I've been having great fun with FTP - active and passive - and
assumed it was the wrong port here or there or something strange in
pf - my fault every time so far.
Running with pf + ftp-proxy box, and proftpd or vsftpd on boxes
behind that on two different networks, and then NAT clients on
another network (behind another pf box.)
It has been unrouteable (if that is the correct term?) addresses.
And because the traffic never hits pf, you don't see anything in the
logs (apart from the control channel traffic) and really wonder what
is going on (I am logging in the right place? Maybe my ftp-proxy
settings? Did I reload the rules? Maybe it's the router, etc., etc.)
Apologies if this is all old hat to you (but might help others
following the thread one day.)
The symptoms are exactly what you describe - the control channel
(port 21) allows you to connect (even create files, but they will be
0 bytes) but as soon as you touch the data channel ... nothing.
Active FTP, the client is behind NAT, and tells the server that it
(the client) is listening at 192.168.30.30 (or whatever) port xyz for
data - obviously the server is never going to find 192.168.30.30
across the internet (or if it does find one, it is not the FTP
client.) Haven't found a solution for this yet, but not bugging me
enough! (I can test from other machines)
Passive FTP, the server has an internal IP (e.g. 172.16.0.01), and
tells the client that it (the server) is listening on that address,
port xyz for data - same situation, the client will never find the
server over the internet.
http://en.wikipedia.org/wiki/Ftp shed light on this for me.
It *seems* that some routers will see the IPs in the FTP traffic and
sort things out automatically - not sure if this is the case - maybe
someone will correct me? I can't explain everything that I've seen
while getting this going.
Different FTP clients behave differently! So choose your test
environment. Some clients seem to ignore what the server says and
try and connect to the original IP, so it all works. Others are very
picky. You want one that displays as much info as possible as what
it is trying to do (personally I use Tcl and the Tcllib FTP client
with all debugging and callbacks enabled - but I'll probably be alone
in that!)
One solution for passive issues seems to be to masquerade the IP
(vsftp or proftpd) e.g.
http://vsftpd.beasts.org/vsftpd_conf.html
<quote>
pasv_address
Use this option to override the IP address that vsftpd will
advertise in response to the PASV command. Provide a numeric IP address.
Default: (none - the address is taken from the incoming
connected socket)
<unquote>
HTH.
On 8/11/2007, at 9:19 PM, knitti wrote:
On 11/8/07, Jake Conk <[EMAIL PROTECTED]> wrote:
Hello,
I have a computer running OpenBSD 4.2 which is acting as my router.
Behind it I have a a ftp-server which is working fine thanks to
ftp-proxy but one of the problems I am having is ftp'ing out of my
network. I am able to connect and establish connections to outside
servers but I am not able to run normal commands on them like ls, cd,
get, etc. Any command I try running after I connect just hangs and
fails.
of course, since your are using NAT. starting a second instance of
ftp-proxy on a different port should work, just look at the manpages
pf.conf(5)
ftp-proxy(8)
--knitti
