FTP-Server Enable the 'Masquerade Address' option

Postby marioth1 » Tue Jan 06, 2015 6:36 pm

Hello,

I've just installed v16.0 and discovered a setting in FTP-Server: "Enable the 'Masquerade Address' option"
When I activate it, the server can't be started (error).

As far as I can tell this option writes the following lines into proftpd.conf

<IfModule mod_dynmasq.c>
# Refresh any configured MasqueradeAddress directives every 4 hours
DynMasqRefresh 14400
</IfModule>

and also the line
MasqueradeAddress


For the command "MasqueradeAddress" the parameter (e.g. a URL) is missing and there is no GUI-Field where I can enter this parameter.
Starting proftpd via commandline brings up an error telling this (see attachments).

Until now I have used the "Additional settings file" for this parameter but I would like to use the built-in settings.
How am I supposed to pass the URL-Parameter to the conf-file?

best regards
Mario
marioth1
 
Posts: 27
Joined: Sat Aug 24, 2013 5:02 pm

Re: FTP-Server Enable the 'Masquerade Address' option

Postby Jocko » Tue Jan 06, 2015 6:44 pm

Hi marioth1,

in the help page you have
Masquerade Address option : you shouldn't need to enable this option except if you have an old router and it doesn't replace the "from" information of packets with its own public address (WAN IP). If you enable it, the server masquerades an IP address with your WAN IP of the ISP box. If you use the DDNS feature, the server will use this DDNS instead of your WAN IP and regularly updates the masquerade address (every 4 hours).
Note: when the masquerade option is enabled, you can only use passive mode from a remote host!


and
FTP Server Name : configures the string that will be displayed to a user connecting to the server. This option does not have great utility but it makes it possible to hide the default name of the server. So, the hacker has more difficulty to discover security bugs.
The characters "< > ?" are not authorized and erased if they are found.

The server name is displayed only with a FTP Client (not with any Internet Browser or Microsoft Explorer)

Note for vs upper to 12 : if you have enabled the DDNS, the server name is by default the one set in the host name field (LAN Setup menu) and you cannot change the value. The field is then disabled.


So if the line MasqueradeAddress is orphaned, that should mean that the firmware failed to detect your WAN IP.

Need to deepen this point.
Jocko
Site Admin - expert
 
Posts: 11357
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France

Re: FTP-Server Enable the 'Masquerade Address' option

Postby marioth1 » Tue Jan 06, 2015 6:58 pm

Jocko wrote: Need to deepen this point.



Do you need any additional info e.g. about or from my modem/router on this?
marioth1
 
Posts: 27
Joined: Sat Aug 24, 2013 5:02 pm

Re: FTP-Server Enable the 'Masquerade Address' option

Postby Jocko » Tue Jan 06, 2015 7:07 pm

I think I have found the issue.

To find the WAN IP, the script uses the command whois, but it seems that it now fails because it cannot connect to a remote server:
Code:
root@Acrab:/etc/init.d #  busybox whois 127.0.0.1
whois: can't connect to remote host (204.74.78.75): Connection timed out

PING 204.74.78.75 (204.74.78.75): 56 data bytes
^C
--- 204.74.78.75 ping statistics ---
200 packets transmitted, 0 packets received, 100% packet loss
So after the timeout, the script uses a null value.

Do you have the same behaviour?

Currently, you must use the DDNS feature to set a DDNS (if you don't want the firmware to update your DDNS, you can set wrong credentials).
Jocko
Site Admin - expert
 
Posts: 11357
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France
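
An added example, not the firmware's script (which is not shown in this thread): one way a config generator can avoid the orphan MasqueradeAddress line diagnosed above, by validating the detected address and emitting the directive only when it is usable. The function names and sample values are assumptions.

```shell
#!/bin/sh
# Added example: never write "MasqueradeAddress" without a usable argument.
# Function names are hypothetical; the sample inputs are constructed.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Return 0 if $1 looks like a DNS host name such as a DDNS name.
is_hostname() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*.|*..*|-*) return 1 ;;
        *.*) return 0 ;;
    esac
    return 1
}

# Print the directive for a valid address; print nothing and fail otherwise.
masq_directive() {
    case "$1" in
        *[!0-9.]*) is_hostname "$1" || return 1 ;;
        *)         is_ipv4 "$1" || return 1 ;;
    esac
    printf 'MasqueradeAddress %s\n' "$1"
}

# Emit the masquerade section of proftpd.conf, or nothing when the lookup
# returned an empty or malformed value (proftpd then starts unmasqueraded).
render_masquerade() {
    line=$(masq_directive "$1") || return 1
    printf '%s\n' '<IfModule mod_dynmasq.c>' 'DynMasqRefresh 14400' \
        '</IfModule>' "$line"
}

# Constructed inputs; "" models the timed-out lookup seen in the thread.
for candidate in "" 203.0.113.7 nas.example.net 999.1.1.1; do
    render_masquerade "$candidate" || echo "# skipped: '$candidate'"
done
```

Both validators reject whitespace and newlines, so a malformed lookup response cannot add extra directives to the generated file.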

Re: FTP-Server Enable the 'Masquerade Address' option

Postby Jocko » Tue Jan 06, 2015 7:27 pm

I updated the script.

Could you test if it solved your issue?

Attached is a test patch (install with the upload patch menu).
Jocko
Site Admin - expert
 
Posts: 11357
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France

Re: FTP-Server Enable the 'Masquerade Address' option

Postby marioth1 » Tue Jan 06, 2015 7:37 pm

Yes, I receive the same timeout.

I activated the firmware's DDNS and entered wrong credentials as you suggested (so my router is still in charge in terms of DDNS).
Now it works, thank you.

Could you please also add "AllowForeignAddress" to the GUI?
Then people who want to do server-to-server transport can go without the additional config-file.
Last edited by marioth1 on Tue Jan 06, 2015 8:15 pm, edited 2 times in total.
marioth1
 
Posts: 27
Joined: Sat Aug 24, 2013 5:02 pm

Re: FTP-Server Enable the 'Masquerade Address' option

Postby Jocko » Tue Jan 06, 2015 7:56 pm

Here is the comment on the AllowForeignAddress directive:
Normally, proftpd disallows clients from using the ftp PORT command with anything other than their own address (the source address of the ftp control connection), as well as preventing the use of PORT to specify a low-numbered (< 1024) port. In either case, the client is sent an "Invalid port" error and a message is syslog'd indicating either "address mismatch" or "bounce attack". By enabling this directive, proftpd will allow clients to transmit foreign data connection addresses that do not match the client's address. This allows such tricks as permitting a client to transfer a file between two FTP servers without involving itself in the actual data connection. Generally it's considered a bad idea, security-wise, to permit this sort of thing. AllowForeignAddress only affects data connection addresses; not tcp ports. There is no way (and no valid reason) to allow a client to use a low-numbered port in its PORT command.

As it degrades the proftpd security, I don't plan to add it in the GUI and it is very easy to use it in an additional conf file.

Remember: ftp is a protocol which can easily be broken and on the Internet there are many sniffers to detect the ftp servers.
Jocko
Site Admin - expert
 
Posts: 11357
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France
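
An added example, not ProFTPD code and not part of the original post: the two PORT checks described in the quoted directive text, showing that AllowForeignAddress relaxes only the address comparison while low-numbered ports stay refused. The `check_port` function, its argument order and all addresses are assumptions.

```shell
#!/bin/sh
# Added example: the PORT checks described in the quoted AllowForeignAddress
# text. check_port is hypothetical; verdict strings reuse the quoted wording
# and are not ProFTPD's exact log lines. All addresses are constructed.

# check_port CLIENT_IP "h1,h2,h3,h4,p1,p2" [on|off]
# Prints a verdict; returns 0 only when the data address is accepted.
check_port() {
    client_ip=$1 allow_foreign=${3:-off}
    case "$2" in
        ''|*[!0-9,]*|,*|*,|*,,*) echo "syntax error"; return 1 ;;
    esac
    old_ifs=$IFS; IFS=,
    set -- $2
    IFS=$old_ifs
    [ "$#" -eq 6 ] || { echo "syntax error"; return 1; }
    for n in "$@"; do
        case "$n" in 0?*|????*) echo "syntax error"; return 1 ;; esac
        [ "$n" -le 255 ] || { echo "syntax error"; return 1; }
    done
    data_ip="$1.$2.$3.$4"
    data_port=$(( $5 * 256 + $6 ))
    # Address check: the only one AllowForeignAddress relaxes.
    if [ "$data_ip" != "$client_ip" ] && [ "$allow_foreign" != on ]; then
        echo "Invalid port (address mismatch)"; return 1
    fi
    # Port check: low-numbered ports are refused whatever the directive says.
    if [ "$data_port" -lt 1024 ]; then
        echo "Invalid port (bounce attack)"; return 1
    fi
    echo "accept $data_ip:$data_port"
}

# Constructed session: control connection from 198.51.100.10.
check_port 198.51.100.10 198,51,100,10,19,137 || true  # own address
check_port 198.51.100.10 192,0,2,50,19,137 || true     # foreign, default
check_port 198.51.100.10 192,0,2,50,19,137 on || true  # foreign, directive on
check_port 198.51.100.10 192,0,2,50,0,25 on || true    # low port
```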

Re: FTP-Server Enable the 'Masquerade Address' option

Postby marioth1 » Tue Jan 06, 2015 8:24 pm

Jocko wrote: I updated the script.

Could you test if it solved your issue?

Attached is a test patch (install with the upload patch menu).



Just installed the patch,
now masquerading works without the firmware's DDNS being active.
Thank you
marioth1
 
Posts: 27
Joined: Sat Aug 24, 2013 5:02 pm

Re: FTP-Server Enable the 'Masquerade Address' option

Postby Jocko » Tue Jan 06, 2015 8:27 pm

Thank you, marioth1

I am going to post the patch in the download forum.
Jocko
Site Admin - expert
 
Posts: 11357
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France

Re: FTP-Server Enable the 'Masquerade Address' option

Postby marioth1 » Wed Jan 07, 2015 5:55 pm

Hi again,

now I think the whole thing with updating the IP-Address is not working.

My IP has changed more than 5 hours ago (> 14400 seconds), but proftpd still answers with the old (wrong) IP to the PASV command.
(proftpd.conf also still mentions the old IP after MasqueradeAddress command)


Do I need to install mod_dynmasq.c separately? (at least I can't find it anywhere in the filesystem)

best regards
marioth1
 
Posts: 27
Joined: Sat Aug 24, 2013 5:02 pm
