Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hello all.
I'm having a problem with ftp from a custom system at a client that uses ftp to get some files from suppliers.
The new firewall is obviously stopping it as it wasn't a problem before.
I've tried ftp-connections with Firefox, MSIE, SmartFTP and lftp and they all work; the only place I can replicate the problem is with the ftp-client in DOS (or Windows cmd).
I've also tried purging all rules and setting the policy to ACCEPT on all chains, still the same problem...
Anyone have any good ideas?
If you do: Thanx a lot, I'm stuck...
Sturla
ps. ip_conntrack_ftp is loaded, although I don't think it should matter when defaulting to ACCEPT
Ftp.exe is not a real ftp client, it only does a subset of the ftp protocol: it uses Active mode, while IE uses Passive mode.
It can't switch to passive mode.
If your side is well configured (firewall + NAT + ftp_conntrack) then Passive will work.
If they HAVE to use active ftp then they need a clean configuration like yours. I guess they are using NAT and/or a FW and that they are not Active-FTP-aware.
What is happening could be:
-> They send you their internal IP address (192.168.... for example.. security leak) and obviously you can't connect to it.
-> They send you their real IP (their internal is internet-global or they have a NAT that understands FTP) BUT they don't open the port.
Can they make a dir on ftp.oreilly.com for example, using ftp.exe? I guess not, so it's not your fault, it's theirs.
They have to correct their configuration OR use a command line FTP client that does PASSIVE mode.
So.. if it's working in all other places why do you want to ftp through DOS??
I mean surely if the FTP server's accepting connections through browsers the port is open; so it's not a firewall problem at all, either on the client or the server or the firewall, it's something to do with CMD.
What I fail to understand is: if you can connect through an FTP client which already has a GUI built in, you can get/put files through it.. can't you?... why do you need CMD at all?
Maybe I'm missing something... can you please clarify?
Cheers
Arvind
p.s... I know there's a graphical frontend for ssh which allows you to get and put files.. you might want to try googling on those lines if that's what you mean
Quote:
What is happening could be:
-> They send you their internal IP address (192.168.... for example.. security leak) and obviously you can't connect to it.
-> They send you their real IP (their internal is internet-global or they have a NAT that understands FTP) BUT they don't open the port.
So firstly.. Is there any way to force FTP to happen in Passive mode??...
Secondly, are you saying that if A is sitting on client 192.168.0.1 and wants to FTP to 202.x.x.x he will do something like ftp> open 202.x.x.x, the firewall NAT rules take over and the 202.x.x.x IP will now be translated to a 192.x.x.x... thus allowing the connection to proceed... so since client A and the remote machine are on the same 192.x.x.x network shouldn't it work??
And since the browser is able to connect through ftp doesn't it mean ftp (21) is open on the firewall, or is it that FTP (Active) and FTP (Passive) are assigned 20 and 21.. I remember 2 ports assigned for FTP in that list.
Quote:
So firstly.. Is there any way to force FTP to happen in Passive mode??...
Should be
Code:
quote pasv
to put the server in passive mode (and the client that interprets the "Entering PASV" reply should know that it has to switch to passive).
But it does not work... ftp.exe for me is a toy; it uses active only, while passive is the most common.
Quote:
Secondly, are you saying that if A is sitting on client 192.168.0.1 and wants to FTP to 202.x.x.x he will do something like ftp> open 202.x.x.x, the firewall NAT rules take over and the 202.x.x.x IP will now be translated to a 192.x.x.x... thus allowing the connection to proceed... so since client A and the remote machine are on the same 192.x.x.x network shouldn't it work??
I think here you are mixing things: there are two different things
-> The IP header of a packet: source IP and destination IP.
-> The data part of a packet. In active mode, the client will send PORT 192,168,0,1,4,1. Which means: hey you, connect to me (192.168.0.1) on port 4*256+1=1025.
So the Network packet will be:
Code:
Source IP:192.168.0.1
Destination IP:202.1.1.1
Source port: we don't care say 2000
Destination port:21
Data : Port 192,168,0,1,4,1
When the NAT device on the client side sees an FTP packet (it recognizes it because the destination port is 21), it looks in THE DATA of the packet, sees 192,168,0,1,4,1 and translates it to the REAL (accessible from the Internet) IP address.
It becomes:
Code:
Source IP:IP of the NAT device , ex : 201.1.1.1
Destination IP:202.1.1.1
Source port: 2000
Destination port:21
Data : Port 201,1,1,1,4,1
The server will acknowledge the packet to 201.1.1.1:2000 and then open a connection to 201.1.1.1:1025
I'm very bad at explaining things
Have a look here (this guy should give me some money, I've given his link hundreds of times): http://slacksite.com/other/ftp.html
Now you may wonder why we put in the DATA part the IP of the client.
This is because FTP can be used to do FXP (and nasty stealth scanning or Denial of Service also): client A asks server B to send the data to client C. www.faqs.org/rfcs/rfc959.html
Maybe begin to understand how NAT works, then how FTP works and then how both work together.
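Worked example, added here as an illustration and not code from this thread or from any FTP client, server or NAT implementation: a small Python module that decodes the h1,h2,h3,h4,p1,p2 encoding used by the PORT command and the 227 PASV reply into (ip, port) with port = p1*256 + p2, shows the data-part rewrite an FTP-aware NAT performs on the PORT line, and adds two defensive checks that follow from the post above: the server-side rule that the address in PORT must be the control connection's own peer (the check that denies the "send the data to client C" use of the protocol), and a client-side check that a PASV reply naming a private 192.168.x.x address from a public server is the misconfiguration described. The addresses 201.1.1.1 and 202.1.1.1 and the sample messages are constructed, modelled on the thread's example.

```python
import ipaddress
import re

# Illustrative helper (assumption: not taken from any real FTP implementation).
# Both PORT and the 227 reply carry "h1,h2,h3,h4,p1,p2": four IP octets and a
# 16-bit port split into high and low bytes.
PORT_RE = re.compile(
    r"^\s*PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def decode_hostport(fields):
    """Turn the six fields into (ip, port); port = p1*256 + p2 (4,1 -> 1025)."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def encode_hostport(ip, port):
    """Inverse of decode_hostport: (ip, port) -> 'h1,h2,h3,h4,p1,p2'."""
    if not 0 <= port <= 65535:
        raise ValueError("bad port")
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def parse_port_command(line):
    """Parse a client PORT command; returns (ip, port) or None."""
    m = PORT_RE.match(line)
    return decode_hostport(m.groups()) if m else None


def parse_pasv_reply(line):
    """Parse a server '227 Entering Passive Mode (...)' reply; (ip, port) or None."""
    m = PASV_RE.match(line)
    return decode_hostport(m.groups()) if m else None


def nat_rewrite_port(line, public_ip):
    """What an FTP-aware NAT does to the DATA part of the packet: the private
    client address is swapped for the NAT's public address, the port is kept."""
    parsed = parse_port_command(line)
    if parsed is None:
        return line
    _, port = parsed
    return "PORT " + encode_hostport(public_ip, port)


def port_command_is_safe(line, control_peer_ip):
    """Server-side check: only accept a PORT that points back at the host we are
    already talking to, on an unprivileged port. This is the rule that refuses a
    request to deliver data to a third host."""
    parsed = parse_port_command(line)
    if parsed is None:
        return False
    ip, port = parsed
    return ip == control_peer_ip and port >= 1024


def pasv_reply_is_usable(line, control_peer_ip):
    """Client-side check: a public server whose PASV reply names a private
    address has a NAT that does not understand FTP (the 'security leak' case);
    flag it instead of trying to connect to an unreachable 192.168.x.x."""
    parsed = parse_pasv_reply(line)
    if parsed is None:
        return False
    ip, port = parsed
    data_ip = ipaddress.ip_address(ip)
    ctrl_ip = ipaddress.ip_address(control_peer_ip)
    if data_ip.is_private and not ctrl_ip.is_private:
        return False
    return port >= 1024


if __name__ == "__main__":
    # Constructed sample exchange, following the thread's numbers.
    print(parse_port_command("PORT 192,168,0,1,4,1"))
    print(nat_rewrite_port("PORT 192,168,0,1,4,1", "201.1.1.1"))
    print(pasv_reply_is_usable("227 Entering Passive Mode (192,168,1,5,7,233)", "202.1.1.1"))
```

The two checks are deliberately asymmetric: the server compares the PORT address against the source address of the control connection as it sees it (after NAT, that is 201.1.1.1, which is why an FTP-unaware NAT breaks active mode), while the client only needs the private/public mismatch to recognise a PASV reply it can never reach.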
Hi folks and thanks for all suggestions...
Just to clarify: I don't use ftp.exe, nor would I ever make a system that does, but the client has a server-app that does, closed source... So there's nothing I can do about that....
I'll try to google a little more for active ftp...