Re: [SLUG] ftp client recomendations ?
On Fri, August 21, 2009 1:54 pm, Matthew Hannigan wrote:
> On Thu, Aug 20, 2009 at 11:03:25AM +1000, Voytek Eymont wrote:
>>>> H. Does it have the nf_nat_ftp and nf_conntrack_ftp modules loaded, too?
>>> Look in /etc/sysconfig/iptables-config for that.
>> thanks, no modules specified
>> so I should add
>> IPTABLES_MODULES=nf_nat_ftp nf_conntrack_ftp
> yes, I think so, but if you use the gui and tick ftp it will do the needful for you.

Matt, thanks

I only have ssh access to it

>>> Bottom line, ftp is a pretty firewall un-friendly protocol. I'd recommend sftp (i.e. the module/feature of ssh) instead.
>> but, if command line ftp client works with no issues, doesn't that exclude firewall on the server ?
> Maybe. Is the command line client ftp being done from the same machine?
> It also depends on whether it's using passive or not. The default might change from gui to cli - and even version to version each other.

yes, same machine

coincidentally, I was just browsing through an old 'Firewall' book, where the 'issues' with FTP are discussed, along the lines that you and others here have pointed out

--
Voytek

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
Re: [SLUG] ftp client recomendations ?
On Fri, August 21, 2009 1:54 pm, Matthew Hannigan wrote:
> On Thu, Aug 20, 2009 at 11:03:25AM +1000, Voytek Eymont wrote:
>> so I should add
>> IPTABLES_MODULES=nf_nat_ftp nf_conntrack_ftp
> yes, I think so, but if you use the gui and tick ftp it will do the needful for you.

I just added this:

IPTABLES_MODULES=ip_nat_ftp

and, Filezilla seems to connect in 'Active' mode

is that a reasonable choice ?

--
Voytek
Re: [SLUG] ftp client recomendations ?
On Thu, Aug 20, 2009 at 11:03:25AM +1000, Voytek Eymont wrote:
> On Thu, August 20, 2009 10:37 am, Matthew Hannigan wrote:
>> On Wed, Aug 19, 2009 at 11:18:48AM +1000, Daniel Pittman wrote:
>>>> /etc/sysconfig/iptables
>>> H. Does it have the nf_nat_ftp and nf_conntrack_ftp modules loaded, too?
>> Look in /etc/sysconfig/iptables-config for that.
> Matt,
> thanks, no modules specified
> so I should add
> IPTABLES_MODULES=nf_nat_ftp nf_conntrack_ftp

yes, I think so, but if you use the gui and tick ftp it will do the needful for you.

>> Bottom line, ftp is a pretty firewall un-friendly protocol. I'd recommend sftp (i.e. the module/feature of ssh) instead.
> but, if command line ftp client works with no issues, doesn't that exclude firewall on the server ?

Maybe. Is the command line client ftp being done from the same machine?

It also depends on whether it's using passive or not. The default might change from gui to cli - and even version to version each other.
Re: [SLUG] ftp client recomendations ?
On Wed, Aug 19, 2009 at 11:18:48AM +1000, Daniel Pittman wrote:
. . .
>> /etc/sysconfig/iptables
> H. Does it have the nf_nat_ftp and nf_conntrack_ftp modules loaded, too?

Voytek,

Look in /etc/sysconfig/iptables-config for that.

> [...]
>>>> Command:PASV
>>>> Response:227 Entering Passive Mode (116,197,145,51,175,75).
>>> At this point the server *should* be expecting a connection from the client, on TCP/44875, but I bet the firewall isn't letting that through.
>>> Check your firewall logs first, to see if you have a record of blocking that connection or not.
>> what log to look at?
> I don't know, on RedHat. I think they had /var/log/firewall or something?

They'll be in /var/log/messages

Bottom line, ftp is a pretty firewall un-friendly protocol. I'd recommend sftp (i.e. the module/feature of ssh) instead.

Matt
Re: [SLUG] ftp client recomendations ?
On Thu, August 20, 2009 10:37 am, Matthew Hannigan wrote:
> On Wed, Aug 19, 2009 at 11:18:48AM +1000, Daniel Pittman wrote:
>>> /etc/sysconfig/iptables
>> H. Does it have the nf_nat_ftp and nf_conntrack_ftp modules loaded, too?
> Look in /etc/sysconfig/iptables-config for that.

Matt,

thanks, no modules specified

so I should add
IPTABLES_MODULES=nf_nat_ftp nf_conntrack_ftp

-
IPTABLES_MODULES=
IPTABLES_MODULES_UNLOAD=yes
IPTABLES_SAVE_ON_STOP=no
IPTABLES_SAVE_ON_RESTART=no
IPTABLES_SAVE_COUNTER=no
IPTABLES_STATUS_NUMERIC=yes

>> I don't know, on RedHat. I think they had /var/log/firewall or something?
> They'll be in /var/log/messages
>
> Bottom line, ftp is a pretty firewall un-friendly protocol. I'd recommend sftp (i.e. the module/feature of ssh) instead.

but, if command line ftp client works with no issues, doesn't that exclude firewall on the server ?

the ftpd and fwall have been unmodified pretty well since 1st installed

--
Voytek
Re: [SLUG] ftp client recomendations ?
2009/8/20 Voytek Eymont li...@sbt.net.au:
>> Bottom line, ftp is a pretty firewall un-friendly protocol. I'd recommend sftp (i.e. the module/feature of ssh) instead.
> but, if command line ftp client works with no issues, doesn't that exclude firewall on the server ?
>
> the ftpd and fwall have been unmodified pretty well since 1st installed

Close. The main possible difference I can see is the use of passive connections - could be that one of them uses them and the other doesn't and that could make the whole difference.

Try to make the clients more verbose, or sniff the traffic with Wireshark (use follow TCP connection to get a very easy-to-read trace of the command stream).

Cheers,

--Amos
Re: [SLUG] ftp client recomendations ?
On Fri, August 14, 2009 12:54 pm, Daniel Pittman wrote:
> Voytek Eymont li...@sbt.net.au writes:

Daniel, thanks

> So, when the user tries to connect, what state are the relevant sockets at the client and server end? My guess is the client is trying to connect to the server, but the server firewall is blocking the (passive FTP) connection.

how to assess, netstat --?

>> Command:PORT 192,168,97,49,226,65
>> Response:500 Illegal PORT command
>
> That isn't a good start: the client asked the server to connect to a private IP address (192.168.97.49) with active FTP. Behind NAT like that the client should either improve their firewall, or disable active FTP entirely.

server has like:

/etc/sysconfig/iptables
...
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
...

>> Command:PASV
>> Response:227 Entering Passive Mode (116,197,145,51,175,75).
>
> At this point the server *should* be expecting a connection from the client, on TCP/44875, but I bet the firewall isn't letting that through.
>
> Check your firewall logs first, to see if you have a record of blocking that connection or not.

what log to look at?

I see this in messages:

Aug 19 09:55:34 proftpd[3851]: bilby (:::121.217.999.999[:::121.217.231.228]) - FTP session opened.
Aug 19 09:55:34 proftpd(pam_unix)[3851]: session opened for user xx by (uid=0)
Aug 18 18:55:34 proftpd[3851]: bilby (:::121.217.999.999[:::121.217.231.228]) - Preparing to chroot to directory '/home/xx'

--
Voytek
Re: [SLUG] ftp client recomendations ?
Voytek Eymont li...@sbt.net.au writes:
> On Fri, August 14, 2009 12:54 pm, Daniel Pittman wrote:
>> Voytek Eymont li...@sbt.net.au writes:
>
>> So, when the user tries to connect, what state are the relevant sockets at the client and server end? My guess is the client is trying to connect to the server, but the server firewall is blocking the (passive FTP) connection.
>
> how to assess, netstat --?

Yeah, or tcpdump.

>>> Command:PORT 192,168,97,49,226,65
>>> Response:500 Illegal PORT command
>>
>> That isn't a good start: the client asked the server to connect to a private IP address (192.168.97.49) with active FTP. Behind NAT like that the client should either improve their firewall, or disable active FTP entirely.
>
> server has like:
>
> /etc/sysconfig/iptables

H. Does it have the nf_nat_ftp and nf_conntrack_ftp modules loaded, too?

[...]

>>> Command:PASV
>>> Response:227 Entering Passive Mode (116,197,145,51,175,75).
>>
>> At this point the server *should* be expecting a connection from the client, on TCP/44875, but I bet the firewall isn't letting that through.
>>
>> Check your firewall logs first, to see if you have a record of blocking that connection or not.
>
> what log to look at?

I don't know, on RedHat. I think they had /var/log/firewall or something?

Anyway, what you are after, specifically, is to find out if the connection above was blocked by the firewall or not.

(...and if your firewall rules don't log blocked packets there will be *no* record of that. ;)

Regards,
Daniel

--
✣ Daniel Pittman ✉ dan...@rimspace.net ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
Looking for work? Love Perl? In Melbourne, Australia? We are hiring.
Re: [SLUG] ftp client recomendations ?
I think the problem is caused by a lack of a keep-alive process. Filezilla v2.x had this, but it seemed to disappear in v3. However, the current version (3.2.7) is promoted as having this feature - http://filezilla-project.org/client_features.php

NOTE: there is a linux version, too although I haven't used it.

I've only installed 3.2.7 today, so can't comment on the effectiveness of the keep-alive. I still recommend Filezilla - I use it at work and it's never let me down.

Pete

Marghanita da Cruz wrote:
> Voytek Eymont wrote:
>> what is a good ftp client for windoze ?
>
> From memory, which could be faulty, I used ftppro on Win95. It still seems to be around.
> http://www.ftppro.com/
>
> Does anyone have recommendations for FTP clients for Linux? I use pftp at the command line...but others prefer something prettier.
>
> Marghanita
>
>> I have a user with Filezilla, since he moved ISP, his Filezilla times out with my ProFTPd on Centos (but, it worked till now with the former ISP)
>>
>> googling brings similar issues elsewhere; increasing timeout in Filezilla didn't help
>>
>> I can log to the ProFTPd from command line, and, upload with no issues
>>
>> I suspect the issue is with Filezilla rather than at the ProFTPd end ?
>>
>> ---
>> Status:Resolving IP-Address for domain.com.au
>> Status:Connecting to 111.222.333.444:21...
>> Status:Connection established, waiting for welcome message...
>> Response:220 FTP Server ready.
>> Command:USER domain.com.au
>> Response:331 Password required for domain.com.au
>> Command:PASS
>> Response:230 User domain.com.au logged in.
>> Command:SYST
>> Response:215 UNIX Type: L8
>> Command:FEAT
>> Response:211-Features:
>> Response: MDTM
>> Response: MFMT
>> Response: MFF modify;UNIX.group;UNIX.mode;
>> Response: MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
>> Response: REST STREAM
>> Response: SIZE
>> Response:211 End
>> Status:Connected
>> Status:Retrieving directory listing...
>> Command:PWD
>> Response:257 / is the current directory
>> Command:TYPE I
>> Response:200 Type set to I
>> Command:PORT 192,168,97,49,226,65
>> Response:500 Illegal PORT command
>> Command:PASV
>> Response:227 Entering Passive Mode (116,197,145,51,175,75).
>> Command:LIST
>> Error:Connection timed out
>> Error:Failed to retrieve directory listing
[SLUG] ftp client recomendations ?
what is a good ftp client for windoze ?

I have a user with Filezilla, since he moved ISP, his Filezilla times out with my ProFTPd on Centos (but, it worked till now with the former ISP)

googling brings similar issues elsewhere; increasing timeout in Filezilla didn't help

I can log to the ProFTPd from command line, and, upload with no issues

I suspect the issue is with Filezilla rather than at the ProFTPd end ?

---
Status:Resolving IP-Address for domain.com.au
Status:Connecting to 111.222.333.444:21...
Status:Connection established, waiting for welcome message...
Response:220 FTP Server ready.
Command:USER domain.com.au
Response:331 Password required for domain.com.au
Command:PASS
Response:230 User domain.com.au logged in.
Command:SYST
Response:215 UNIX Type: L8
Command:FEAT
Response:211-Features:
Response: MDTM
Response: MFMT
Response: MFF modify;UNIX.group;UNIX.mode;
Response: MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
Response: REST STREAM
Response: SIZE
Response:211 End
Status:Connected
Status:Retrieving directory listing...
Command:PWD
Response:257 / is the current directory
Command:TYPE I
Response:200 Type set to I
Command:PORT 192,168,97,49,226,65
Response:500 Illegal PORT command
Command:PASV
Response:227 Entering Passive Mode (116,197,145,51,175,75).
Command:LIST
Error:Connection timed out
Error:Failed to retrieve directory listing

--
Voytek
Re: [SLUG] ftp client recomendations ?
sounds firewall related?

bloat your browser more with http://fireftp.mozdev.org/

Dean

Voytek Eymont wrote:
> what is a good ftp client for windoze ?
>
> I have a user with Filezilla, since he moved ISP, his Filezilla times out with my ProFTPd on Centos (but, it worked till now with the former ISP)
>
> googling brings similar issues elsewhere; increasing timeout in Filezilla didn't help
>
> I can log to the ProFTPd from command line, and, upload with no issues
>
> I suspect the issue is with Filezilla rather than at the ProFTPd end ?
>
> ---
> Status:Resolving IP-Address for domain.com.au
> Status:Connecting to 111.222.333.444:21...
> Status:Connection established, waiting for welcome message...
> Response:220 FTP Server ready.
> Command:USER domain.com.au
> Response:331 Password required for domain.com.au
> Command:PASS
> Response:230 User domain.com.au logged in.
> Command:SYST
> Response:215 UNIX Type: L8
> Command:FEAT
> Response:211-Features:
> Response: MDTM
> Response: MFMT
> Response: MFF modify;UNIX.group;UNIX.mode;
> Response: MLST modify*;perm*;size*;type*;unique*;UNIX.group*;UNIX.mode*;UNIX.owner*;
> Response: REST STREAM
> Response: SIZE
> Response:211 End
> Status:Connected
> Status:Retrieving directory listing...
> Command:PWD
> Response:257 / is the current directory
> Command:TYPE I
> Response:200 Type set to I
> Command:PORT 192,168,97,49,226,65
> Response:500 Illegal PORT command
> Command:PASV
> Response:227 Entering Passive Mode (116,197,145,51,175,75).
> Command:LIST
> Error:Connection timed out
> Error:Failed to retrieve directory listing

--
http://fragfest.com.au
Re: [SLUG] ftp client recomendations ?
Voytek Eymont li...@sbt.net.au writes:
> what is a good ftp client for windoze ?

WinSCP. (No, seriously, it is, and it *also* makes it trivial to move to a simple, reliable and secure transport like SSH without the client really knowing the difference. :)

> I have a user with Filezilla, since he moved ISP, his Filezilla times out with my ProFTPd on Centos (but, it worked till now with the former ISP)

So, when the user tries to connect, what state are the relevant sockets at the client and server end? My guess is the client is trying to connect to the server, but the server firewall is blocking the (passive FTP) connection.

[...]

> Command:PORT 192,168,97,49,226,65
> Response:500 Illegal PORT command

That isn't a good start: the client asked the server to connect to a private IP address (192.168.97.49) with active FTP. Behind NAT like that the client should either improve their firewall, or disable active FTP entirely.

> Command:PASV
> Response:227 Entering Passive Mode (116,197,145,51,175,75).

At this point the server *should* be expecting a connection from the client, on TCP/44875, but I bet the firewall isn't letting that through.

Check your firewall logs first, to see if you have a record of blocking that connection or not.

Regards,
Daniel
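The decoding behind the reply above, as an added example that is not part of the original thread: it turns the PORT and 227 tuples from the quoted client log into address and port, then checks the passive port against the quoted iptables rules. The function names are hypothetical, and the inputs are the negotiation lines and two of the rules quoted in the thread.

```python
import ipaddress
import re

# Negotiation lines and server rules as quoted in the thread (both excerpted).
CLIENT_LOG = """\
Command:PORT 192,168,97,49,226,65
Response:500 Illegal PORT command
Command:PASV
Response:227 Entering Passive Mode (116,197,145,51,175,75).
"""
RULES = """\
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
"""
SIX = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")

def decode_endpoint(line):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); port = p1 * 256 + p2."""
    m = SIX.search(line)
    if not m or any(int(n) > 255 for n in m.groups()):
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2

def data_endpoints(log):
    """Data-channel endpoints offered via PORT (active) and 227 (passive)."""
    found = {}
    for line in log.splitlines():
        if re.match(r"Command:\s*PORT\b", line):
            found["active"] = decode_endpoint(line)
        elif re.match(r"Response:\s*227\b", line):
            found["passive"] = decode_endpoint(line)
    return found

def new_tcp_ports(rules):
    """Destination ports the ruleset accepts for NEW TCP connections."""
    return {int(p) for p in re.findall(r"--state NEW\b.*--dport (\d+) -j ACCEPT", rules)}

def diagnose(log, rules):
    """List the data-channel problems visible in the log, as plain strings."""
    eps, notes = data_endpoints(log), []
    active, passive = eps.get("active"), eps.get("passive")
    if active and active[0].is_private:
        notes.append(f"active: client offered private address {active[0]}:{active[1]}")
    if passive and passive[1] not in new_tcp_ports(rules):
        notes.append(f"passive: tcp/{passive[1]} has no NEW rule, needs RELATED match")
    return notes

print("\n".join(diagnose(CLIENT_LOG, RULES)))
```

With only the ESTABLISHED,RELATED rule to rely on, the passive data connection is accepted only when the FTP connection-tracking helper discussed in the thread marks it as RELATED.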