Pure FTPd problems

bitg

What is this storage?
Joined
Feb 11, 2004
Messages
8
Location
Los Angeles, CA
I am running Redhat 8 and the latest pure ftp server. I can connect to it just fine from another machine in my network. Yet when trying to connect from the outside world, I get a "Failed to establish a data socket" error. This happens when I connect in PASV mode. When I use "PORT" mode to connect, it just times out with no explanation. The FTP Client software I am using is CuteFTP. I even tried it from a friend's house and got the same thing.

The weird thing is when I connect to it from my linux machine at my office (using a command line ftp connection) it works just fine. I am lost here.

I have Pure FTP set up in its default configuration and as far as I know nothing has changed. It was working at one time.

I am just confused here. I am no master of Linux.

ideas?
 

bitg

What is this storage?
Joined
Feb 11, 2004
Messages
8
Location
Los Angeles, CA
OK, I installed SmartFTP as you suggested and when I tried to connect, I got the following error.

Opening data connection IP: 192,168,100,253,158,126 PORT: 40574.
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
PORT 192,168,100,242,11,185
200 PORT command successful
Opening data connection IP: 192.168.100.242 PORT: 3001.
MLSD
 

i

Wannabe Storage Freak
Joined
Feb 10, 2002
Messages
1,080
It might be easier to figure out what's going on if you posted all the information you have in one discussion. :wink:

bitg said:
Currently, when I type "/etc/rc.d/init.d/pure-ftpd start" it prints the following on my screen. Maybe this will help.


Starting pure-config.pl: Running: /usr/local/sbin/pure-ftpd --daemonize -A -c50 -B -C8 -D -fftp -H -I15 -L2000:8 -m4 -p30000:50000 -P192.168.0.1 -s -U133:022 -u100 -w -k99 -Z

Let me guess. You're behind a firewall/NAT box.

From some random website, with details about a version of pure-ftpd that could be completely different from yours (I don't think you mentioned your version....)

---------------
-P ip address or host name
Force the specified IP address in reply to a
PASV/EPSV/SPSV command. If the server is behind a
masquerading (NAT) box that doesn't properly handle
stateful FTP masquerading, put the ip address of
that box here. If you have a dynamic IP address,
you can use a symbolic host name (probably the one
of your gateway), that will be resolved every time
a new client will connect.
---------------

So, let's get the basics worked out here.

1) You've got an FTP server on a Linux box, with IP address 192.168.100.253.
2) Said FTP server is behind a firewall/NAT box (correct?)
3) You don't trust your NAT device to properly handle the stateful connections, so you've added the -P switch. And you've declared to pure-ftpd that your NAT device has an IP address of 192.168.0.1. But your FTP server is on a different subnet (100) ... so????

My knowledge is rusty, but I for one could use some more basic information about exactly what kind of network you've got set up here. What are the two boxes at either end of the connection? And what are the stats on all the boxes between them?
 

bitg

What is this storage?
Joined
Feb 11, 2004
Messages
8
Location
Los Angeles, CA
I have a DSL line and the static IP address I have is being housed on my Linksys router. The Linux box is using a static ip address of 192.168.100.253.

The router is pointing all my ports from 1-65535 to the Linux box and I am using the linux box to point a few of them to other internal ip addresses on other machines.

If there is a Pure FTP switch active, it was there by default and I do not know how to activate or deactivate a switch.

So every machine on my network is using the following information.

192.168.100.xxx - IP Address
192.168.100.1 - Gateway
255.255.255.0 - SubNet Mask

Obviously, the linux box is set to 192.168.100.253. This box is connected directly to the router (192.168.100.1). There is nothing between them.

Maybe I am not understanding your question, but I hope I have added some helpful information.
 

bitg

What is this storage?
Joined
Feb 11, 2004
Messages
8
Location
Los Angeles, CA
Something new.

Using SmartFTP, if I set the connection mode to PASV and set "Force Passive IP" to "enabled" it works just fine. I could not do this before because Cute FTP does not have this option.

Ideas?
 

i

Wannabe Storage Freak
Joined
Feb 10, 2002
Messages
1,080
bitg said:
Maybe I am not understanding your question, but I hope I have added some helpful information.

Yes, that's good stuff.

If it were me, just in the interest in ruling out one potential variable, I'd temporarily remove that whole -P switch.

As for ideas? Well, maybe.

bitg said:
Opening data connection IP: 192,168,100,253,158,126 PORT: 40574.
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

If your pure-ftpd server is returning 192.168.0.1 as part of the reply when your client issues that PORT command, that might explain why you subsequently time out. Your client has just been told by your pure-ftpd server to continue the session by talking to 192.168.0.1. Well, that's flat-out wrong, agreed?

When you're outside your network, really you want the client to continue talking with the external IP address of your Linksys router. And that should be handled by the stateful NAT capability of the router. You shouldn't have to specify that external address to pure-ftpd. Which is what the man page tells you - you use it only if the stateful capability of a NAT box you happen to be behind is broken.

And when you're inside your own network ... why would you even need the switch in that case? Just continue talking to 192.168.100.253.

As for why it works as it is right now for some clients and not others? Perhaps some FTP clients fall for the reply to the PORT command and blindly assume it's correct - they think they really have to continue talking to 192.168.0.1. Other clients, such as the ones you've tried on Linux, and SmartFTP - when it's set to "Force Passive IP" - are less trusting of the reply they receive after the PORT command and talk to whatever the hell IP address they think they should be talking to. We're talking Linux clients, right? Sounds plausible to me. :wink:

And finally, this is the most speculation I've done in a long time. So take it all with a grain of salt.

Besides, you asked for ideas. :)
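
Added example (not from any poster in this thread): a Python sketch of how a client turns the h1,h2,h3,h4,p1,p2 tuple seen in the logs above into a data-connection endpoint, and of the substitution a "Force Passive IP" style option makes. The function names, the 227 reply wrapper and the address 203.0.113.10 (a documentation address standing in for the router's external IP) are assumptions; how SmartFTP implements its option is not shown on this page.

```python
import ipaddress
import re

# RFC 1918 ranges listed explicitly; ipaddress.is_private also covers other ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TUPLE_RE = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")

def parse_hostport(text):
    """Extract h1,h2,h3,h4,p1,p2 from a PASV reply or PORT argument."""
    m = TUPLE_RE.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range 0-255")
    # Port is the last two fields read as a 16-bit big-endian number.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def data_endpoint(reply, control_ip, force_passive_ip=False,
                  port_range=(30000, 50000)):  # range from -p30000:50000
    """Return (ip, port, warnings) for the passive data connection."""
    ip, port = parse_hostport(reply)
    warnings = []
    if ip != control_ip:
        warnings.append(f"advertised {ip} differs from control peer {control_ip}")
        if is_rfc1918(ip) and not is_rfc1918(control_ip):
            warnings.append("private address advertised to a public client")
    if not port_range[0] <= port <= port_range[1]:
        warnings.append(f"port {port} outside passive range {port_range}")
    if force_passive_ip:
        # Ignore the advertised address and reuse the control connection's peer.
        ip = control_ip
    return ip, port, warnings

if __name__ == "__main__":
    # Constructed reply line wrapping the tuple from the SmartFTP log above.
    reply = "227 Entering Passive Mode (192,168,100,253,158,126)"
    for force in (False, True):
        print(force, data_endpoint(reply, "203.0.113.10", force))
```

With `force_passive_ip=False` the outside client dials the unroutable 192.168.100.253 and times out; with it set, the client dials the address it already reached on the control connection, and only the port from the reply is used.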
 

bitg

What is this storage?
Joined
Feb 11, 2004
Messages
8
Location
Los Angeles, CA
i, that is the most I have had to think about in a very long time. You have given me lots to contemplate. To turn off the whole -p switch is probably the best idea. However, I am unsure how to do this. It is obvious to me that the answer lies in the pure-ftp.conf file.

Ideas on where to look?
 

The JoJo

Wannabe Storage Freak
Joined
Jan 25, 2002
Messages
1,490
Location
Finland, Turku
Website
www.thejojo.com
Try something similar:
/usr/local/sbin/pure-ftpd -d -f ftp -S PORTNUMBER -P $IP -p PORTRANGE -A -c 10 -C 2 -X -x -I 5 -E -R -K -H -l puredb:/etc/pureftpd.pdb &
 

i

Wannabe Storage Freak
Joined
Feb 10, 2002
Messages
1,080
The JoJo said:
Try something similar:
/usr/local/sbin/pure-ftpd -d -f ftp -S PORTNUMBER -P $IP -p PORTRANGE -A -c 10 -C 2 -X -x -I 5 -E -R -K -H -l puredb:/etc/pureftpd.pdb &

Don't introduce more variables just yet. Keep the first try simple. Take the original command that the pure-ftpd perl script runs and remove the -P switch completely. That gives you this:

Code:
/usr/local/sbin/pure-ftpd --daemonize -A -c50 -B -C8 -D -fftp -H -I15 -L2000:8 -m4 -p30000:50000 -s -U133:022 -u100 -w -k99 -Z

(Note that some of those other switches are important security-wise.)

Note that you'll want to make sure any other FTP applications are halted. Use "ps -aux" to double-check. Oh, and I wouldn't make a habit of running your FTP server with a command like the above. Your original method ("pure-ftpd start") seems to run through intermediate steps that may do additional checks on files, etc. to make sure pure-ftpd starts up reliably and securely. Issue the above command manually just to test whether the -P switch is the problem.
 

bitg

What is this storage?
Joined
Feb 11, 2004
Messages
8
Location
Los Angeles, CA
Will, what will a licenced version of SmartFTP give me that I do not already have?

i, is not the -p command for PASV FTP? When I run without it, I get a "data socket error". Something about the server actively refusing the connection.
 

i

Wannabe Storage Freak
Joined
Feb 10, 2002
Messages
1,080
bitg said:
i, is not the -p command for PASV FTP? When I run without it, I get a "data socket error". Something about the server actively refusing the connection.

Well, first of all don't confuse -p with -P (see the manual I linked to earlier). But yes, you're right, the switch controls an aspect of passive FTP ... and that's confusing me, especially as you had written earlier:

bitg said:
The router is pointing all my ports from 1-65535 to the Linux box and I am using the linux box to point a few of them to other internal ip addresses on other machines.

Without that switch, I would expect your pure-ftpd server to run normally, and I'd also expect any client you use from outside the network to be able to reach it, assuming they are attempting to connect in passive mode. If that's not happening, I'm not sure what to tell you. This Linux box you speak of - the one you say is acting as a sort of secondary router - that's the same box that pure-ftpd is running on, right?
 

The JoJo

Wannabe Storage Freak
Joined
Jan 25, 2002
Messages
1,490
Location
Finland, Turku
Website
www.thejojo.com
For me, to get the connection to work, that "-P IP-ADDRESS" was the most important one.
That controls the address sent to the client, and is the "return" address for future packets. Without it pure-ftpd just sends its local ip address to the clients outside your network (192.168....).

-S is something I have because I can't run the service on the normal port.

So maybe something like this:
/usr/local/sbin/pure-ftpd --daemonize -P LINKSYS-OUTER-IP-ADDRESS -A -c50 -B -C8 -D -fftp -H -I15 -L2000:8 -m4 -p30000:50000 -s -U133:022 -u100 -w -k99 -Z ?


i said:
The JoJo said:
Try something similar:
/usr/local/sbin/pure-ftpd -d -f ftp -S PORTNUMBER -P $IP -p PORTRANGE -A -c 10 -C 2 -X -x -I 5 -E -R -K -H -l puredb:/etc/pureftpd.pdb &

Don't introduce more variables just yet. Keep the first try simple. Take the original command that the pure-ftpd perl script runs and remove the -P switch completely. That gives you this:

Code:
/usr/local/sbin/pure-ftpd --daemonize -A -c50 -B -C8 -D -fftp -H -I15 -L2000:8 -m4 -p30000:50000 -s -U133:022 -u100 -w -k99 -Z

(Note that some of those other switches are important security-wise.)

Note that you'll want to make sure any other FTP applications are halted. Use "ps -aux" to double-check. Oh, and I wouldn't make a habit of running your FTP server with a command like the above. Your original method ("pure-ftpd start") seems to run through intermediate steps that may do additional checks on files, etc. to make sure pure-ftpd starts up reliably and securely. Issue the above command manually just to test whether the -P switch is the problem.
 

i

Wannabe Storage Freak
Joined
Feb 10, 2002
Messages
1,080
The JoJo said:
For me, to get the connection to work, that "-P IP-ADDRESS" was the most important one.
That controls the address sent to the client, and is the "return" address for future packets. Without it pure-ftpd just sends its local ip address to the clients outside your network (192.168....).

-S is something I have because I can't run the service on the normal port.

So maybe something like this:
/usr/local/sbin/pure-ftpd --daemonize -P LINKSYS-OUTER-IP-ADDRESS -A -c50 -B -C8 -D -fftp -H -I15 -L2000:8 -m4 -p30000:50000 -s -U133:022 -u100 -w -k99 -Z ?

That was my first thought too. But what does bitg do when he wants to connect to his FTP server when he's on his internal network? Then the FTP server is sending out an external IP address, when it should be sending out an internal one! Yack!

Hah ... maybe you need two interfaces on the FTP box. :lol: Sorry ... shouldn't laugh, but I'm just shaking my head here. So much for my "keep it simple" theory. :( I'm just so out of practice with this stuff it's depressing.
 

Will Rickards WT

Learning Storage Performance
Joined
Jun 19, 2002
Messages
433
Location
Pennsylvania, USA
Website
www.willrickards.net
bitg said:
Will, what will a licenced version of SmartFTP give me that I do not already have?

No nag screen in 30 days, that is, assuming you are using it for personal use. If you are using it for commercial use, you are required to get a license to use the software after 30 days. The nag screen comes up randomly between 8 and 5pm.

It will also get you premium support for 1 year.
 