Linux - Software (LinuxQuestions.org forum)
We've got some kind of rare problem I haven't seen on any other forums or mailing lists.
We've set up vsftpd on our new Debian server, which resides behind a PIX firewall (we may not access the PIX itself, only the server), so for internal and external transfers to go perfectly we requested forwarding of some 50 data ports and port 21, and configured those ports as the passive range:
# Passive + Port cmd's (allow FXP)
connect_from_port_20=NO
pasv_enable=YES
pasv_promiscuous=YES
pasv_min_port=2101
pasv_max_port=2149
This config works perfectly for everybody (anonymous & users) with listing, sending and receiving using our passive ports. Next we tried to enable SSL on vsftpd (we've got the latest SSL-enabled build). We created a vsftpd.pem file and started it up with the following settings:
# SSL settings
# SSL cert /usr/share/ssl/cert/vsftpd.pem
# Create: openssl req -x509 -nodes -newkey rsa:1024 -keyout /etc/ssl/private/vsftpd.pem -out /etc/ssl/private/vsftpd.pem
ssl_enable=YES
allow_anon_ssl=YES
force_local_data_ssl=NO
force_local_logins_ssl=NO
OK... so we want users to be able to use SSL, but we don't oblige them to yet. When we try to connect using SSL (tested with several FTP clients such as FlashFXP, SmartFTP, ...) we always get the following:
Quote:
Resolving host name domain.be...
Connecting to (domain.be) -> IP: 193.190.x.x PORT: 21
Connected to (domain.be) -> Time = 20ms
Socket connected waiting for login sequence.
220 Welcome to our ftp server.
AUTH TLS
234 Proceed with negotiation.
Connected. Exchanging encryption keys...
Session Cipher: 168 bit 3DES
SSL encrypted session established.
PBSZ 0
200 PBSZ set to 0.
USER xxxxxxx
331 Please specify the password.
PASS (hidden)
230 Login successful.
SYST
215 UNIX Type: L8
FEAT
211-Features:
AUTH SSL
AUTH TLS
EPRT
EPSV
MDTM
PASV
PBSZ
PROT
REST STREAM
SIZE
TVFS
211 End
PWD
257 "/"
TYPE A
200 Switching to ASCII mode.
PROT P
200 PROT now Private.
PASV
227 Entering Passive Mode (193,190,x,x,8,69)
LIST -aL
Opening data connection IP: 193,190,x,x,8,69 PORT: 2117.
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Connection closed. Server timeout.
425 Failed to establish connection.
NOOP
200 NOOP ok.
As passive mode works perfectly without SSL, this could be an SSL-related bug, or does anyone have another solution?
FTP uses a control connection for the login process. The file listing or up-/download request is also sent on the control connection. However, for the actual data (listing or file) a new connection is opened (the result of PASV in your log).
The PIX firewall does stateful inspection of FTP traffic, which means it understands the protocol on the control connection. When it sees the PORT directive (result of PASV) it knows that the client will try to open a new connection to the IP address and port specified and opens the "hole".
When you start using SSL, the control connection is encrypted and the PIX (or any other firewall for that matter) cannot interpret the protocol, and therefore will not let the data connection through.
This problem may exist either on your firewall or on the remote firewall if there's one in front of the FTP server as well.
I see you have
> pasv_min_port=2101
> pasv_max_port=2149
in your config file.
You could allow connections to these ports for your FTP server in your PIX to make it work. But this means that you open a permanent "hole". This may or may not be a serious issue.
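The check the PIX performs on a clear-text control channel, and can no longer perform once AUTH TLS is in place, is simply reading the six numbers in the 227 reply and opening the advertised endpoint. The script below is an added example (not from the thread) that does the same decoding by hand: it turns a 227 line into an address and port, tests whether that port falls inside the pasv_min_port..pasv_max_port window you forwarded, and whether the advertised address is the public one clients must reach (a NATed server that advertises its private address produces the same timeout). The reply is constructed from the log above with the masked octets filled in as 1 and 2; port 2117 is the value the client printed.

```shell
#!/bin/sh
# Added example, not code from the thread: decode a 227 "Entering Passive
# Mode" reply the way a stateful FTP inspector does, then check the advertised
# endpoint against the forwarded passive range and the expected public IP.
# Function names and the sample reply are this example's own.

# pasv_endpoint "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# prints "h1.h2.h3.h4 PORT" with PORT = p1*256 + p2; prints nothing if the
# line does not carry a well-formed address tuple
pasv_endpoint() {
    printf '%s\n' "$1" | sed -n \
        's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\1.\2.\3.\4 \5 \6/p' |
        awk '{ printf "%s %d\n", $1, $2 * 256 + $3 }'
}

# pasv_in_range REPLY MIN MAX -> exit 0 when the advertised port lies in the
# forwarded pasv_min_port..pasv_max_port window, 1 otherwise (or if unparsable)
pasv_in_range() {
    port=$(pasv_endpoint "$1" | awk '{ print $2 }')
    [ -n "$port" ] && [ "$port" -ge "$2" ] && [ "$port" -le "$3" ]
}

# pasv_addr_matches REPLY EXPECTED_IP -> exit 0 when the server advertised the
# public address clients must connect to, 1 otherwise
pasv_addr_matches() {
    addr=$(pasv_endpoint "$1" | awk '{ print $1 }')
    [ -n "$addr" ] && [ "$addr" = "$2" ]
}

# Constructed reply modelled on the thread's log, masked octets replaced by 1,2
REPLY='227 Entering Passive Mode (193,190,1,2,8,69)'
pasv_endpoint "$REPLY"
pasv_in_range "$REPLY" 2101 2149 && echo "data port lies in the forwarded range"
pasv_addr_matches "$REPLY" 193.190.1.2 && echo "advertised address is the public one"
```

If the port check fails, the server's pasv_min_port/pasv_max_port do not match what was forwarded; if the address check fails, the server is advertising an address the client cannot reach, which is what pasv_address is for. With TLS on the control channel neither check can be done by the firewall, so the permanent forward of the whole range, as described above, is what makes the transfer work.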
I've found a solution for this problem but, since I'm not very familiar with Linux, I need some help.
Here's how you get vsftpd + ssl + passive to work:
add the following line to your vsftpd.conf:
Code:
pasv_address=writedownyourstaticiphere
The main problem is that most of you don't have a static IP, but use a dyndns service such as dyndns.org.
The problem is, that you can't do this:
Code:
pasv_address=mike123.dyndns.org
because vsftpd cannot resolve the DNS name to a real IP.
There are two solutions:
1. Somebody makes vsftpd work with DNS names, so that vsftpd can resolve the address. I have no clue how to do this, but maybe there are some Linux gurus or programmers out there who could change the vsftpd sources. I hope so, because most Windows FTP servers can resolve DNS names.
2. That's the solution I'm working on:
Automatically resolve the dyndns name, let's say every 15 minutes, and write it to vsftpd.conf.
Here's how it works:
- type nslookup mike123.dyndns.org
- filter out the IP address and write the command-line output to vsftpd.conf
But I'm not very familiar with Linux yet, so I need someone to write a script that does this.
Damn. It's not as easy as I thought. It seems that after a reconnect of the router (which gives me a new IP address), vsftpd doesn't resolve the hostname anew.
Quote:
Originally Posted by Kobi007
If you use:
Code:
pasv_addr_resolve=YES
you can also use
Code:
pasv_address=mike123.dyndns.org
With this, I have my vsftpd server running with SSL behind a firewall with NAT and I can connect to it in passive mode.
I can get in behind the firewall fine. Once I hit the firewall it logs me in and connects but does not return the file listing. It times out. I have forwarded ports 20+21 and the min-max range all to the FTP server. Why the heck is this not working?
It seems to me that vsftpd is not using the min-max ports at all. Does anyone have any ideas?
Same problem! It's like vsftpd resolves the hostname on start only. Should I restart the daemon every hour? I'm lucky I often use clients which can resolve this problem by themselves, but the problem's still there.. >_<
PS: I hope my English is understandable.
PPS: is there another quickly and easily configurable FTP daemon? I hope I'm not going to leave vsftpd after getting so confident with its configuration.
Edit: I think I'll try to make a script which restarts the daemon ONLY if the IP address has changed. It might be the easiest way. What do you think about it?
<--->
Giacomo
Last edited by sbrot; 07-08-2010 at 08:19 PM.
Reason: idea!
Hi Giacomo,
I also thought of such a script. I think it would be a good idea. It could run as a cron job every minute and check the IP address. If it has changed, it could restart the daemon. Obviously it has to store the current IP address in a file so that it can compare it.
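The cron job sketched in the last few posts, written out as an added example (it is not code from the thread or from the vsftpd project): it resolves the DynDNS name used in pasv_address, compares the answer with the address recorded on the previous run, and restarts vsftpd only when the two differ. The name, the state file path, the restart command and the installed script name are placeholders; on a Debian box of the thread's era the restart command is the init script, on a systemd host it would be systemctl.

```shell
#!/bin/sh
# Added example, not code from the thread: restart vsftpd only when the
# DynDNS name given in pasv_address resolves to a new address. vsftpd reads
# pasv_address (with pasv_addr_resolve=YES) once at startup, so a restart is
# what makes it advertise the new public IP in its 227 replies.
# DYNDNS_NAME, STATE_FILE, RESTART_CMD and the script name in the case guard
# are assumed placeholders; replace them with your own values.

DYNDNS_NAME="${DYNDNS_NAME:-mike123.dyndns.org}"
STATE_FILE="${STATE_FILE:-/var/lib/vsftpd/pasv_address.last}"
RESTART_CMD="${RESTART_CMD:-/etc/init.d/vsftpd restart}"

# resolve_ipv4 NAME -> prints the first IPv4 address the resolver returns,
# nothing if the name does not resolve
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# ip_changed IP FILE -> exit 0 and record IP in FILE when it differs from the
# stored value (or FILE is missing); exit 1 when unchanged or IP is empty, so
# a transient resolver failure never triggers a restart or clobbers the state
ip_changed() {
    new="$1" state="$2" old=""
    [ -r "$state" ] && old=$(cat "$state")
    if [ -n "$new" ] && [ "$new" != "$old" ]; then
        printf '%s\n' "$new" > "$state"
        return 0
    fi
    return 1
}

main() {
    ip=$(resolve_ipv4 "$DYNDNS_NAME")
    if [ -z "$ip" ]; then
        echo "cannot resolve $DYNDNS_NAME; leaving vsftpd alone" >&2
        exit 1
    fi
    if ip_changed "$ip" "$STATE_FILE"; then
        echo "pasv_address now resolves to $ip, restarting vsftpd" >&2
        $RESTART_CMD
    fi
}

# Run only when invoked under the installed name, e.g. from /etc/cron.d:
#   * * * * * root /usr/local/sbin/vsftpd-pasv-check
case "${0##*/}" in
    vsftpd-pasv-check) main ;;
esac
```

Two things to keep in mind: the restart drops any transfer in progress, so a once-a-minute cron tick is the trade-off between that and the window during which the server advertises a stale address; and the resolver may hand back a cached answer for the DynDNS record's TTL after the router reconnects, so the script cannot react faster than that TTL whatever the cron interval.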