
I'm trying to configure my pureftpd behind the firewall to act as a passive ftp/TLS server. Acting machines:

  • Server: 192.168.3.220 (internal network, default route to the router at 192.168.3.1) Configuration: pureftpd with PassivePorts 64000 64300, MasqueradeAddress ww.xx.yy.zz (this one is configured on router)
  • Router: internal: 192.168.3.1, DNAT rule (PREROUTING chain) ww.xx.yy.zz tcp/21,64000:64300 NATed to address 192.168.3.220, FORWARD chain accepting these packets both directions.
  • Client1: external server with fixed public IP
  • Client2: NATed machine somewhere - on 192.168.5.x network

Scenario1:

- Client1: connect OK, login OK, command 'ls':
gets OK, after PASV:

---> PASV
GNUTLS: REC[0x28ecce0]: Sending Packet[9] Application Data(23) with length: 6
GNUTLS: REC[0x28ecce0]: Sent Packet[10] Application Data(23) with length: 37
GNUTLS: ASSERT: gnutls_buffers.c:322
GNUTLS: ASSERT: gnutls_buffers.c:322
GNUTLS: REC[0x28ecce0]: Expected Packet[9] Application Data(23) with length: 65536
GNUTLS: REC[0x28ecce0]: Received Packet[9] Application Data(23) with length: 64
GNUTLS: REC[0x28ecce0]: Decrypted Packet[9] Application Data(23) with length: 31
<--- 200 Protection set to Private
---> LIST
---> ABOR

Interesting thing: the 227 from the server, which I see in the paranoid log from pureftpd, I don't see on the client - only the 200 Protection set to Private ... the client waits ca. 30 sec and reconnects using ACTIVE(!!) mode -> ls

Scenario2:

- using Client2 (sorry for the Czech locale):
---> USER xxxxxx
<--- 331 Password required for xxxxxx
---> PASS XXXX
<--- 230 User xxxxxx logged in    
---> PWD
<--- 230 Ls oi a:2013-01-03 21:19:00
---> PBSZ 0
<--- 257 "/" is the current directory
---> PROT P
<--- 200 PBSZ 0 successful
---> PASV
<--- 200 Protection set to Private
---> LIST
---> ABOR
---- Přerušený datový socket bude uzavřen (means closing data socket)
---- Řídicí socket bude uzavřen (means closing control socket)
---- Pasivní režim bude vypnut (means Passive will be turned off)
---- dns cache hit                                    
---- Navazuje se spojení na ftp1.xxxxxxxxx.cz (ww.xx.yy.zz) port 21
<--- 220 ww.xx.yy.zz FTP server ready

...

---> USER xxxxxx
<--- 331 Password required for xxxxxx
---> PASS XXXX
<--- 230 User xxxxxx logged in    
---> PWD
<--- 230 Ls oi a:2013-01-03 21:19:22
---> PBSZ 0
<--- 257 "/" is the current directory
---> PROT P
<--- 200 PBSZ 0 successful
---> PORT 192,168,5,xx,185,136
<--- 200 Protection set to Private
---> LIST
<--- 500 Illegal PORT command
---- Closing data socket
---> QUIT
ls: Nepřekonatelná chyba: 500 Illegal PORT command
<--- 425 Unable to build data connection: Connection refused

iptables on the NAT machine doesn't increase my accounting counters on ports 64000:64300, so I expect there's no passive connection being made at all.

Maybe one more comment: there are more IP addresses on the WAN interface of the router. In scenario1, when the active connection works, it's NOT from ww.xx.yy.zz:20, but aa.bb.cc.dd:45678 (the masqueraded one). This can be fixed by an SNAT rule on the firewall, SNATting packets from 192.168.3.220 to ww.xx.yy.zz, but it shouldn't affect the passive connections. Right? Thank you for any hint. – tloudev Jan 03 '13 at 21:37

1 Answer

So... the real problem was the second 230 reply:

 ---> PWD
 <--- 230 Ls oi a:2013-01-03 21:19:22

This is a known issue in PureFTPd 1.3.3a (the default in Debian squeeze). The solution was to compile PureFTPd from wheezy (1.3.4a-2); now everything works fine. Thank you all who tried to figure out what's going on. Tldv

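Added example, not code from the question, the answer or PureFTPd: a small Python checker that walks an lftp-style debug transcript like the ones above and flags the shifted replies (PWD answered with 230, PBSZ with 257, PASV with 200) that hid the 227 from the client and made it drop to active mode. The `SAMPLE` transcript is constructed and modelled on the Client2 log; the command/reply-code table and the `--->`/`<---` line format are assumptions.

```python
# Added example, not code from the question or from PureFTPd: scan an lftp-style
# debug transcript ("---> cmd" / "<--- reply") and flag positive replies whose
# code does not fit their command, noting when the code fits the previous
# command instead, i.e. the control channel has fallen one reply behind.
import re
# Positive reply codes each command should get (RFC 959, RFC 2228, RFC 4217).
EXPECTED = {
    "USER": {"331", "230"}, "PASS": {"230", "202"}, "PWD": {"257"},
    "PBSZ": {"200"}, "PROT": {"200"}, "PASV": {"227"}, "PORT": {"200"},
    "LIST": {"125", "150", "226", "250"},
}
LINE = re.compile(r"^(--->|<---)\s+(\S+)(?:\s+(.*))?$")

def check_transcript(text):
    """Return [(command, reply_code, lagging)] for each mismatched reply."""
    findings = []
    previous = current = None          # last answered command, unanswered one
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                   # "----" status lines, GnuTLS noise
        direction, word, _ = m.groups()
        if direction == "--->":
            if current is not None:    # command never answered (LIST, ABOR)
                previous = current
            current = word.upper()
            continue
        if current is None:
            continue                   # unsolicited reply such as the banner
        code = word[:3]
        # Only 1xx-3xx are checked; 4xx/5xx are legitimate errors to anything.
        if current in EXPECTED and code.isdigit() and code[0] in "123":
            if code not in EXPECTED[current]:
                lagging = previous in EXPECTED and code in EXPECTED[previous]
                findings.append((current, code, lagging))
        previous, current = current, None
    return findings

# Constructed transcript modelled on the one in the question (Client2).
SAMPLE = """\
---> PASS ****
<--- 230 User demo logged in
---> PWD
<--- 230 Ls oi a:2013-01-03 21:19:22
---> PBSZ 0
<--- 257 "/" is the current directory
---> PROT P
<--- 200 PBSZ 0 successful
---> PASV
<--- 200 Protection set to Private
"""
```

Three consecutive findings with `lagging=True` (PROT is skipped only because its shifted 200 happens to be valid) is the one-behind pattern; a single `lagging=False` entry points at a genuinely wrong reply instead.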