LinuxQuestions.org
Linux - Networking
Old 08-05-2003, 01:26 PM   #1
granny
proftpd very slow...plz help!


Hey all, got my proftpd server up and running and it works fine internally, but here is what happens when someone outside connects.

It allows a user to log in, but when they go to do an ls/dir it says "220 port command successful" and then sits there for several minutes. Finally it gives an error message
"can't build data connection, connection timed out"

Anyone have any clues? TIA!!! If you would like the IP/port to see what happens, let me know.

Oh yeah, it's running Mandrake 9
 
Old 08-05-2003, 02:23 PM   #2
bentz
This is probably a firewall problem. Try PASV mode or loosen the firewall rules to allow the necessary traffic.
 
Old 08-05-2003, 04:08 PM   #3
granny
Original Poster
I actually have cleared all of the firewall rules to see if that was the problem, no good.
 
Old 08-05-2003, 04:27 PM   #4
Satriani
If I read correctly, you are behind a firewall?

I have to agree with bentz, that might be the problem...
If you can connect, but when typing ls nothing happens, that usually means that the data channel cannot be opened. That could mean two things:
1: the client is behind a firewall.
2: the server is behind the firewall.

NATing doesn't work with dynamic ports (unless you forward all traffic to your ftp server, but then: what's the use of a firewall...)

I have proftpd running smoothly behind a firewall.
So, what I have done:
In my proftpd.conf I added a few entries:

Right after the Port directive:
PassivePorts 3456 3456
(this is actually the start of a range and the end of the range.)
Since I provided a "range" of only one port (3456), all passive transfers will use that specific port. Now all you have to do is forward your firewall port 3456 to your internal machine.
Next thing that might help is adding an extra entry, after the PassivePorts directive:
MasqueradeAddress your.external.ip.address

Good luck...
 
Old 08-05-2003, 06:34 PM   #5
granny
Original Poster
Thanks Satriani, here is my config


Linksys firewall forwarding port 9000 to my linux box (192.168.1.210)

Proftpd is configured to use port 9000

Yes, it allows a full connection and login, but any command issued eventually times out with the message from above.


Any other ideas??? TIA!
 
Old 08-06-2003, 06:59 AM   #6
Satriani
granny,

The problem looks pretty clear:
You are able to connect to your ftp server and perform a login. Any command after that will time out. Correct so far? If not, let me know....

Now, what happens (or what a stupid protocol FTP is...)
By default FTP runs on port 21. This is the port for communicating with your server. So, you enter your server on port 21, and the server will respond with the request for authentication. So far so good. You authenticate, the server sends you information and that's it.
Now, you want to run commands (such as ls)
You enter the command and the server will then open a data channel. This channel is NOT! on port 21, but on another port.

You can see this happening: check your client. If, for example, your server is IP address 1.2.3.4, you will see something like 1,2,3,4,43,576
Now, the first 4 comma-separated digits represent the IP address. The last 2 comma-separated digits represent the port you are going to open a data channel on. (It's some kind of calculation, dunno how exactly.)
Anyhow: these last two numbers create a port number, and are sent to your ftp client. The server will open the port corresponding to these numbers, and start listening for YOUR! commands. But, since this information is sent to your client in plain text, your firewall will not know that your ftp server wants to use this port. This is that "data-channel" port number.
So FTP uses 2 ports: one port for authenticating and so on, and one port for data.

Now, how to resolve this?
First, set the directive PassivePorts in your conf file, and decide which port(s) you want to use for ftp data channels. (In my previous example it was only 3456, but you can also provide a range of ports.)
Next, open the corresponding ports on your firewall, and allow passthrough to your server.

Now connect to your ftp server with a client in PASV (passive) mode. This means that there is not really a data channel opened, but the server will always use a specific port. (Don't get too technical on this, I'm no guru)

You will see the 1,2,3,4,xx,xx again, where xx,xx provides the port number for your ftp session. But since you set your server to specifically port 3456 (with that PassivePorts directive) these two digits will represent a calculation to that number. Now your client knows to connect on port 3456 and since you set your client to passive, it will try to open this data port.

Hope this clears up the FTP problem a bit for you. I know I was getting a bit technical, but it's good to know why it doesn't work. If you want to know exactly why, just google around for FTP firewall issues or take a look at the FTP RFC.

It could be I am not entirely correct in all technical terms or the way it works, but as mentioned before, I am no guru. This is merely a description of my interpretation of all the info I found about it.

Good luck, and let me (us) know...
And eeehhhmmm affero???

Last edited by Satriani; 02-24-2004 at 07:14 AM.
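The "1,2,3,4,p1,p2" field Satriani describes above is the same encoding FTP uses in both directions: the client's PORT command in active mode and the server's 227 reply to PASV in passive mode. The port is p1*256 + p2, and each of the six fields is one byte, so a value such as 576 can never appear in a real reply. The Python below is an added example for this thread, not code from the posts or from proftpd. It encodes and parses that field for the thread's own values (external address 68.7.214.37, PassivePorts 3456) and adds the server-side check that proftpd's AllowForeignAddress directive is about (the config posted later in this thread turns it on): a PORT command naming an address other than the control connection's peer is exactly what the FTP bounce attack relies on, so a server should refuse it unless it deliberately allows third-party transfers. The client-side accept_pasv_reply helper is an assumption of this example, not a description of any particular client.

```python
# Added example for this LQ thread; not code from the posts or from proftpd.
# FTP carries "h1,h2,h3,h4,p1,p2" in the client's PORT command and in the
# server's "227 Entering Passive Mode (...)" reply. Port = p1*256 + p2.
from __future__ import annotations

import ipaddress
import re

_PASV_RE = re.compile(
    r"\(\s*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*\)"
)


def encode_hostport(ip: str, port: int) -> str:
    """Build the comma-separated host/port field for PORT or a 227 reply."""
    if not 0 < port <= 65535:
        raise ValueError(f"port out of range: {port}")
    octets = str(ipaddress.IPv4Address(ip)).split(".")   # validates the address
    return ",".join(octets + [str(port // 256), str(port % 256)])


def decode_hostport(fields) -> tuple[str, int]:
    """Inverse of encode_hostport. Every field is one byte, so 255 is the maximum;
    a string like 1,2,3,4,43,576 is rejected rather than silently mis-parsed."""
    nums = [int(f) for f in fields]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError(f"malformed host/port field: {','.join(map(str, nums))}")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable for a data connection")
    return ip, port


def parse_pasv_reply(line: str) -> tuple[str, int]:
    """Client side: where to connect, taken from a '227 Entering Passive Mode' reply."""
    if not line.startswith("227"):
        raise ValueError(f"not a PASV reply: {line!r}")
    m = _PASV_RE.search(line)
    if m is None:
        raise ValueError(f"no host/port field in reply: {line!r}")
    return decode_hostport(m.groups())


def parse_port_command(line: str) -> tuple[str, int]:
    """Server side: where the client asks the server to connect, from 'PORT h1,...,p2'."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError(f"not a PORT command: {line!r}")
    return decode_hostport(arg.split(","))


def check_port_command(line: str, control_peer_ip: str,
                       allow_foreign: bool = False) -> tuple[str, int]:
    """Server side: accept a PORT command only if it points back at the client.

    This is the decision proftpd's AllowForeignAddress directive controls. With
    foreign addresses refused, a client cannot make the server open a data
    connection to a third host (the FTP bounce attack). Refusing privileged
    destination ports is the other half of the usual hardening.
    """
    ip, port = parse_port_command(line)
    if ip != control_peer_ip and not allow_foreign:
        raise PermissionError(f"PORT address {ip} does not match control peer {control_peer_ip}")
    if port < 1024:
        raise PermissionError(f"refusing PORT to privileged port {port}")
    return ip, port


def accept_pasv_reply(line: str, control_server_ip: str) -> tuple[str, int]:
    """Client side (hypothetical helper, not from the thread): take the port from
    the 227 reply but connect to the control connection's peer. A NATed server
    without a correct MasqueradeAddress advertises its private address here, and
    a hostile one could advertise somebody else's; the port is all that is needed."""
    _advertised_ip, port = parse_pasv_reply(line)
    return control_server_ip, port


if __name__ == "__main__":
    # Values from the thread: external address 68.7.214.37, PassivePorts 3456.
    print(encode_hostport("68.7.214.37", 3456))            # 68,7,214,37,13,128
    print(parse_pasv_reply("227 Entering Passive Mode (68,7,214,37,13,128)."))
    print(check_port_command("PORT 192,168,1,50,4,1", "192.168.1.50"))
```

With PassivePorts 3456 3456 the 227 reply always ends in 13,128 (13*256 + 128 = 3456), which is what makes a single forwarded port workable; with 9001 it is 35,41. A client that trusts the advertised address blindly will try 192,168,1,210 when MasqueradeAddress is missing, which is another way an outside client ends up with "can't build data connection".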
 
Old 08-06-2003, 08:24 AM   #7
bentz
Satriani's advice is right on the money.

Because FTP uses two ports (a control port [for logins] and a data port [for transfers and 'ls']), forwarding only 9000 through your firewall only works for the control port, not the login port.

The main difference between PASV and PORT FTP modes has to do with where the 'LISTENER' is for the data connection. Because your machine is behind a firewall, no extra 'LISTENER' can be initiated on your server for the data connection (for ls) because you've not forwarded a port through your firewall for this.

Using PASV mode should fix this, because it tells the FTP server that the listener should be initiated on the client, which WILL be reachable. A listener on a client machine sounds ass-backwards, but it's one way to get around this problem.

Beyond this, Satriani sounds like he's gotten this working before and his advice might be more to the point.
 
Old 08-06-2003, 12:30 PM   #8
granny
Original Poster

Damn! Thought it was gonna work. I agree it has to be a firewall issue 'cause I can connect fine internally; the same thing is still happening after adding the PassivePorts directive to my proftpd.conf file. Any other suggestions? I know my firewall is forwarding stuff properly, otherwise it wouldn't allow anyone to connect in the first place.
 
Old 08-06-2003, 02:03 PM   #9
Satriani
Okay granny, can you post 2 things for me?

One is the proftpd.conf and the second is the firewall rules that apply to your FTP server (don't need to know the rest of them, hehehehe)

Also, did you set your (external) ftp client to passive mode???

Sat
 
Old 08-06-2003, 03:24 PM   #10
granny
Original Poster
proftpd.conf file

# This is a basic ProFTPD configuration file (rename it to
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anon.

ServerName "ProFTPD Default Installation"
ServerType standalone
DefaultServer on

# Allow FTP resuming.
# Remember to set to off if you have an incoming ftp for upload.
AllowStoreRestart on

# Port 21 is the standard FTP port.
Port 21
# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask 022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User nobody
Group nogroup

# Normally, we want files to be overwriteable.
<Directory /*>
  AllowOverwrite on
</Directory>

# Needed for NIS.
PersistentPasswd off

# Default root can be used to put users in a chroot environment.
# As an example if you have a user foo and you want to put foo in /home/foo
# chroot environment you would do this:
#
# DefaultRoot /home/foo foo

<Global>
  DefaultChdir /home/ftppub
  AllowForeignAddress on
  AllowRetrieveRestart on
  AllowStoreRestart on
  DeleteAbortedStores on
  AuthAliasOnly off
</Global>

<VirtualHost 192.168.1.210>
  Port 9000
  PassivePorts 9000 9000
  MasqueradeAddress 68.7.214.37
  <Anonymous /home/ftppub>
    DefaultChdir /home/ftppub
    RootLogin off
    AnonRequirePassword on
  </Anonymous>
  AllowForeignAddress on
  AllowRetrieveRestart on
  AllowStoreRestart on
  DeleteAbortedStores on
  AuthAliasOnly off
</VirtualHost>



Firewall rules that apply to proftp

service port range 9000 - 9000
IP to forward to 192.168.1.210 (this is the internal IP of the ftp machine)

If you want you can try to hit it, the IP is in the masquerade directive above.

user: tommy
password: linux

Last edited by granny; 08-06-2003 at 03:43 PM.
 
Old 08-06-2003, 04:15 PM   #11
granny
Original Poster
OK, it was the fact that my firewall was blocking stuff, because I told it to forward a range of ports that it seems my ftp client is trying to use, and now it works (kind of).

It seems for some reason proftpd is not using passive mode; it's using a random port for the data connection. Can I force it to use passive?
 
Old 08-06-2003, 05:28 PM   #12
bentz
Passive mode is set by the FTP client, not by the server. It can either be supported or not supported by an FTP server's config, but whether or not it's turned on during a given test is determined by the client. For a CLI FTP client, try PASV or QUOTE PASV. For a GUI FTP client look for a 'firewall' tab or checkbox indicating that the session is going to use passive mode.

You've noticed that the port changes all the time. This is why it is impractical to forward these ports through your firewall. Passive mode makes these 'random' ports open up on the client end, where (hopefully) there isn't a firewall restriction, and it will allow your data connections to succeed.
 
Old 08-06-2003, 06:58 PM   #13
granny
Original Poster
SOB! I guess that would probably explain it. Maybe I just wasn't getting it before, now I do. SERVER CAN'T USE PASSIVE, duh. Yeah, I noticed on the client side the ports were changing, but this was happening even if the CLIENT was set to passive.

Anyhow, I just configured my firewall to forward a bunch of dynamic ports to my ftp; no biggie, there isn't anything on there that I am worried about being destroyed anyway, just using it as a test setup box.

In summary, from what I can gather, I can set my server to use a specific port for only ftp control, not data, correct??? Because these are always dynamically allocated. But by using passive on the client, it is SUPPOSED to use the same port (I say supposed to 'cause it doesn't on mine)? Anyway, thanks for the help fellas. If you can think of anything else that I can try so that client and server ALWAYS use the same ports for all communication, please let me know!
 
Old 08-08-2003, 10:16 AM   #14
Satriani
Granny: first of all, separate the passive port from your default listening port. My guess is that that won't work.

For example, set this:

Port 9000
PassivePorts 9001 9001

And open the appropriate ports on your firewall...
Now, the client will connect on port 9000, and sets up the connection on port 9001. (As said before: FTP needs two! ports to function properly.) When the client orders the server to go into passive mode, the server will send the port specified in PassivePorts to the client (in this case: 9001).
So port 9000 is the "command" port and port 9001 is the (passive) data port.

For the rest of it, I can just agree with bentz; he explains in a few words what I need an entire page for..

I have run proftpd for quite some time now, and I'm still pretty happy with it. However, I do not use the virtual-host option, so I am not too familiar with it. Is it as easy as in your conf file?

Last edited by Satriani; 08-08-2003 at 10:19 AM.
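Satriani's two-directive fix above can be checked without proftpd at all. The script below is an added example, not code from the thread or from proftpd: in one process it binds a control listener (the Port directive), then tries to bind a passive data listener from the PassivePorts range and run one PASV round trip on the loopback interface, first with the data port equal to the control port, as in the posted config (Port 9000 / PassivePorts 9000 9000), and then with a separate port as suggested (9001). The control port already owns its socket, so the second bind fails with EADDRINUSE; with a distinct port the 227 reply, the client's connect and the listing all go through. Port numbers are chosen by the kernel so the script runs anywhere, the directory listing it returns is constructed, and what proftpd itself does when no port in PassivePorts can be bound is not something this script shows.

```python
# Added example for this LQ thread; not proftpd's code and not from the posts.
# Plays both ends of a passive-mode data connection on 127.0.0.1 in a single
# process, to show why Port and PassivePorts must not overlap.
from __future__ import annotations

import socket
from contextlib import closing

HOST = "127.0.0.1"
# Constructed LIST output the "server" returns; not taken from the thread.
SAMPLE_LISTING = b"drwxr-xr-x   2 ftp  ftp  4096 Aug 06  2003 pub\r\n"


def pick_free_port(host: str = HOST) -> int:
    """Ask the kernel for an unused port (stand-in for the thread's 9000/9001)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def open_passive_listener(host: str, passive_ports) -> socket.socket:
    """Server side of PASV: bind the data listener on the first free port of the
    configured range (the constraint proftpd's PassivePorts directive imposes)."""
    last_err = None
    for port in passive_ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind((host, port))
            s.listen(1)
            return s
        except OSError as e:          # EADDRINUSE when the control socket owns it
            last_err = e
            s.close()
    raise OSError(f"no usable port in PassivePorts {list(passive_ports)}: {last_err}")


def pasv_reply(masquerade_ip: str, port: int) -> str:
    """The 227 reply; MasqueradeAddress is what the server advertises as IP."""
    return "227 Entering Passive Mode (%s,%d,%d)." % (
        masquerade_ip.replace(".", ","), port // 256, port % 256)


def parse_pasv_reply(line: str) -> tuple[str, int]:
    inner = line[line.index("(") + 1:line.index(")")]
    f = [int(x) for x in inner.split(",")]
    return ".".join(map(str, f[:4])), f[4] * 256 + f[5]


def pasv_exchange(control_port: int, passive_ports, masquerade_ip: str = HOST):
    """One LIST over a passive data channel. Returns None when the server cannot
    open a data listener, otherwise the 227 reply, the port and what the client read."""
    ctrl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ctrl.bind((HOST, control_port))          # the Port directive
    ctrl.listen(1)
    try:
        try:
            data = open_passive_listener(HOST, passive_ports)
        except OSError:
            return None                      # Port and PassivePorts collide
        with closing(data):
            port = data.getsockname()[1]
            reply = pasv_reply(masquerade_ip, port)
            # Client: parse the 227 reply and connect to the advertised address.
            # The connect completes in the listen backlog before accept() runs,
            # so a single thread is enough for this demonstration.
            ip, dport = parse_pasv_reply(reply)
            client = socket.create_connection((ip, dport), timeout=5)
            with closing(client):
                conn, _ = data.accept()
                with closing(conn):
                    conn.sendall(SAMPLE_LISTING)   # server pushes the listing
                chunks = []
                while True:
                    buf = client.recv(4096)
                    if not buf:
                        break
                    chunks.append(buf)
            return {"reply": reply, "data_port": dport,
                    "listing": b"".join(chunks).decode()}
    finally:
        ctrl.close()


def demo() -> dict:
    """Run the overlapping and the separated configuration back to back."""
    control_port = pick_free_port()
    data_port = pick_free_port()
    while data_port == control_port:
        data_port = pick_free_port()
    collision = pasv_exchange(control_port, [control_port])  # Port 9000 / PassivePorts 9000 9000
    separate = pasv_exchange(control_port, [data_port])      # Port 9000 / PassivePorts 9001 9001
    return {"control_port": control_port, "collision": collision, "separate": separate}


if __name__ == "__main__":
    r = demo()
    print("same port for control and data:", "failed" if r["collision"] is None else "worked")
    print("separate data port:", r["separate"]["reply"], r["separate"]["listing"].strip())
```

Whatever a real daemon does when its passive range cannot be bound, the data connection will not land on the one port the Linksys forwards, which matches the "random port for the data connection" granny saw in post #11. Keep the PassivePorts range clear of the control port, forward exactly that range, and set MasqueradeAddress to the external address so the 227 reply is usable from outside; with AllowForeignAddress off the server also refuses to be used as a bounce host for active-mode transfers.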
 
Old 08-08-2003, 12:24 PM   #15
granny
Original Poster
Yup, that's it in the conf file; of course there are many more options you can set.

OK, I will try using different port numbers and see if that works! Thanks Sat!
 
  


All times are GMT -5. The time now is 08:08 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration