Date: Fri, 24 Nov 2000 01:56:21 -0500
From: "Simon" <simon@optinet.com>
To: "Ryan Thompson" <ryan@sasknow.com>
Cc: "freebsd-isp@freebsd.org" <freebsd-isp@FreeBSD.ORG>
Subject: Re: proftpd passive weirdness through firewall
Message-ID: <20001124065214.3D04437B479@hub.freebsd.org>
In-Reply-To: <Pine.BSF.4.21.0011240047090.38633-100000@ren.sasknow.com>
Go to ftp://ftp.stikman.com/pub/proftpd/ and get the latest dev version.
1.2.0rc2 is broken too. Yes, they have a broken version listed for
download on their site... what can I say.

-Simon

On Fri, 24 Nov 2000 00:49:17 -0600 (CST), Ryan Thompson wrote:

>Ryan Thompson wrote to Simon:
>
>> Simon wrote to freebsd-isp@freebsd.org and Ryan Thompson:
>>
>> > That's a problem with proftpd. You should upgrade to the latest release.
>> >
>> > -Simon
>>
>> Hmm...
>>
>> Waiting for a good time of night, I upgraded proftpd from 1.2.0pre2 to
>> 1.2.0rc2 (from ports), and I see the same results. I wasn't able to dig
>> up any better information from proftpd's website, and 1.2.0rc2 does indeed
>> look to be the most recent version.
>>
>> (yes, I remembered to kill and restart the daemon :-)
>>
>> When I log in, the version is reported as 1.2.0 (as opposed to the
>> previous 1.2.0pre2), and the timestamps on the executables are all
>> brand new.
>>
>> Any thoughts?
>
>I now also get the syslog alert:
>
>Nov 24 00:47:53 ren proftpd[44637]: no modules loaded for `ftp' service
>
>as soon as a user is authenticated -- never saw that one before.
>
>
>> > On Thu, 23 Nov 2000 23:19:04 -0600 (CST), Ryan Thompson wrote:
>> >
>> > >
>> > >Hi all...
>> > >
>> > >As many admins are aware, configuring an FTP server through a firewall can
>> > >be a major pain. It is a pain I thought I had mastered, though :-) My
>> > >firewall is set up such that I have everything inbound blocked but basic
>> > >connectivity and the protocols I wish to enable, including FTP.
>> > >Outgoing connections are allowed to any network on (almost) any port, as
>> > >this is not a user machine.
>> > >
>> > >Now, a few customers have been complaining that passive mode transfers
>> > >(and directory listings) do not work, which has enticed me to look into
>> > >the problem a bit further. We moved to proftpd from wuftpd a while back,
>> > >and the problem seemed to start around that time.
>> > >
>> > >It appears as though, when initiating a transfer, very low port numbers
>> > >are chosen:
>> > >
>> > >Script started on Thu Nov 23 22:55:46 2000
>> > >Connected to ftp.sasknow.com.
>> > >220 ProFTPD 1.2.0pre10 Server (SaskNow Technologies FTP Server) [ftp.sasknow.com]
>> > >Name (ftp.sasknow.com:ryan): ryan
>> > >331 Password required for ryan.
>> > >Password:
>> > >230 User ryan logged in.
>> > >Remote system type is UNIX.
>> > >Using binary mode to transfer files.
>> > >ftp> ls
>> > >500 EPSV not understood.
>> > >227 Entering Passive Mode (207,195,92,131,15,135).
>> > >^C
>> > >receive aborted. Waiting for remote to finish abort.
>> > >ftp> passive
>> > >Passive mode: off; fallback to active mode: off.
>> > >ftp> ls
>> > >200 PORT command successful.
>> > >150 Opening ASCII mode data connection for file list.
>> > >
>> > >< normal ls output >
>> > >
>> > >226 Transfer complete.
>> > >ftp> quit
>> > >221 Goodbye.
>> > >
>> > >Script done on Thu Nov 23 22:56:15 2000
>> > >
>> > >
>> > >The following is a few snippets of my firewall configuration (not the
>> > >whole thing, obviously):
>> > >
>> > >
>> > ># Basic connectivity rules ====================================================
>> > >
>> > ># Allow established connections
>> > >$fwcmd add 600 pass tcp from any to any established
>> > >
>> > ># Allow outgoing connections originating from our subnet only
>> > >$fwcmd add 700 pass tcp from ${sasknow} to any setup
>> > >
>> > ># Explicitly block ICMP redirects
>> > ># $fwcmd add 1000 deny icmp from any to any icmptype 5
>> > >
>> > ># Allow all other ICMP
>> > >$fwcmd add 1100 pass icmp from any to any
>> > >
>> > ># Open default traceroute port on udp only.
>> > ># The default port range starts at 33434
>> > >$fwcmd add 1200 pass udp from any to any 33434-33500
>> > >
>> > ># Individual protocol access ==================================================
>> > >
>> > ># Completely open up standard FTP
>> > >$fwcmd add 9900 pass tcp from any 20 to any
>> > >$fwcmd add 9901 pass udp from any 20 to any
>> > >$fwcmd add 9950 pass tcp from any to ${ftp} 21 setup
>> > >
>> > >
>> > ># More inbound protocols allowed....
>> > >
>> > >
>> > ># Everything else is denied by default!
>> > >
>> > >So, anything with a source port of 20 is let through, and control
>> > >connections can be established on port 21. Standard FTP, therefore, works
>> > >fine. Many clients nowadays have passive mode on by default, though (or
>> > >are behind firewalls themselves), and it's passive mode that causes grief!
>> > >Since all outbound connections are explicitly allowed by rule 0700, why
>> > >isn't passive mode functional? From my testing, this problem spans more
>> > >than a dozen different clients on several different networks (many of
>> > >which are not restricted by a firewall themselves). Disabling the
>> > >firewall rules here, of course, allows passive mode to work perfectly from
>> > >anywhere.
>> > >
>> > >I've tried playing with the "passive ports" directive in
>> > >/usr/local/etc/ftpaccess, and explicitly opening up those ports for
>> > >inbound access, but to no avail. It seems a little strange to have to do
>> > >this, anyway.
>> > >
>> > >Thanks for any suggestions!
>> > >
>> > >- Ryan
>> > >
>> > >--
>> > >  Ryan Thompson <ryan@sasknow.com>
>> > >  Network Administrator, Accounts
>> > >  Phone: +1 (306) 664-1161
>> > >
>> > >  SaskNow Technologies     http://www.sasknow.com
>> > >  #106-380 3120 8th St E   Saskatoon, SK  S7H 0W2
>> > >
>> > >
>> > >To Unsubscribe: send mail to majordomo@FreeBSD.org
>> > >with "unsubscribe freebsd-isp" in the body of the message
>> > >
>> >
>> >
>>
>
>--
>  Ryan Thompson <ryan@sasknow.com>
>  Network Administrator, Accounts
>  Phone: +1 (306) 664-1161
>
>  SaskNow Technologies     http://www.sasknow.com
>  #106-380 3120 8th St E   Saskatoon, SK  S7H 0W2
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001124065214.3D04437B479>
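The mechanics behind Ryan's symptom, as an added example that is not code from anyone in this thread: in passive mode the server answers PASV with a 227 reply naming an address and a port (p1*256 + p2), and it is the client that then opens the data connection. That SYN arrives inbound at the FTP server, so ipfw rule 600 cannot match it (`established` only matches TCP packets with the ACK or RST bit set) and rule 700 cannot either (it only passes SYNs whose source is ${sasknow}); the packet falls through to the default deny, whatever proftpd version is running. The usual answer is to pin proftpd's data ports with the `PassivePorts` directive in proftpd.conf (the `passive ports` keyword in ftpaccess is wu-ftpd's, not proftpd's) and open exactly that range for `setup`. The script below parses the 227 reply from the transcript, checks whether its port would clear such a rule, and prints the matching proftpd/ipfw fragment. The range 49152-65534, the rule number 9960 and the proftpd.conf path are assumptions chosen for illustration; `$fwcmd` and `${ftp}` are reused from Ryan's rules.

```shell
#!/bin/sh
# Added example for this thread; not code posted by Ryan or Simon.
# Assumptions (illustrative only): PassivePorts range 49152-65534,
# ipfw rule number 9960, proftpd.conf path. $fwcmd and ${ftp} are the
# names used in Ryan's firewall script.

# Pull the "h1,h2,h3,h4,p1,p2" tuple out of a 227 reply line.
pasv_tuple() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p'
}

# Address the server tells the client to connect to.
pasv_host() {
    _t=$(pasv_tuple "$1")
    [ -n "$_t" ] || return 1
    printf '%s\n' "$_t" | cut -d, -f1-4 | tr , .
}

# Data port announced in the 227 reply: p1*256 + p2.
pasv_port() {
    _t=$(pasv_tuple "$1")
    [ -n "$_t" ] || return 1
    _p1=$(printf '%s\n' "$_t" | cut -d, -f5)
    _p2=$(printf '%s\n' "$_t" | cut -d, -f6)
    echo $((_p1 * 256 + _p2))
}

# Would the client's SYN to port $1 be passed by
# "pass tcp from any to ${ftp} $2-$3 setup"?  The SYN is inbound, so
# neither "established" (ACK/RST set) nor "from ${sasknow} ... setup"
# matches it; only an explicit rule for the data-port range does.
syn_passes() {
    if [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; then
        return 0
    fi
    return 1
}

# The two pieces that belong together: pin proftpd's passive data ports
# to a fixed range, then let the inbound SYN for that range through.
passive_rules() {
    cat <<EOF
# /usr/local/etc/proftpd.conf (assumed path)
PassivePorts $1 $2

# ipfw, next to the existing FTP rules (rule number assumed)
\$fwcmd add 9960 pass tcp from any to \${ftp} $1-$2 setup
EOF
}

# Worked check against the 227 reply from Ryan's transcript.
reply='227 Entering Passive Mode (207,195,92,131,15,135).'
port=$(pasv_port "$reply")
if syn_passes "$port" 49152 65534; then
    echo "$(pasv_host "$reply"):$port - SYN passes"
else
    echo "$(pasv_host "$reply"):$port - SYN hits the default deny (outside 49152-65534)"
fi
passive_rules 49152 65534
```

The 227 in the transcript announces port 15*256+135 = 3975, which no rule in the posted snippet opens for `setup`, so the listing hangs until the client gives up; once PassivePorts and the matching ipfw rule agree on a range, every passive data SYN lands inside it. Opening a port range on a shared host is a real exposure, so keep the range as narrow as the expected number of concurrent transfers allows and make sure nothing else listens in it.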