Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Pure-ftpd, passive mode, tls
Operating Systems Linux Debian Pure-ftpd, passive mode, tls Post 302866559 by sedlis on Tuesday 22nd of October 2013 09:29:20 AM
Old 10-22-2013
Pure-ftpd, passive mode, tls
Hello everyone,
Could you please help me with settings of pure-ftpd.

Here is my actual solution:
I have got linux (debian 7.1 wheezy ), where I run pure-ftpd, created virtual users, folder for ftp. I also install openssl, create private certificate for tls. All seems good.

When user connect from internal address in passive mode without TLS - its working fine.
When user connect from internal address in passive mode with TLS - its working fine.
When user connect from external address in passive mode without TLS - its working fine.
When user connect from external address in passive mode with TLS - ftp doesn't work, because ftp server return to external client local ip address. And client doens't know this address.

I also tried solve this problem to create conf file in /etc/pure-ftpd/conf/ForcePassiveIP ,where is written external address. But when user connect from external address he got external address what is fine, but after he got another error with connection. And this waz I think is not good, because users from internal network will not be able to connect ftp, because they will get external address from ForcePassiveIP conf file.
Maybe I can make two ftps server with different settings, but I think its not optimal. Could you please help me ? lw: I am beginner with linux, so if you have any solution could you please more expand for me ? Thank you very much.
 

8 More Discussions You Might Find Interesting

1. UNIX for Dummies Questions & Answers

passive ftp problem

Hello! Im having a strange problem. Im getting "Possible PASV port theft, cannot open data connection" when i try to ftp from one machine to another. This dosent happen everytime, only once in a while. Ive checked the firewall, and everything is open betwen client -> server, no restrictions... (1 Reply)
Discussion started by: dozy
1 Replies

2. UNIX Desktop Questions & Answers

how to check if a file ftpd to mainframe was actually ftpd

Hi All, I am ftping a file from unix to mainframe. Now the problem arises that i want to check if the file was ftpd or not. Is there any way i could do this? (4 Replies)
Discussion started by: vikas.rao11
4 Replies

3. Shell Programming and Scripting

error while passive ftp file transfer

hi i am doing a passive ftp file transfer . during that i got the following error. "ftp> put FTPS_MAILBOX local: FTPS_MAILBOX remote: FTPS_MAILBOX 421 Service not available, remote server has closed connection Passive mode refused. Turning off passive mode. No control connection for... (1 Reply)
Discussion started by: Satyak
1 Replies

4. AIX

AIX HACMP Active/Passive Config

I have a HACMP 6.1 configured in a active/passive. I have 1 NIC with 3 IP address on (Boot, Persistent and Service ) . All address are routable. One of the application on the HA cluster is also using Boot Ip to send application data. Question : Since all the traffic is passing thru the same... (3 Replies)
Discussion started by: mk8570
3 Replies

5. AIX

ftp connect in passive mode , ftp settings

how to connect to ftp server in passive mode? ftp server.abc and how can i see ftp settings, doesn't exist some ftpd.conf there is some other file where i check the options and configurations of ftp server? Thanks (3 Replies)
Discussion started by: prpkrk
3 Replies

6. IP Networking

vsftp | active and passive ftp | iptables

I am using vsftp but I can't login with passive mode. I can only login with active mode. I can login with both mode when service of iptables is stop. In active mode : 20,21 must be open from server site. 1023 and over must be open at client site. In passive mode : only 21,1023 and over must be... (1 Reply)
Discussion started by: getrue
1 Replies

7. SuSE

Pure-FTPd [TLS] Login problem

Hello everybody Recently I installed Pure-FTPd and i tried to connect to my server and i try to login using my ID/PW i got always anonymous login.... here what i got, # ftp ftp> open localhost Trying 127.0.0.1... Connected to localhost. 220---------- Welcome to Pure-FTPd ----------... (0 Replies)
Discussion started by: hael
0 Replies

8. Solaris

How to configure CUPS on Solaris 11.3 - TLS and no TLS?

We are implementing CUPS on a new Solaris 11.3 system. The same system will run an application where users can print to networked printers inside our organisation, or to a printer outside of our organisation over the internet. For users printing to internal network printers, no encryption is... (0 Replies)
Discussion started by: SallyB
0 Replies

LEARN ABOUT OSX

ftp-proxy

FTP-PROXY(8)						    BSD System Manager's Manual 					      FTP-PROXY(8)

NAME

     ftp-proxy -- Internet File Transfer Protocol proxy server

SYNOPSIS

     ftp-proxy -i [-AnrVw] [-a address] [-D debuglevel] [-g group] [-M maxport] [-m minport] [-R address[:port]] [-S address] [-t timeout]
	       [-u user]
     ftp-proxy -p [-AnrVw] [-a address] [-D debuglevel] [-g group] [-M maxport] [-m minport] [-R address[:port]] [-S address] [-t timeout]
	       [-u user]

DESCRIPTION

     ftp-proxy is a proxy for the Internet File Transfer Protocol.  The proxy uses pf(4) and expects to have the FTP control connection as
     described in services(5) redirected to it via a pf(4) rdr command.  An example of how to do that is further down in this document.

     The options are as follows:

     -A      Permit only anonymous FTP connections.  The proxy will allow connections to log in to other sites as the user "ftp" or "anonymous"
	     only.  Any attempt to log in as another user will be blocked by the proxy.

     -a address
	     Specify the local IP address to use in bind(2) as the source for connections made by ftp-proxy when connecting to destination FTP
	     servers.  This may be necessary if the interface address of your default route is not reachable from the destinations ftp-proxy is
	     attempting connections to, or this address is different from the one connections are being NATed to.  In the usual case this means
	     that address should be a publicly visible IP address assigned to one of the interfaces on the machine running ftp-proxy and should be
	     the same address to which you are translating traffic if you are using the -n option.

     -D debuglevel
	     Specify a debug level, where the proxy emits verbose debug output into syslogd(8) at level LOG_DEBUG.  Meaningful values of debu-
	     glevel are 0-3, where 0 is no debug output and 3 is lots of debug output, the default being 0.

     -g group
	     Specify the named group to drop group privileges to, after doing pf(4) lookups which require root.  By default, ftp-proxy uses the
	     default group of the user it drops privilege to.

     -i      Set ftp-proxy for use with IP-Filter.

     -M maxport
	     Specify the upper end of the port range the proxy will use for the data connections it establishes.  The default is IPPORT_HILASTAUTO
	     defined in <netinet/in.h> as 65535.

     -m minport
	     Specify the lower end of the port range the proxy will use for all data connections it establishes.  The default is
	     IPPORT_HIFIRSTAUTO defined in <netinet/in.h> as 49152.

     -n      Activate network address translation (NAT) mode.  In this mode, the proxy will not attempt to proxy passive mode (PASV or EPSV) data
	     connections.  In order for this to work, the machine running the proxy will need to be forwarding packets and doing network address
	     translation to allow the outbound passive connections from the client to reach the server.  See pf.conf(5) for more details on NAT.
	     The proxy only ignores passive mode data connections when using this flag; it will still proxy PORT and EPRT mode data connections.
	     Without this flag, ftp-proxy does not require any IP forwarding or NAT beyond the rdr necessary to capture the FTP control connec-
	     tion.

     -p      Set ftp-proxy for use with pf.

     -R address:[port]
	     Reverse proxy mode for FTP servers running behind a NAT gateway.  In this mode, no redirection is needed.	The proxy is run from
	     inetd(8) on the port that external clients connect to (usually 21).  Control connections and passive data connections are forwarded
	     to the server.

     -r      Use reverse host (reverse DNS) lookups for logging and libwrap use.  By default, the proxy does not look up hostnames for libwrap or
	     logging purposes.

     -S address
	     Source address to use for data connections made by the proxy.  Useful when there are multiple addresses (aliases) available to the
	     proxy.  Clients may expect data connections to have the same source address as the control connections, and reject or drop other con-
	     nections.

     -t timeout
	     Specifies a timeout, in seconds.  The proxy will exit and close open connections if it sees no data for the duration of the timeout.
	     The default is 0, which means the proxy will not time out.

     -u user
	     Specify the named user to drop privilege to, after doing pf(4) lookups which require root privilege.  By default, ftp-proxy drops
	     privilege to the user proxy.

	     Running as root means that the source of data connections the proxy makes for PORT and EPRT will be the RFC mandated port 20.  When
	     running as a non-root user, the source of the data connections from ftp-proxy will be chosen randomly from the range minport to
	     maxport as described above.

     -V      Be verbose.  With this option the proxy logs the control commands sent by clients and the replies sent by the servers to syslogd(8).

     -w      Use the tcp wrapper access control library hosts_access(3), allowing connections to be allowed or denied based on the tcp wrapper's
	     hosts.allow(5) and hosts.deny(5) files.  The proxy does libwrap operations after determining the destination of the captured control
	     connection, so that tcp wrapper rules may be written based on the destination as well as the source of FTP connections.

     ftp-proxy is run from inetd(8) and requires that FTP connections are redirected to it using a rdr rule.  A typical way to do this would be to
     use either an ipnat rule such as

       int_if = "xl0";
       rdr $int_if 0/0 port 21 -> 127.0.0.1 port 8021 tcp

     or a pf.conf(5) rule such as

       int_if = "xl0"
       rdr pass on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

     inetd(8) must then be configured to run ftp-proxy on the port from above using

       127.0.0.1:8021 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy -[ip]

     in inetd.conf(5).

     ftp-proxy accepts the redirected control connections and forwards them to the server.  The proxy replaces the address and port number that
     the client sends through the control connection to the server with its own address and proxy port, where it listens for the data connection.
     When the server opens the data connection back to this port, the proxy forwards it to the client.	If you're using IP-Filter, the ipf.conf(5)
     rules need to let pass connections to these proxy ports (see options -u, -m, and -M above) in on the external interface.  The following exam-
     ple allows only ports 49152 to 65535 to pass in statefully:

	   block in on $ext_if proto tcp all
	   pass  in on $ext_if inet proto tcp from any to $ext_if 
	       port > 49151 keep state

     If you're using pf, then the pf.conf(5) rules need to let pass connections to these proxy ports (see options -u, -m, and -M above) in on the
     external interface.  The following example allows only ports 49152 to 65535 to pass in statefully:

	   block in on $ext_if proto tcp all
	   pass  in on $ext_if inet proto tcp from any to $ext_if 
	       port > 49151 keep state

     Alternatively, pf.conf(5) rules can make use of the fact that by default, ftp-proxy runs as user "proxy" to allow the backchannel connec-
     tions, as in the following example:

	   block in on $ext_if proto tcp all
	   pass  in on $ext_if inet proto tcp from any to $ext_if 
	       user proxy keep state

     These examples do not cover the connections from the proxy to the foreign FTP server.  If one does not pass outgoing connections by default
     additional rules are needed.

NOTES

     com.apple/100.InternetSharing/ftp-proxy PF anchor is required for this daemon to correctly function.

SEE ALSO

     ftp(1), pf(4), hosts.allow(5), hosts.deny(5), inetd.conf(5), ipf.conf(5), ipnat.conf(5), pf.conf(5), inetd(8), ipf(8), ipnat(8), pfctl(8),
     syslogd(8)

BUGS

     Extended Passive mode (EPSV) is not supported by the proxy and will not work unless the proxy is run in network address translation mode.
     When not in network address translation mode, the proxy returns an error to the client, hopefully forcing the client to revert to passive
     mode (PASV) which is supported.  EPSV will work in network address translation mode, assuming a configuration setup which allows the EPSV
     connections through to their destinations.

     IPv6 is not yet supported.

BSD
								  March 16, 2011							       BSD
All times are GMT -4. The time now is 06:48 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy