glftpd, SSL/TLS and passive mode

Basher52
guru
Posts: 928
Joined: Wed Oct 22, 2003 5:57 am
Location: .SE


Post by Basher52 »

I don't really know if this is the place to put it, since the problem can be some general network problem, but I hope you can cope.

I'm using glftpd v1.31 on RH9 and trying to use a secure connection through SSL/TLS... this works fine, but when I try to access this FTP from work, through the firewall there, I can't list the contents.
I've heard from some friends that to get this working I don't have to do anything with the glftpd.conf file, but others tell me to add 'pasv_ports' etc. to it.

I've been trying to fix this problem for the last 2-3 months but with no luck :(
so I hope someone in here can help me get this working.
I have no idea if the error is in glftpd or in the OS itself...
maybe I missed installing something to get this to work?

When I connect using "active" it's all OK, or when I change glftpd.conf not to use a secure connection, the passive connection works.

The error is shown below (using FlashFXP as client):

[15:22:02] 230 User ****** logged in.
[15:22:02] SYST
[15:22:03] 215 UNIX Type: L8
[15:22:03] REST 100
[15:22:03] 350 Restarting at 100. Send STORE or RETRIEVE to initiate transfer.
[15:22:03] REST 0
[15:22:03] 350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer.
[15:22:04] PWD
[15:22:04] 257 "/" is current directory.
[15:22:04] TYPE A
[15:22:04] 200 Type set to A.
[15:22:04] PROT P
[15:22:05] 200 Protection set to Private
[15:22:05] PASV
[15:22:05] 227 Entering Passive Mode (***,***,**,**,150,118)
[15:22:15] Data Socket Error: Connection timed out
[15:22:15] List Error
[15:22:16] QUIT
[15:22:17] 221- Goodbye
[15:22:17] Logged off: ***************
[15:22:17] 221


/B52, A guy in desperate need of help

Post by Basher52 »

UPDATE: I forgot to mention that I use iptables as a firewall and that it may be this that causes the trouble :(

Post by Basher52 »

well... newb as I am (kinda)... I always forget the firewall... lol
yep, just had to open up the passive ports in iptables and all worked great :)

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

Good job! Sorry none of the rest of us had any suggestions. I wasn't familiar with that daemon and normally I would have checked into it for you, but I have been really busy the last few days and didn't get a chance.

Post by Basher52 »

well... I gotta ask something again about this, but it could even be more of a general question.

I added the port in the FW and I could get in, but now only 1 port is probably used for this passive mode, because when I try to connect another, it says something like 'port already in use'.

If I use e.g. port 1111 as the port for the FTP itself and want to use 2000 through 2100 as the passive ports, how do I write this in iptables?

Here's an example of how I did this, but it doesn't work :(
(IPs and ports masked)
iptables -t filter -A GLFTPD -s 1.2.3.4 -p tcp --dport glftpd:2100 -j ACCEPT

In the example above, I use glftpd equal to port 1900 and want the rest of the ports up to 2100 as the passive ones.
But it seems that only one of the passive ports is being used, and I guess it's because the line ... glftpd:2100 ... means that port 1900 AND 2100 can be used. I thought this would mean from 1900 and all ports up to and including 2100.

So the question is... how do I make this so I can use port A and G through R,
if you get my meaning :)

B52

Post by Void Main »

Actually the ":" does indicate a port range in iptables so the answer must be down another track. Here are some links that might or might not be helpful:

http://www.oclug.on.ca/pipermail/oclug/ ... 08505.html
http://www.redhat.com/docs/errata/RHEL-2.1-Manual/

See the lines for "active ftp" and "passive ftp" in this one:
http://www.linux.ncsu.edu/lug/lectures/ ... les.sh.txt

If you can't get it going I'll set it up here and see what I can come up with.
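Since PROT P encrypts the control channel, a stateful firewall's FTP helper cannot read the PASV reply and open the data port on the fly, so the passive range has to be opened statically, and because ':' means a range the control port needs its own rule. The script below is an added example, not from anyone in this thread; it assumes the thread's values (control port 1900, passive range 2000-2100), parses a 227 reply to find the announced data port, checks it against that range, and prints the two rules.

```shell
#!/bin/sh
# Constructed sample: the 227 reply shape from the FlashFXP log above,
# with a documentation address in place of the masked one.
PASV_REPLY='227 Entering Passive Mode (192,0,2,10,150,118)'

# Assumed values from the thread: glftpd control port and passive range.
CTRL_PORT=1900
PASV_LO=2000
PASV_HI=2100

# Data port announced in a 227 reply: the last two fields are p1,p2 and
# the port is p1*256 + p2 (here 150*256 + 118 = 38518).
pasv_port() {
    inner=${1#*\(}
    inner=${inner%\)*}
    oldifs=$IFS
    IFS=','
    set -- $inner
    IFS=$oldifs
    echo $(($5 * 256 + $6))
}

# Succeed only if the announced port lies inside the range the firewall opens.
# With PROT P the control channel is encrypted, so the FTP conntrack helper
# cannot see this reply; a port outside the opened range times out exactly
# as in the log above.
pasv_in_range() {
    [ "$1" -ge "$PASV_LO" ] && [ "$1" -le "$PASV_HI" ]
}

# The two rules needed: ':' is a range, so the control port gets its own
# rule rather than being the low end of "glftpd:2100".
pasv_rules() {
    printf 'iptables -t filter -A GLFTPD -p tcp --dport %s -j ACCEPT\n' "$CTRL_PORT"
    printf 'iptables -t filter -A GLFTPD -p tcp --dport %s:%s -j ACCEPT\n' "$PASV_LO" "$PASV_HI"
}

port=$(pasv_port "$PASV_REPLY")
if pasv_in_range "$port"; then
    echo "data port $port is within $PASV_LO-$PASV_HI"
else
    echo "data port $port is outside $PASV_LO-$PASV_HI; restrict glftpd's passive ports to that range and open:"
    pasv_rules
fi
```

The sample reply announces port 38518, far outside the opened range, which is the same symptom as the "Data Socket Error: Connection timed out" in the log.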

Post by Basher52 »

The last one helped me out; I got a few tips on how to set the ports up.
Thanks man :D

/Yours Truly, Basher52