pure-ftp - ftpes connection problem


eko_taas
10th April 2011, 12:52
My H/W firewall (ADSL modem) has all ports open for outgoing, limited for incoming (as specified somewhere in the ISPConfig3 documents)....

When using FileZilla/FTP, everything looks / works OK.
....
Command: PASV
Response: 227 Entering Passive Mode (114,xxx,yyy,zzz,107,125)
Command: STOR 5.jpg
Response: 150 Accepted data connection
....

When connecting from the internet (FileZilla, using FTPES) I get an error just when the file tree should be built:
....
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (192,168,0,xxx,231,106)
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: MLSD
Error: GnuTLS error -53: Error in the push function.
Error: Connection timed out
Error: Failed to retrieve directory listing

Looking from Webmin, Linux Firewall / Rules file /etc/iptables.up.rules
# Generated by iptables-save v1.4.8 on Sun Apr 10 08:28:17 2011
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Sun Apr 10 08:28:17 2011
# Generated by iptables-save v1.4.8 on Sun Apr 10 08:28:17 2011
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Sun Apr 10 08:28:17 2011
# Generated by iptables-save v1.4.8 on Sun Apr 10 08:28:17 2011
*filter
:INPUT ACCEPT [5769:714402]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [5599:1120142]
:fail2ban-courierimap - [0:0]
:fail2ban-courierpop3 - [0:0]
:fail2ban-courierpop3s - [0:0]
:fail2ban-pureftpd - [0:0]
:fail2ban-roundcube - [0:0]
:fail2ban-sasl - [0:0]
:fail2ban-ssh - [0:0]
:fail2ban-webmin-auth - [0:0]
-A INPUT -p tcp -m multiport --dports 25 -j fail2ban-sasl
-A INPUT -p tcp -m multiport --dports 80,8080 -j fail2ban-roundcube
-A INPUT -p tcp -m multiport --dports 143 -j fail2ban-courierimap
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -p tcp -m multiport --dports 21 -j fail2ban-pureftpd
-A INPUT -p tcp -m multiport --dports 995 -j fail2ban-courierpop3s
-A INPUT -p tcp -m multiport --dports 10000 -j fail2ban-webmin-auth
-A INPUT -p tcp -m multiport ! --dports 110:0 -j fail2ban-courierpop3
-A fail2ban-courierimap -j RETURN
-A fail2ban-courierpop3 -j RETURN
-A fail2ban-courierpop3s -j RETURN
-A fail2ban-pureftpd -j RETURN
-A fail2ban-roundcube -j RETURN
-A fail2ban-sasl -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-webmin-auth -j RETURN
COMMIT
# Completed on Sun Apr 10 08:28:17 2011


What could be wrong? Both seem to be passive / 2nd irregular port ....

I don't want to use FTP (only) when connecting over the internet (both connections work on the intranet).

falko
11th April 2011, 10:13
Did you try both active and passive transfers in your FTP client?

eko_taas
15th April 2011, 17:30
Now back to Intranet (behind 2nd router inside 1st HW-router).

filezilla/ftpes (passive) (intra)
....
200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (192,xxx,xxx,xxx,110,49)
Command: MLSD
Response: 150 Accepted data connection
Response: 226-Options: -a -l
Response: 226 9 matches total
Status: Directory listing successful

filezilla/ftpes (active) (intra) (ends up in passive mode as well)
....
Response: 200 TYPE is now 8-bit binary
Command: PORT 192,xxx,yy,yy,131,214
Response: 500 I won't open a connection to 192.xxx.yy.yy (only to 192.xxx.xxx.zzz)
Command: PASV
Response: 227 Entering Passive Mode (192,xxx,xxx,xxx,194,102)
Command: MLSD
Response: 150 Accepted data connection
Response: 226-Options: -a -l
Response: 226 9 matches total
Status: Directory listing successful

Now when trying with laptop/active/www (www via N900/JoikuSpot WLAN) a similar 500 error occurs. Must be that JoikuSpot (with NAT) stops the incoming connection.

Passive mode is not working as the incoming ports are closed (from www).

Thanks for leading me to the RC; I will try to limit the ports for passive mode and open the same ports on the HW router.

eko_taas
16th April 2011, 08:32
Tried to google how to change/fix the pure-ftpd passive ports (to open the same in the HW router).

Found a hit which looked good:
http://download.pureftpd.org/pub/pure-ftpd/doc/FAQ
* Firewalling
-> My FTP server is behind a firewall. What ports should I open?
...
Then, run pure-ftpd with the '-p' switch followed by the range configured in
your firewall. Example: /usr/local/sbin/pure-ftpd -p 50000:50400 &
...

This file does not exist:
# /usr/local/sbin/pure-ftpd -p 50000:50400 &
[1] 22653
xxxx# bash:# bash: /usr/local/sbin/pure-ftpd: No such file or directory


The only place I find a file with the same name is /etc/pam.d/pure-ftpd (a text file!). Gives an error as expected...
/etc/pam.d# ./pure-ftpd -p 50000:50400 &
[1] 22380
xxxxx:/etc/pam.d# bash: ./pure-ftpd: Permission denied


Anyone with good/better ideas? The other Google links also left me blind :confused:

falko
16th April 2011, 12:13
Which distribution do you use?

eko_taas
16th April 2011, 12:33
Which distribution do you use?

Debian 6 Squeeze

ISPConfig3 Installation as per http://www.howtoforge.com/perfect-server-debian-squeeze-with-bind-and-courier-ispconfig-3 (except mail-server)

and http://www.howtoforge.com/easy-roundcube-over-ssl-and-webmin-with-fail2ban-for-ispconfig-3-on-debian-squeeze
(Note! Webmin used only for observation, reboot, auto-alarms)

falko
17th April 2011, 23:51
Try this:
echo "50000:50400" > /etc/pure-ftpd/conf/PassivePortRange
/etc/init.d/pure-ftpd-mysql restart

eko_taas
18th April 2011, 18:29
# echo "50000:50400" > /etc/pure-ftpd/conf/PassivePortRange
# /etc/init.d/pure-ftpd-mysql restart
Restarting ftp server: /usr/sbin/pure-ftpd-wrapper: Invalid configuration file /etc/pure-ftpd/conf/PassivePortRange: "50000:50400" not two numbers
#

:eek:

till
18th April 2011, 18:35
Please see ISPConfig FAQ on how to set the passive port range:

http://www.faqforge.com/linux/controlpanels/ispconfig3/how-to-set-the-passiveportrange-in-pure-ftpd-on-denian-and-ubuntu-linux/

The numbers are separated by a space and not a colon (:).

eko_taas
18th April 2011, 20:03
Thanks, a space made my day....

Now ftpd starts like a beauty:
# /etc/init.d/pure-ftpd-mysql restart
Restarting ftp server: Running: /usr/sbin/pure-ftpd-mysql-virtualchroot -l mysql:/etc/pure-ftpd/db/mysql.conf -l pam -u 1000 -H -D -8 UTF-8 -p 50000:50400 -A -Y 1 -b -E -O clf:/var/log/pure-ftpd/transfer.log -B
#

Also made a 50000:50400 port forward on the HW router...

Now working the same way from the intranet and the www side, happy ever after :D
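As an added example (my code, not from the thread, pure-ftpd or FileZilla), the following Python mirrors the two checks this thread turns on: parsing the 227 PASV replies quoted above and flagging a private address advertised to a public client the way FileZilla's "unroutable address" message does, and validating the PassivePortRange file content in the space-separated two-number form that pure-ftpd-wrapper accepts. The sample replies and addresses are constructed, and the unroutable heuristic is my approximation, not FileZilla's actual logic.

```python
import ipaddress
import re

# Constructed sample 227 replies modelled on the thread (the real ones were masked with xxx).
SAMPLE_PASV = {
    "lan": "227 Entering Passive Mode (192,168,0,10,231,106)",   # private LAN address
    "wan": "227 Entering Passive Mode (114,10,20,30,195,80)",    # public address, port 50000
}
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the port is p1*256 + p2 (RFC 959)."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv(reply, control_peer):
    """Classify a PASV reply the way a client behind NAT does (assumption: this
    approximates FileZilla's 'unroutable address' fallback): a private advertised
    address on a session whose control peer is public is unroutable, so the
    client should connect to the control peer on the advertised port instead."""
    ip, port = parse_pasv(reply)
    advertised, peer = ipaddress.ip_address(ip), ipaddress.ip_address(control_peer)
    unroutable = advertised.is_private and not peer.is_private
    return {"ip": ip, "port": port, "unroutable": unroutable,
            "connect_to": control_peer if unroutable else ip}


def parse_passive_port_range(text):
    """Parse the content of /etc/pure-ftpd/conf/PassivePortRange: exactly two
    integers separated by whitespace ('50000 50400'); the colon form
    '50000:50400' is what pure-ftpd-wrapper rejected with 'not two numbers'."""
    parts = text.split()
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise ValueError('"%s" not two numbers' % text.strip())
    lo, hi = int(parts[0]), int(parts[1])
    if not 1024 <= lo <= hi <= 65535:
        raise ValueError("invalid passive range %d-%d" % (lo, hi))
    return lo, hi


def port_in_range(port, prange):
    """True when the advertised data port lies inside the range forwarded on the router."""
    return prange[0] <= port <= prange[1]
```

Run check_pasv on a live 227 reply together with port_in_range against the configured range to confirm that every passive data port the server hands out is one the router actually forwards.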