FTP server rejecting connections

Postby Cubytus » Sun Jun 09, 2019 4:19 pm

Hi there,

I activated the FTP server in fvdwsl, created a user with read-only rights to a given directory. The FTP port is non-standard 4222. Of course, I opened and redirected the correct port in the router's NAT.

From the LAN, login takes a second at most, and directories are displayed right away.
From the WAN however, login using the same user is refused (as shown in FTP Log file from fvdwsl).
I tested from another WAN (mobile phone tethering), same result, both in passive or active mode.

I also performed the usual routine when dealing with connection issues:
restart LaCie Cloudbox, restart router (both sides), to no avail.

The FTP log on fvdwsl firmware doesn't say why connection is rejected.

FWIW, another connection to the same server through WebDAV doesn't have this issue.

Help greatly appreciated.
Cubytus
Donator VIP
Posts: 202
Joined: Fri Apr 10, 2015 1:45 am

Re: FTP server rejecting connections

Postby Jocko » Sun Jun 09, 2019 4:46 pm

Hi Cubytus,

Several things must be checked:
- Cubytus wrote: "The FTP port is non-standard 4222. Of course, I opened and redirected the correct port in the router's NAT."
Adding a NAT rule on 4222 is not enough. For active mode, you need to add a NAT rule on the data port (so 4223), and for passive mode, add a rule on the passive ports range.
- What login mode did you set?
With 'Allow only' you need to add the IP used by your remote hosts.
- Did you enable the 'Masquerade Address' option or not? It depends on how your box works. So try with and without this option.
Jocko
Site Admin - expert
Posts: 11558
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France

Re: FTP server rejecting connections

Postby Cubytus » Sun Jun 09, 2019 7:28 pm

Hello Jocko,

Jocko wrote: "Adding a NAT rule on 4222 is not enough. For active mode, you need to add a NAT rule on the data port (so 4223), and for passive mode, add a rule on the passive ports range."
I can't possibly open ports 1024 to 65535 in the router? How are hosting companies' NATs configured? I doubt they would open such a massive ports range in their firewall. Not permanently, at the very least.

Jocko wrote: "What login mode did you set? With 'Allow only' you need to add the IP used by your remote hosts."
At first I left it at the default "Allow only", then switched to "Deny only". Both now fail to connect.

Jocko wrote: "Did you enable the 'Masquerade Address' option or not? It depends on how your box works. So try with and without this option."
Masquerade Address is disabled (default setting): fails to connect. Enabled: also fails to connect.

Current settings:
Masquerade IP turned on
Login mode: Deny only
FileZilla: passive mode

Result on FileZilla:
227 Entering passive mode
LIST
ECONNREFUSED
Timeout after 20 seconds

Result in FTP Log File:
USER paul: Login successful
So the server doesn't reject connection this time, but is still unreachable.

:(
Cubytus
Donator VIP
Posts: 202
Joined: Fri Apr 10, 2015 1:45 am

Re: FTP server rejecting connections

Postby Jocko » Mon Jun 10, 2019 4:57 pm

Hi,
Cubytus wrote: "Result in FTP Log File:
USER paul: Login successful
So the server doesn't reject connection this time, but is still unreachable."
So there is no longer an issue on your command port (4222), but only with the data port.

So try to force the active mode and make a NAT rule on 4223.
About passive mode:
Cubytus wrote: "I can't possibly open ports 1024 to 65535 in the router?"
No need to forward the full range.

Set a small range (at least the same number of ports as the max connections) and make the related NAT rule on them.
Jocko
Site Admin - expert
Posts: 11558
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France

Re: FTP server rejecting connections

Postby Cubytus » Mon Jun 10, 2019 7:03 pm

Tried in active mode: FAIL.
NAT set to forward TCP and UDP (the latter shouldn't be necessary) 4222 to 4223 toward the LaCie.

fvdw FTP configuration:
"Deny only"

FileZilla messages (abbreviated, since they appear on a different computer and I can't simply copy-paste them):
Listing current directory
PWD
257
Type I
200 Type set to I
Port 172,20,10,3,232,94
200 Port command successful
LIST
Timeout after 20 seconds

FTP Log file in LaCie:
Login successful
(around 20 seconds after)
Session closed.

Tried in passive mode: SUCCESS
NAT set to forward TCP and UDP (the latter shouldn't be necessary) 4222 to 4228 (4222 command port + 5 data ports for 5 maximum simultaneous connections) toward the LaCie.

fvdwsl FTP configuration:
Restricted passive ports to the 4223-4228 range (5 simultaneous connections, as I may have to connect more than one computer for debugging purposes)
"Deny only"

FileZilla messages:
Connecting to …
Connection established, waiting for welcome message
Insecure server, FTP on TLS unsupported

Listing directory
Directory "/" listed

So the last one was successful! (Small glitch: FileZilla doesn't display the welcome message)

Still, why does it fail in active mode but not in passive mode? How do professionals configure their firewall to allow both active and passive connections to their FTP servers?
Cubytus
Donator VIP
Posts: 202
Joined: Fri Apr 10, 2015 1:45 am
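The two posts above boil down to one question: which address and port will the other side dial for the data connection, and do the server's passive range, the masquerade address and the router's NAT rules agree with it? The following Python script is an added example (not code from the thread, from fvdwsl or from FileZilla) that parses the `PORT` line and a `227` reply in the RFC 959 h1,h2,h3,h4,p1,p2 form and checks them against a constructed server configuration and NAT rule set. The `PORT 172,20,10,3,232,94` line is the one quoted in the post; the 227 reply, the public address 203.0.113.10 and the NAT port sets are constructed stand-ins, and the `ServerConfig`/`RouterNat` classes are the example's own, not settings names from fvdwsl.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Both the PORT command and the 227 reply carry h1,h2,h3,h4,p1,p2 (RFC 959);
# the port number is p1*256 + p2.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Address blocks that are never reachable from the public Internet:
# the RFC 1918 private ranges plus the RFC 6598 carrier-grade NAT block.
_UNROUTABLE = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def parse_hostport(line: str) -> Tuple[str, int]:
    """Return (ip, port) from a PORT command or a 227 reply line."""
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def unroutable_from_wan(ip: str) -> bool:
    """True if a host on the Internet cannot dial this address at all."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _UNROUTABLE)


@dataclass
class ServerConfig:                  # hypothetical model of the server settings
    command_port: int
    passive_range: Tuple[int, int]   # inclusive low..high, as restricted in the server
    max_connections: int
    masquerade_ip: Optional[str]     # public address advertised in 227 replies, if any


@dataclass
class RouterNat:                     # hypothetical model of the router's port forwards
    tcp_forwards: Set[int]           # TCP ports the router forwards to the server


def check_config(cfg: ServerConfig, nat: RouterNat) -> List[str]:
    """Static checks on server settings and router NAT, before any client connects."""
    problems = []
    if cfg.command_port not in nat.tcp_forwards:
        problems.append("command port %d is not forwarded" % cfg.command_port)
    low, high = cfg.passive_range
    if high - low + 1 < cfg.max_connections:
        problems.append("passive range %d-%d has fewer ports than %d max connections"
                        % (low, high, cfg.max_connections))
    missing = [p for p in range(low, high + 1) if p not in nat.tcp_forwards]
    if missing:
        problems.append("passive ports not forwarded: %s" % missing)
    if cfg.masquerade_ip is None or unroutable_from_wan(cfg.masquerade_ip):
        problems.append("no public masquerade address: 227 replies would carry a LAN address")
    return problems


def check_pasv_reply(cfg: ServerConfig, nat: RouterNat, reply: str) -> List[str]:
    """Passive mode: check what a WAN client would dial after this 227 reply."""
    ip, port = parse_hostport(reply)
    problems = []
    if unroutable_from_wan(ip):
        problems.append("227 advertises %s, unreachable from the WAN" % ip)
    low, high = cfg.passive_range
    if not low <= port <= high:
        problems.append("227 port %d is outside passive range %d-%d" % (port, low, high))
    if port not in nat.tcp_forwards:
        problems.append("data port %d is not forwarded by the router" % port)
    return problems


def check_port_command(cmd: str, client_on_wan: bool) -> List[str]:
    """Active mode: check what the server would dial after this PORT command."""
    ip, port = parse_hostport(cmd)
    if client_on_wan and unroutable_from_wan(ip):
        return ["PORT names %s:%d, which the server cannot reach across the Internet" % (ip, port)]
    return []


if __name__ == "__main__":
    # Constructed scenarios modelled on the thread; 203.0.113.10 stands in for
    # the box's public address (it is a documentation prefix, not a real host).
    passive_ok = ServerConfig(4222, (4223, 4228), 5, "203.0.113.10")
    nat_ok = RouterNat(set(range(4222, 4229)))
    print("passive, range forwarded:", check_config(passive_ok, nat_ok) or "OK")
    print("227 check:", check_pasv_reply(passive_ok, nat_ok,
          "227 Entering Passive Mode (203,0,113,10,16,127)") or "OK")
    # Only the command port forwarded: login succeeds, LIST ends in ECONNREFUSED.
    print("passive, 4222 only:", check_config(passive_ok, RouterNat({4222})))
    # Active mode from a tethered phone: the PORT line quoted in the post.
    print("active:", check_port_command("Port 172,20,10,3,232,94", client_on_wan=True))
```

The active-mode check is the one worth reading twice: `PORT 172,20,10,3,232,94` decodes to 172.20.10.3:59486, an RFC 1918 address, so the server's outbound data connection has nowhere to go regardless of any rule on the server-side router; the passive-mode checks instead turn on the server advertising a public masquerade address and the router forwarding every port in the restricted passive range.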

Re: FTP server rejecting connections

Postby Jocko » Wed Jun 12, 2019 7:17 am

Hi Cubytus

Cubytus wrote: "Still, why does it fail in active mode but not in passive mode? How do professionals configure their firewall to allow both active and passive connections to their FTP servers?"
In a professional environment, the FTP server is not behind an ISP box.
Another thing: in active mode, it is the remote host (the FTP client) which initiates the data channel on the data port, which is a nightmare for IT security! (You open a port and let any remote host do what it wants on this port.) That is why the passive mode protocol was created.

When you use the standard port (21), many ISP boxes/routers have FTP facilities (they quietly and automatically set a firewall rule on port 22), and I assume that is not the case for your custom data port (4223).

So I suggest making a first test by disabling the firewall on your box and seeing whether you get full access to the FTP server in active mode. Later, after restoring the firewall, you need to set a firewall rule on port 4223.
Jocko
Site Admin - expert
Posts: 11558
Joined: Tue Apr 12, 2011 4:48 pm
Location: Orleans, France
