FTP-Server Enable the 'Masquerade Address' option

Re: FTP-Server Enable the 'Masquerade Address' option

Postby Jocko » Wed Jan 07, 2015 6:26 pm

Hi marioth1

No need to do that, it is already loaded:
Code:
root@Acrab:/ # proftpd -vv
ProFTPD Version: 1.3.5rc4 (devel)
  Scoreboard Version: 01040003
  Built: Sat Feb 1 2014 15:28:54 GMT+1

Loaded modules:
  mod_lang/1.0
  mod_cap/1.1
  mod_sftp/0.9.9
  mod_dynmasq/0.4
  mod_tls/2.6
  mod_ident/1.0
  mod_facts/0.3
  mod_delay/0.7
  mod_site.c
  mod_log.c
  mod_ls.c
  mod_auth.c
  mod_auth_file/1.0
  mod_auth_unix.c
  mod_rlimit.c
  mod_xfer.c
  mod_core.c
So mod_dynmasq is available.

About the masquerade IP, you can check this:
Code:
root@Acrab:/ # proftpd -t
Checking syntax of configuration file
2015-01-07 19:13:37,842 Acrab.local proftpd[3236]: warning: config file '/etc/proftpd.conf' is world-writable
2015-01-07 19:13:37,992 Acrab.local proftpd[3236]: warning: handling possibly truncated configuration data at line 433 of '/etc/proftpd.conf'
2015-01-07 19:13:38,056 Acrab.local proftpd[3236] 127.0.0.1: 127.0.0.1:21 masquerading as 86.221.145.135
Syntax check complete.


But read the DynMasqRefresh help
DynMasqRefresh
Syntax: DynMasqRefresh secs
Default: None
Context: "server config"
Module: mod_dynmasq
Compatibility: 1.2.10

The DynMasqRefresh directive configures the amount of time, in seconds, between mod_dynmasq's checking and updating of all MasqueradeAddress directives. If no DynMasqRefresh directive is configured, then the module will do no checking.

The process of resolving a DNS name to its IP address can, depending on the DNS configuration, take a noticeable amount of time. This, combined with the number of MasqueradeAddress directives in your proftpd.conf, can cause mod_dynmasq to make the daemon unavailable while it resolves all addresses. Therefore it is highly recommended that the configured interval be as long as possible, for example for 8 hours.
So DynMasqRefresh resolves a DNS name.

If you use a WAN IP with MasqueradeAddress (so when you don't use the DDNS feature), DynMasqRefresh will do nothing.

Maybe I can change this behavior: for example, if you enable the masquerade option, it will use the servername as DNS (of course it will fail if you use a wrong DNS).
Jocko
Site Admin - expert
 
Posts: 11357
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France

Re: FTP-Server Enable the 'Masquerade Address' option

Postby marioth1 » Wed Jan 07, 2015 6:34 pm

Hi

Jocko wrote:
if you use a WAN IP with MasqueradeAddress (so when you don't use the ddns feature), DynMasqRefresh will do nothing


so it will work if I use the built-in DDNS-service (with wrong credentials like you mentioned yesterday)?

Edit:
Just activated that, now the dns-name is mentioned in the proftpd.conf. Is DynMasqRefresh now working?


Jocko wrote:
maybe I can change this behavior: for example if you enable masquerade option, it will use the servername as DNS (of course it will fail if you use a wrong DNS)


I assume this needs more than a patch?

best regards
marioth1
 
Posts: 27
Joined: Sat Aug 24, 2013 5:02 pm

Re: FTP-Server Enable the 'Masquerade Address' option

Postby Jocko » Wed Jan 07, 2015 6:45 pm

marioth1 wrote:so it will work if I use the built-in DDNS-service (with wrong credentials like you mentioned yesterday)?
Yes

marioth1 wrote:I assume this needs more than a patch?
No, this can be done with a patch, but I need a little more time to think.
Jocko
Site Admin - expert
 
Posts: 11357
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France

Re: FTP-Server Enable the 'Masquerade Address' option

Postby Jocko » Wed Jan 07, 2015 7:39 pm

It is done as with FTPS servers: the script uses a similar way to masquerade the WAN IP (a masquerade IP is always required because connections are encrypted and the router cannot substitute the local IP with its public IP).

So the new behaviour for the FTP server is:
- without the masquerade option, the conf file contains no dynmasq directive.
- with the masquerade option:
  1/ a dynmasq directive is added to update the masquerade.
  2/ the masquerade directive uses the servername as DDNS if it seems to be a web DDNS (if you put a wrong server name, proftpd will fail to start), and otherwise uses your current WAN IP (so you must restart the server each time your public IP changes).

I haven't updated the FTP help yet (I want to update several points).

Attached a new patch version for testing
Jocko
Site Admin - expert
 
Posts: 11357
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France
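
The configuration behaviour described in the post above (nothing emitted without the masquerade option; with it, a DynMasqRefresh directive plus a MasqueradeAddress that is the server name when it looks like a DDNS host, otherwise the current WAN IP), sketched as an added example that is not the attached patch or any project code. The function names, the "looks like a DDNS name" test and the sample values are assumptions; 14400 s is the 4-hour interval mentioned later in the thread.

```shell
#!/bin/sh
# Added example: build the masquerade lines for proftpd.conf as the thread describes.
# Assumed names and heuristic; 14400 s is the 4-hour refresh mentioned in the thread.
REFRESH_SECS=14400

# True if $1 is a dotted-quad IPv4 literal (four octets, each 0..255).
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Assumed test for "seems to be a web DDNS": dotted hostname made only of
# letters, digits, '-' and '.', and not an IP literal. Rejecting everything else
# (spaces, newlines) also keeps the value from adding extra lines to the config.
is_ddns_name() {
    is_ipv4 "$1" && return 1
    case "$1" in
        ""|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*) return 1 ;;
        *.*) return 0 ;;
    esac
    return 1
}

# masq_directives <enabled 0|1> <servername> <wan_ip>
masq_directives() {
    [ "$1" = 1 ] || return 0      # option off: no masquerade or dynmasq directive
    if is_ddns_name "$2"; then
        target=$2                 # re-resolved by mod_dynmasq every REFRESH_SECS
    elif is_ipv4 "$3"; then
        target=$3                 # fixed IP: refresh is a no-op, restart on IP change
    else
        echo "no usable masquerade target" >&2
        return 1
    fi
    printf 'MasqueradeAddress %s\n' "$target"
    printf '<IfModule mod_dynmasq.c>\n  DynMasqRefresh %s\n</IfModule>\n' "$REFRESH_SECS"
}

# Constructed sample values (documentation host name and address).
masq_directives 1 nas.example.net 203.0.113.7
```
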

Re: FTP-Server Enable the 'Masquerade Address' option

Postby marioth1 » Wed Jan 07, 2015 10:41 pm

Jocko wrote:It is done as with ftps servers, the script uses a similar way to masquerade the WAN IP (masquerade IP is always required because connections are encrypted and the router can not substitute the local IP with its public IP).

So the new behaviour for the ftp server is :
- without masquerade option, the conf file contains no dynmasq directive.
- with masquerade option:
1/ add a dynmasq directive to update the masquerade.
2/ masquerade directive uses : the servername as DDNS if it seems to be a web ddns (if you put a wrong server name, proftpd will fail to start)
and otherwise uses your current WAN IP. (so you must restart the server at each time your public IP change)

I don't yet update the ftp help (I want update several points)

Attached a new patch version for testing



I installed the patch and deactivated the built-in DDNS again (also erased the domain name there).
The FTP-Server's name is still set to my (dyn-dns) domain.
Restarted ftp-service.
Parameter MasqueradeAddress in proftpd.conf now has FTP-Server name as parameter.
As far as I can tell it works, proftpd answers with wan-ip to PASV.
Tomorrow I can test if the DynMasqRefresh is working (Why did you set the parameter to 4 hours? Every 30 minutes (or more often) would do no harm I think)

best regards
marioth1
 
Posts: 27
Joined: Sat Aug 24, 2013 5:02 pm

Re: FTP-Server Enable the 'Masquerade Address' option

Postby Jocko » Wed Jan 07, 2015 11:13 pm

You did not understand me!
marioth1 wrote:Parameter MasqueradeAddress in proftpd.conf now has FTP-Server name as parameter.
:disapprove

That means that you keep the default FTP server name in the field "servername"!
You must put your DDNS as server name in this field.
Jocko
Site Admin - expert
 
Posts: 11357
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France

Re: FTP-Server Enable the 'Masquerade Address' option

Postby marioth1 » Thu Jan 08, 2015 8:56 am

Jocko wrote:You did not understand me! :disapprove

That means that you keep the default FTP server name in the field "servername" !
you must put your DDNS as server name in this field




Hmm, I don't see where I misunderstood you.

Built-in DDNS-Service is now deactivated, the field "FTP-Server name" contains my DDNS
and since yesterday's patch this value is passed to the masqueradeaddress command?
marioth1
 
Posts: 27
Joined: Sat Aug 24, 2013 5:02 pm

Re: FTP-Server Enable the 'Masquerade Address' option

Postby Jocko » Thu Jan 08, 2015 1:01 pm

Sorry, I made a mistake: as you wrote "FTP-Server name", I thought that you kept the default name (it is built like you quoted).

So if you use your ddns, there is no issue.
Jocko
Site Admin - expert
 
Posts: 11357
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France

Re: FTP-Server Enable the 'Masquerade Address' option

Postby marioth1 » Thu Jan 08, 2015 4:18 pm

Jocko wrote:Sorry, I made a mistake as you wrote "FTP-Server name" I thought that you kept the default name (it is built like you quoted").

So if you use your ddns, there is no issue.


Writing around midnight confuses things :-)

Also DynMasqRefresh seems to work.
Still, why did you set the time for those updates to 4 hours?
Asking DNS if address has changed for example every 30 minutes won't produce much traffic I think.

best regards
marioth1
 
Posts: 27
Joined: Sat Aug 24, 2013 5:02 pm

Re: FTP-Server Enable the 'Masquerade Address' option

Postby Jocko » Thu Jan 08, 2015 5:01 pm

marioth1 wrote:Still, why did you set the time for those updates to 4 hours?
Asking DNS if address has changed for example every 30 minutes won't produce much traffic I think.

I just followed the directive recommendation:

This, combined with the number of MasqueradeAddress directives in your proftpd.conf, can cause mod_dynmasq to make the daemon unavailable while it resolves all addresses. Therefore it is highly recommended that the configured interval be as long as possible, for example for 8 hours.

So I did not fully follow it, as we use 4h instead of 8h.

Please note: over remote access, downloading some big files can take more than 30 min, depending on your ISP upload speed. If we set a short update period, file transfers will regularly be broken.
Jocko
Site Admin - expert
 
Posts: 11357
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France
