Passive ftp problem: 425 error

2007-11-29 Thread Doug Milam
Greetings,

I'm having trouble getting FTP to work in passive mode. (I've set the machine 
up as an FTP server).

I can connect in active mode, with a PORT connection, but I'm seeing a 425 
error (can't open passive connection; can't assign requested address) for 
passive attempts.

The FTP server is 'self-protected' by pf and I've got one high port assigned in 
addition to 21, of course. I chose to restrict the high port to one port rather 
than a range. I've also set this in sysctl.conf.

The machine also sits on a LAN behind a router which currently only allows in 
port 21, but allows out everything.

Suggestions welcome! 


--
Be aware. Stay present. Speak honestly.
   



Re: Passive ftp problem: 425 error

2007-11-29 Thread Firas Kraiem
Hi

Doug Milam wrote:
> The machine also sits on a LAN behind a router which currently only allows in
> port 21, but allows out everything.
>
> Suggestions welcome!

Tried allowing in the high port used for passive connections?

Firas


-- 
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments



Re: Passive ftp problem: 425 error

2007-11-29 Thread Calomel
Try using the ftp-proxy daemon. The proxy will take care of what ports need
to be open and close them when they are not needed. It will make your life
easier.

Ftp-proxy how to (forward and reverse)
http://calomel.org/ftp_proxy.html

--
 Calomel @ http://calomel.org
 Open Source Research and Reference


On Thu, Nov 29, 2007 at 01:20:42PM -0800, Doug Milam wrote:
> Greetings,
>
> I'm having trouble getting FTP to work in passive mode. (I've set the machine
> up as an FTP server).
>
> I can connect in active mode, with a PORT connection, but I'm seeing a 425
> error (can't open passive connection; can't assign requested address) for
> passive attempts.
>
> The FTP server is 'self-protected' by pf and I've got one high port assigned
> in addition to 21, of course. I chose to restrict the high port to one port
> rather than a range. I've also set this in sysctl.conf.
>
> The machine also sits on a LAN behind a router which currently only allows in
> port 21, but allows out everything.
>
> Suggestions welcome!
>
> --
> Be aware. Stay present. Speak honestly.
   



FTP problem

2006-11-03 Thread Der Engel

Hi,

Having this ftp problem with a 3.9 box, the box has one external
interface and two internal interfaces each one for different subnets,
the PF conf is very simple, my problem is after a while clients can't
access ftp, in either subnet, rebooting the box fixes the problem but
then after a while happens again, have no idea on how to fix without
rebooting, was wondering if anyone has had this problem? Maybe some
issue in the new ftp-proxy? Is there a way to restart ftp-proxy
without rebooting the box?

Thanks.



Re: FTP problem

2006-11-03 Thread Der Engel

Ok, I ran the ftp-proxy command and ftp access started working again for
the clients, that solves the rebooting part :)

my pf.conf:

# macros
ext_if=fxp0
int_if=xl0
int_if2=bge0
both="{ xl0 bge0 }"

tcp_services="{ 22 80 113 }"
icmp_types=echoreq

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

# send FTP control connections from both internal interfaces to ftp-proxy
rdr pass on $both proto tcp to port ftp -> 127.0.0.1 port 8021

# filter rules
block in

pass out keep state

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if  $int_if2}

pass in on $ext_if inet proto tcp from any to ($ext_if) \
  port $tcp_services flags S/SA keep state

# note: $comp3 is not defined in the macros posted above
pass in on $ext_if inet proto tcp from any to $comp3 port 80 \
   flags S/SA synproxy state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass quick on $int_if
pass quick on $int_if2


On 11/3/06, Tito Mari Francis Escaño [EMAIL PROTECTED] wrote:

> Maybe you should show your pf.conf so you can be given more accurate
> advice. Thanks!
>
> On 11/4/06, Der Engel [EMAIL PROTECTED] wrote:
>> Hi,
>>
>> Having this ftp problem with a 3.9 box, the box has one external
>> interface and two internal interfaces each one for different subnets,
>> the PF conf is very simple, my problem is after a while clients can't
>> access ftp, in either subnet, rebooting the box fixes the problem but
>> then after a while happens again, have no idea on how to fix without
>> rebooting, was wondering if anyone has had this problem? Maybe some
>> issue in the new ftp-proxy? Is there a way to restart ftp-proxy
>> without rebooting the box?
>>
>> Thanks.
>
> --
> Tito Mari Francis H. Escaño
> Computer Engineer and Free Software Proponent



Re: Ftp problem

2006-03-29 Thread Michael Schmidt

Szymon wrote:

> Pál András wrote:
>
>> Hello Misc!
>> I have a problem about ftp connections.
>> [...]
>> I can connect to the server from my router but can't from the other
>> machines behind the router. I tried behind my neighbour's wireless
>> router too, it did the same. My ftp client message was:
>>
>> Data connection timed out.
>> Falling back to PORT instead of PASV mode.
>> List failed.
>> I think it means that the client connected the server but it couldn't
>> list the directory.
>
> http://www.bsdguru.org/dyskusja/viewtopic.php?t=11593



Perhaps it is not the same problem or effect as yours, but I have had 
situations where it was only necessary to issue an epsv off command 
(more actual ftp clients know this) directly after logon and then 
directory listing was possible, without using ftp-proxy.


--
Michael Schmidt MIRRORS:
DJGPP   ftp://ftp.fh-koblenz.de/pub/DJGPP/
Ghostscript ftp://ftp.fh-koblenz.de/pub/Ghostscript/



Re: Ftp problem

2006-03-26 Thread Szymon

Pál András wrote:

> Hello Misc!
> I have a problem about ftp connections.
> I made a server behind a firewall and I read the pf docs about the
> configuration.
>
> My external pf conf file looks like that:
> ext_if=dc0
> int_if=dc1
> ftp_server=10.5.5.3
> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
> rdr on dc0 proto tcp from any to any port 80 -> 10.5.5.3
>
> rdr on dc0 proto {udp,tcp} from any to any port 143 -> 10.5.5.3
> rdr on dc0 proto {udp,tcp} from any to any port 993 -> 10.5.5.3
> rdr on dc0 proto tcp from any to any port 25 -> 10.5.5.3
> rdr on dc0 proto tcp from any to any port 5432 -> 10.5.5.3
> rdr on dc0 proto tcp from any to any port 8821 -> 10.5.5.1
> rdr on dc0 proto tcp from any to any port 61 -> 10.5.5.4
> rdr on dc0 proto tcp from any to any port 2819 -> 10.5.5.4 port 2818
> rdr on dc0 proto tcp from any to any port 2820 -> 10.5.5.3 port 2818
> rdr on dc0 proto tcp from any to any port 21 -> $ftp_server port 21
> rdr on $ext_if proto tcp from any to any port 49152:65535 -> $ftp_server port 49152:65535
> pass in quick on $ext_if proto tcp from any to $ftp_server port 21 keep state
> pass in quick on $ext_if proto tcp from any to $ftp_server port  49152 keep state
> pass out quick on $ext_if proto tcp from any to $ftp_server port  49152 keep state
> pass out quick on $int_if proto tcp from any to $ftp_server port 21 keep state
>
> I can connect to the server from my router but can't from the other
> machines behind the router. I tried behind my neighbour's wireless
> router too, it did the same. My ftp client message was:
>
> Data connection timed out.
> Falling back to PORT instead of PASV mode.
> List failed.
> I think it means that the client connected the server but it couldn't
> list the directory.
>
> I can connect and list directories other ftp servers from anywhere.
> Are there any other server side (pf side) configurations?
>
> Thanks a lot for your help and sorry for that stupid question.

http://www.bsdguru.org/dyskusja/viewtopic.php?t=11593



Ftp problem

2006-03-21 Thread Pál András

Hello Misc!
I have a problem about ftp connections.
I made a server behind a firewall and I read the pf docs about the 
configuration.

My external pf conf file looks like that:
ext_if=dc0
int_if=dc1
ftp_server=10.5.5.3
nat on $ext_if from $int_if:network to any -> ($ext_if)

rdr on dc0 proto tcp from any to any port 80 -> 10.5.5.3

rdr on dc0 proto {udp,tcp} from any to any port 143 -> 10.5.5.3
rdr on dc0 proto {udp,tcp} from any to any port 993 -> 10.5.5.3
rdr on dc0 proto tcp from any to any port 25 -> 10.5.5.3
rdr on dc0 proto tcp from any to any port 5432 -> 10.5.5.3
rdr on dc0 proto tcp from any to any port 8821 -> 10.5.5.1
rdr on dc0 proto tcp from any to any port 61 -> 10.5.5.4
rdr on dc0 proto tcp from any to any port 2819 -> 10.5.5.4 port 2818
rdr on dc0 proto tcp from any to any port 2820 -> 10.5.5.3 port 2818
rdr on dc0 proto tcp from any to any port 21 -> $ftp_server port 21
rdr on $ext_if proto tcp from any to any port 49152:65535 -> $ftp_server port 49152:65535
pass in quick on $ext_if proto tcp from any to $ftp_server port 21 keep state
pass in quick on $ext_if proto tcp from any to $ftp_server port  49152 keep state
pass out quick on $ext_if proto tcp from any to $ftp_server port  49152 keep state
pass out quick on $int_if proto tcp from any to $ftp_server port 21 keep state



I can connect to the server from my router but can't from the other 
machines behind the router. I tried behind my neighbour's wireless 
router too, it did the same. My ftp client message was:

Data connection timed out.
Falling back to PORT instead of PASV mode.
List failed.
I think it means that the client connected the server but it couldn't 
list the directory.

I can connect and list directories other ftp servers from anywhere.
Are there any other server side (pf side) configurations?

Thanks a lot for your help and sorry for that stupid question.

--
--
ANDRAS PAL D i g i t a l Influence
E-mail: [EMAIL PROTECTED] Hungary
Web:http://www.digitalinfluence.hu
http://www.fpower.hu  
http://www.ifce.hu



Re: Ftp problem

2006-03-21 Thread Nils.Reuvers
What does your pflog say? Try tcpdump on both interfaces and see what's going on. 
Also, you might want to pick up some reading on ftp-proxy(8) (reversed mode -R).

I run ftp-proxy like this:
ftp-proxy -R 192.168.3.2 -m 15000 -M 16000 -r

And my pf looks like this:
nat on $ext_if from 192.168.3.0/24 to any -> ($ext_if)

block log all

#Traffic must be allowed to pass the loopback interface
pass quick on lo0 all

#FTP server
pass in log quick on $ext_if proto tcp from any to $ext_ip port 21 flags S/SA keep state
pass in log quick on $ext_if proto tcp from any to $ext_ip port 15000:16000 flags S/SA keep state

Nils

-Original Message-
From: Pal Andras [mailto:[EMAIL PROTECTED] 
Sent: dinsdag 21 maart 2006 19:32
To: misc
Subject: Ftp problem

Hello Misc!
I have a problem about ftp connections.
I made a server behind a firewall and I read the pf docs about the 
configuration.
My external pf conf file looks like that:
ext_if=dc0
int_if=dc1
ftp_server=10.5.5.3
nat on $ext_if from $int_if:network to any -> ($ext_if)

rdr on dc0 proto tcp from any to any port 80 -> 10.5.5.3

rdr on dc0 proto {udp,tcp} from any to any port 143 -> 10.5.5.3
rdr on dc0 proto {udp,tcp} from any to any port 993 -> 10.5.5.3
rdr on dc0 proto tcp from any to any port 25 -> 10.5.5.3
rdr on dc0 proto tcp from any to any port 5432 -> 10.5.5.3
rdr on dc0 proto tcp from any to any port 8821 -> 10.5.5.1
rdr on dc0 proto tcp from any to any port 61 -> 10.5.5.4
rdr on dc0 proto tcp from any to any port 2819 -> 10.5.5.4 port 2818
rdr on dc0 proto tcp from any to any port 2820 -> 10.5.5.3 port 2818
rdr on dc0 proto tcp from any to any port 21 -> $ftp_server port 21
rdr on $ext_if proto tcp from any to any port 49152:65535 -> $ftp_server port 49152:65535
pass in quick on $ext_if proto tcp from any to $ftp_server port 21 keep state
pass in quick on $ext_if proto tcp from any to $ftp_server port  49152 keep state
pass out quick on $ext_if proto tcp from any to $ftp_server port  49152 keep state
pass out quick on $int_if proto tcp from any to $ftp_server port 21 keep state


I can connect to the server from my router but can't from the other machines 
behind the router. I tried behind my neighbour's wireless router too, it did the 
same. My ftp client message was:
Data connection timed out.
Falling back to PORT instead of PASV mode.
List failed.
I think it means that the client connected the server but it couldn't list the 
directory.
I can connect and list directories other ftp servers from anywhere.
Are there any other server side (pf side) configurations?

Thanks a lot for your help and sorry for that stupid question.

--
--
ANDRAS PAL D i g i t a l Influence
E-mail: [EMAIL PROTECTED] Hungary
Web:http://www.digitalinfluence.hu
 http://www.fpower.hu  
 http://www.ifce.hu
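
Added example, not code from any poster in this thread: a Python check of a server's 227 (PASV) or 229 (EPSV) reply against the data-port range the firewall passes, here the 15000:16000 range from the ftp-proxy setup above. The reply strings and the external address 203.0.113.10 are constructed samples; 10.5.5.3 is the internal server address from the quoted pf.conf.

```python
import ipaddress
import re

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?" + ",".join([r"(\d{1,3})"] * 6))
# RFC 2428 EPSV reply: 229 ... (<d><d><d>port<d>), usually (|||port|)
EPSV_RE = re.compile(r"^229 .*\((.)\1\1(\d{1,5})\1\)")


def parse_data_endpoint(reply, server_addr):
    """Return the (ip, port) a client will dial for the data connection."""
    m = PASV_RE.match(reply)
    if m:
        nums = [int(g) for g in m.groups()]
        if max(nums) > 255:
            raise ValueError("field out of range in 227 reply")
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError("port out of range in 229 reply")
        # EPSV carries no address: the client reuses the control address.
        return server_addr, port
    raise ValueError("not a 227/229 reply")


def diagnose(reply, server_addr, passed_ports):
    """List reasons the data connection would fail from outside the NAT."""
    ip, port = parse_data_endpoint(reply, server_addr)
    problems = []
    if ip != server_addr and ipaddress.ip_address(ip).is_private:
        problems.append(f"server advertises private address {ip}")
    if port not in passed_ports:
        problems.append(f"port {port} is not passed by the firewall")
    return ip, port, problems


if __name__ == "__main__":
    public = "203.0.113.10"            # constructed external address
    passed = range(15000, 16001)       # pass rule 15000:16000 from the thread
    # Constructed replies: one leaking the internal address, one EPSV in range.
    print(diagnose("227 Entering Passive Mode (10,5,5,3,192,1)", public, passed))
    print(diagnose("229 Entering Extended Passive Mode (|||15500|)", public, passed))
```

A client that falls back from EPSV to PASV, as with epsv off, dials the address in the 227 reply, so the private-address check only matters for that path.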


