Re: active ftp over IPv6 to OpenBSD's ftpd not working
On Tue, May 26, 2009 at 08:50:32PM +, Stuart Henderson wrote:
> On 2009-05-25, Maurice Janssen maur...@z74.net wrote:
> > I have an FTP-server (running OpenBSD 4.5-stable) that is only reachable
> > over IPv6. Passive FTP works fine, but active FTP doesn't seem to work.
> > I run ftpd from rc.conf.local (-DAS6), not through inetd.
>
> This fixes it, but I'm not sure whether it's correct.

I noticed it's committed to -current, thanks.
Any chance this will be committed to 4.4-stable and 4.5-stable? Seems to me it can be applied to those without any problem.

Maurice
Re: active ftp over IPv6 to OpenBSD's ftpd not working
On Tue, May 26, 2009 at 08:50:32PM +, Stuart Henderson wrote:
> On 2009-05-25, Maurice Janssen maur...@z74.net wrote:
> > I have an FTP-server (running OpenBSD 4.5-stable) that is only reachable
> > over IPv6. Passive FTP works fine, but active FTP doesn't seem to work.
> > I run ftpd from rc.conf.local (-DAS6), not through inetd.
>
> This fixes it, but I'm not sure whether it's correct.

Thanks for fixing it, Stuart. I hope someone can confirm that it's correct.
If so, do you think this can be committed to 4.5-stable as well?

Thanks.
Maurice
Re: active ftp over IPv6 to OpenBSD's ftpd not working
On 2009-05-25, Maurice Janssen maur...@z74.net wrote: I have an FTP-server (running OpenBSD 4.5-stable) that is only reachable over IPv6. Passive FTP works fine, but active FTP doesn't seem to work. I run ftpd from rc.conf.local (-DAS6), not through inetd. This fixes it, but I'm not sure whether it's correct. Index: monitor.c === RCS file: /cvs/src/libexec/ftpd/monitor.c,v retrieving revision 1.18 diff -N -u -p monitor.c --- monitor.c 30 Jun 2008 12:03:51 - 1.18 +++ monitor.c 26 May 2009 20:47:51 - @@ -254,7 +254,7 @@ handle_cmds(void) int err, s, slavequit, serrno, domain; pid_t preauth_slave_pid; size_t len; - struct sockaddr sa; + union sockunion sa; socklen_t salen; char *name, *pw; @@ -364,13 +364,14 @@ handle_cmds(void) bzero(sa, sizeof(sa)); recv_data(fd_slave, sa, salen); - if (sa.sa_len != salen) + if (sa.su_si.si_len != salen) fatalx(monitor received invalid sockaddr len); - if (sa.sa_family != AF_INET sa.sa_family != AF_INET6) + if (sa.su_si.si_family != AF_INET + sa.su_si.si_family != AF_INET6) fatalx(monitor received invalid addr family); - err = bind(s, sa, salen); + err = bind(s, (struct sockaddr *)sa, salen); serrno = errno; if (s = 0)
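Review bot: In the second handle_cmds hunk, the new sa.su_si.si_len != salen test only compares two values that both arrive from the slave, and it runs after recv_data has already copied salen bytes into sa. Now that sa is a union sockunion, please confirm that the context above this hunk bounds salen by sizeof(sa) before the recv_data call. I would also move the address family check ahead of the length check, so the length can be compared against the size expected for that family (sizeof(struct sockaddr_in) for AF_INET, sizeof(struct sockaddr_in6) for AF_INET6) rather than against the self-reported si_len alone. A short comment on the declaration saying why a bare struct sockaddr is too small for the IPv6 case would help the next reader.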
Re: active ftp over IPv6 to OpenBSD's ftpd not working
On 2009-05-25, Maurice Janssen maur...@z74.net wrote:
> Hi,
>
> I have an FTP-server (running OpenBSD 4.5-stable) that is only reachable
> over IPv6. Passive FTP works fine, but active FTP doesn't seem to work.
> I run ftpd from rc.conf.local (-DAS6), not through inetd.
> The client gets the following error:
>
> ftp> ls
> 229 Entering Extended Passive Mode (|||55566|)
> 150 Opening ASCII mode data connection for '/bin/ls'.
> total 4
> dr-xr-xr-x 3 0 0 512 May 22 08:52 pub
> 226 Transfer complete.
> ftp> passive
> Passive mode off.
> ftp> ls
> 200 EPRT command successful.
> 421 Service not available, remote server has closed connection.
>
> When I temporarily enable IPv4 (kill ftpd and start with -DAS), passive
> and active FTP work fine over IPv4, but still only passive over IPv6.
>
> Is this a bug or feature? I can't seem to find any documentation telling
> me it is intended behaviour.
>
> Thanks,
> Maurice

Works for me. Do you reach it via a firewall that doesn't know how to handle EPRT?
Re: active ftp over IPv6 to OpenBSD's ftpd not working
Stuart Henderson wrote:
> On 2009-05-25, Maurice Janssen maur...@z74.net wrote:
> > Hi,
> >
> > I have an FTP-server (running OpenBSD 4.5-stable) that is only reachable
> > over IPv6. Passive FTP works fine, but active FTP doesn't seem to work.
> > I run ftpd from rc.conf.local (-DAS6), not through inetd.
> > The client gets the following error:
> >
> > ftp> ls
> > 229 Entering Extended Passive Mode (|||55566|)
> > 150 Opening ASCII mode data connection for '/bin/ls'.
> > total 4
> > dr-xr-xr-x 3 0 0 512 May 22 08:52 pub
> > 226 Transfer complete.
> > ftp> passive
> > Passive mode off.
> > ftp> ls
> > 200 EPRT command successful.
> > 421 Service not available, remote server has closed connection.
> >
> > When I temporarily enable IPv4 (kill ftpd and start with -DAS), passive
> > and active FTP work fine over IPv4, but still only passive over IPv6.
> >
> > Is this a bug or feature? I can't seem to find any documentation telling
> > me it is intended behaviour.
> >
> > Thanks,
> > Maurice
>
> Works for me. Do you reach it via a firewall that doesn't know how to
> handle EPRT?

It also fails (in exactly the same way) when connecting from an ftp-client on the same subnet. The ftp-server has a 'pass out all' statement in pf.conf and tcpdump on pflog0 doesn't show any filtered packets from port 20.

The client doesn't see any packets coming from port 20, only the packets related to the control connection (to/from port 21 on the ftp-server).

Even with pass in all;pass out all in pf.conf and nothing else, no packets from port 20 arrive on the client.

So it looks like it's a problem on the ftp-server, but not pf related.

I suppose I'm missing something very simple, but I don't see it.

Thanks,
Maurice
Re: active ftp over IPv6 to OpenBSD's ftpd not working
On 2009-05-25, Maurice Janssen maur...@z74.net wrote:
> Stuart Henderson wrote:
> > On 2009-05-25, Maurice Janssen maur...@z74.net wrote:
> > > Hi,
> > >
> > > I have an FTP-server (running OpenBSD 4.5-stable) that is only reachable
> > > over IPv6. Passive FTP works fine, but active FTP doesn't seem to work.
> > > I run ftpd from rc.conf.local (-DAS6), not through inetd.
> > > The client gets the following error:
> > >
> > > ftp> ls
> > > 229 Entering Extended Passive Mode (|||55566|)
> > > 150 Opening ASCII mode data connection for '/bin/ls'.
> > > total 4
> > > dr-xr-xr-x 3 0 0 512 May 22 08:52 pub
> > > 226 Transfer complete.
> > > ftp> passive
> > > Passive mode off.
> > > ftp> ls
> > > 200 EPRT command successful.
> > > 421 Service not available, remote server has closed connection.
> > >
> > > When I temporarily enable IPv4 (kill ftpd and start with -DAS), passive
> > > and active FTP work fine over IPv4, but still only passive over IPv6.
> > >
> > > Is this a bug or feature? I can't seem to find any documentation telling
> > > me it is intended behaviour.
> > >
> > > Thanks,
> > > Maurice
> >
> > Works for me. Do you reach it via a firewall that doesn't know how to
> > handle EPRT?
>
> It also fails (in exactly the same way) when connecting from an ftp-client
> on the same subnet. The ftp-server has a 'pass out all' statement in
> pf.conf and tcpdump on pflog0 doesn't show any filtered packets from
> port 20.

Ugh, I'm sorry - I managed to botch that test somehow (I'm thinking probably I typed EPSV not PASS from finger memory - I have to disable EPSV fairly often on v4 servers..)

I can indeed replicate it, both run from inetd and standalone.

> So it looks like it's a problem on the ftp-server, but not pf related.

Ok, agreed.