore, when the user logs in, the 'All' directory is the default directory. However, this user can navigate upward through all of the directories in my computer (parent directories, etc)! Is there any way to prevent this? The user can't see or use the files in these directories, but I would prefer users to not see my directory structure.
Oh, and yes, windows was once daunting. However, I started using it 13 years ago... so I've forgotten about the learning curve there.. I've only been using linux for about a month or so now. I'm getting better though, one step at a time.
You're in more luck, as I have my ftp server "locked" through a chroot function. It locks the directory that you start in as the / - that way you can't go to any higher directories. You also can make the ftp user a 0 user, with no read and write permissions beyond that directory.
Here is my config -
# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
anonymous_enable=NO
#
# Uncomment this to allow local users to log in.
local_enable=YES
#
# Uncomment this to enable any form of FTP write command.
write_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=022
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
#
# Activate logging of uploads/downloads.
xferlog_enable=YES
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
#
# You may override where the log file goes if you like. The default is shown
# below.
#xferlog_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd.chroot_list
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#ls_recurse_enable=YES
pam_service_name=vsftpd
userlist_enable=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES
All that I have in the /etc/vsftpd.chroot_list is the user name of the ftp account, which is safeftp.
This program is not for vsftpd, however, it is a frontend for ProFTPd. I myself have never used it to configure ProFTPd, but i ran over it a while ago while reading about some things. Maybe you will find it useful.
So far you have all been very helpful. I now have users properly jailed in their home directories. I will take a look at the frontend that was suggested as well.
OK, here is the script, but there are a few things you need to check.
-You may have to add the NET::SMTP and LWP::UserAgent perl modules. If these aren't on your system, you can get them from CPAN.
-There are two system calls (one to the no-ip2 program and one that restarts inetd) that may not match your system. You need to edit those so that the path to noip2 is correct and you may need to change the way vsftpd is restarted. This script works for Slackware, but I'm not sure how many other distros use inetd to run the FTP server.
- You need to edit your vsftpd.conf file so that the passv_address line is the very last one in the file (and it needs to stay that way). You also need to check on the path to vsftpd.conf. Again, I wrote this to work on Slackware and other distros may put config files in different places.
-In the getIP subroutine, you will have to change the IP address of the router if yours isn't 192.168.1.1. Also note that if your router doesn't have this exact RouterStatus page, this script just isn't going to work.
Basically the way this thing works is to pull the page from the router that contains the WAN IP address and then splits it several times until the only thing left is the WAN IP address. After that, it compares that WAN IP address to one stored in a file in /root. Note that you may get an error the first time this runs because that file in /root doesn't exist. If the IP addresses match, the script just terminates. However, if they are different, the program updates no-ip with the noip2 program they provide. It then reads in the vsftpd.conf file, chops off the last line, writes out everything remaining and adds a new last line. Finally, it rewrites the record file in /root with the new IP address. I have this running as an hourly cron job and it seems to work, but then again my IP address is pretty stable so this script hasn't gotten a serious workout. It doesn't have any bugs as far as I know, but it hasn't been hammered on either.
Code:
#!/usr/bin/perl -w
use LWP::UserAgent;
use Net::SMTP;
#Add the router username and password below, between the quotes. If you don't use a username, just leave the line as is
$routerUser = "";
$routerPassword="";
$file = "/root/routerip.txt";
$routerIP = "a";
$oldIP = 'b';
#Adding the bit to alter /etc/vsftd.conf in case of IP change
$vsftpd_conf = "/etc/vsftpd.conf";
#First get the IP address from the router
&getIP;
#Now open the storage file and read the old IP
&readIP;
#Compare the new and old IP and do something if it has changed
if($routerIP eq $oldIP){
exit;
}
else{
#First write the new IP to the storage file
&writeIP;
#Now update no-ip.com with the new IP address
system("/usr/local/bin/noip2 -i $routerIP");
#Finally, rewrite and restart vsftpd
&ftp;
system("/etc/rc.d/rc.inetd restart");
}
exit;
sub getIP{
$ua = new LWP::UserAgent;
$req = new HTTP::Request GET=> 'http://192.168.1.1/RouterStatus.htm';
$req -> authorization_basic($routerUser,$routerPassword);
$result = $ua->request($req);
if ( $result->is_success )
{
$temp = $result->as_string;
@data = split /<TR>/, $temp;
}
else
{
exit 1;
}
foreach $line(@data){
if ( $line =~m/Internet IP Address:/ ){
@secondsplit = split/<B>/,$line;
foreach $b(@secondsplit){
if($b =~m/<\/B>/){
@lastsplit = split /<\/B>/,$b;
$routerIP = $lastsplit[0];
}
}
}
}
}
sub readIP{
open(IPLOG, "$file");
@IPList = <IPLOG>;
$oldIP = $IPList[0];
close (IPLOG);
}
sub writeIP{
open(IPLOG, ">$file");
print(IPLOG $routerIP);
close(IPLOG);
}
sub ftp{
open(OLDCONF, "$vsftpd_conf");
@NewConf = <OLDCONF>;
close(OLDCONF);
pop(@NewConf);
push(@NewConf,"pasv_address=$routerIP\n");
open(VSFTPCONF, ">$vsftpd_conf");
foreach $tmp (@NewConf){
print(VSFTPCONF $tmp);
}
close(VSFTPCONF);
}
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
