FTP Server Help

Copperhead
scripter
Posts: 83
Joined: Wed May 14, 2003 1:12 am
Location: Los Angeles, CA, USA

Post by Copperhead »

I just recently installed ProFTPd on my Red Hat machine tonight, and I am having a small problem. I can connect to the FTP server on my local machine, but I cannot seem to access it outside of my LAN. I can connect fine, but when I run `ls`, it says "Entering Passive Mode for data transfer" and then hangs for a few minutes before timing out and closing the connection. I have ports 0 through 80 forwarded on my router and I am using both TCP and UDP. Could it be something with the firewall? Am I using the right protocols?

Any help would be greatly appreciated...

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main »

Sounds like the UDP data channel is getting lost after the initial connection via TCP, but I thought passive mode usually solves this. Is it trying active mode first and then falling back to passive, or is the initial attempt using passive mode? Might try forcing active mode. Also, are you running it as a daemon or are you starting it from xinetd?
Last edited by Void Main on Tue Oct 28, 2003 6:06 pm, edited 1 time in total.

Post by Copperhead »

Thanks Void...

I switched off UDP in my router and used active mode, which seems to work fine. However, still no luck at getting it to work with passive mode. When I tried to connect before, I just used ftp from the command line, which is automatically set to passive mode. That is still not working.

As for your second question, I have ProFTPd running from standalone mode. Should I run it from inetd?

Post by Void Main »

Definitely sounds like a firewall issue. What model is your router and what do you mean by "turned UDP off"? I believe normally the authentication is performed via TCP and then a data connection back to the client is established via UDP (faster as packets can just be blasted).

Post by Copperhead »

The router is a Linksys BEFSX41 Fast Ethernet Cable/DSL router. It is known as one of those "blue boxes" that has an HTML page as its interface. In the "forwarding" section, you can do port forwarding if you disable DHCP. When you go to "forwarding" there is a column where you input the IP of the machine that you want to do port forwarding on, a column to input what ports you want to forward, and then a checkbox under a TCP and UDP column. I unchecked UDP and used active mode on the FTP client machine and it worked. When I go back to passive mode, it still doesn't work. I used gFTP as the client, as I don't know how/if you can use ftp on the command line in active mode.

Post by Void Main »

Depends on the ftp client you are using from the command line. Most ftp clients list their commands (which have a fairly standard base set) by typing the "?" on their command line. For instance, mine has a "passive" command which acts as a toggle each time you type it, or you can use the "-p" on the command line (I believe it defaults to active, or non-passive mode). I will do some searching and see if there is anything special about the LinkSys configuration.

I forgot, you may also have to forward port 20 (ftp-data) in addition to port 21. Does this thread help at all?:

http://www-tcsn.experts-exchange.com/Ne ... 39110.html
Last edited by Void Main on Tue Oct 28, 2003 6:33 pm, edited 1 time in total.

Post by Copperhead »

Thanks buddy..

I am scouring Google right now, and reading through the documentation that came with the router. I don't get it as to why it would work with active mode and not passive. I thought passive mode was now the default for ftp and sftp connections?

Thanks for your help.

Post by Void Main »

Oops, reread my previous post. I added some information to the end of it. Also, sftp has nothing to do with ftp; sftp is ssh in disguise (which is 1000 times better than ftp for most things).

Post by Copperhead »

Still no effect. It will only work in non-passive mode. I forwarded port 20, as well as port 21, but that and checking UDP still had no effect.

Thanks for all of your help though. I am baffled by this, and I can't figure out why it would only work in non-passive mode.

Post by Void Main »

Here's an interesting article:

http://www.linksysftp.org/troubleshooting.php

It is somewhat LinkSys specific but also mentions a proftpd configuration option that may need to be set.

Post by Copperhead »

After looking at that article, it seems that there is no way that I am going to be able to use PASV mode due to my dynamic IP address. I have a resolvable domain name, courtesy of dyndns.org, but when I inputted the MasqueradeAddress directive, it didn't work in PASV mode.

So, my question is, since I am forced to use PORT mode (unless I buy a new router), exactly how safe/unsafe is PORT mode? This machine is only going to be hosting a few sites, none of which are high traffic. I read in the ftp man page that PASV mode is going to eventually become the default mode for ftp due to security reasons, but it didn't exactly state what those reasons are.

Post by Void Main »

A good article on the differences between Active/Passive FTP:

http://slacksite.com/other/ftp.html

The article doesn't talk about security but I would guess one would be more susceptible to spoofing than the other, just speculating. I don't know why the LinkSys box is having such a hard time with this. I don't believe it should. Maybe a firmware upgrade will help? Or if it is specific to LinkSys then you could get another brand (or set up a Linux or BSD firewall, I use Linux of course).