John, I tried your suggestion and you were correct, it seems that plusnet do not allow the connection out then in again. FTP works from my phone. Now the next issue. I am trying to add my ftp share as a repository in YaST > Software Repositoried > Add > Specify URL i have tried ftp://192.168.0.10/ (which works in Dolphin). It either freezes on 'Checking repository type' (causing me to have to kill yast2) or it says 'Unable to create repository from URL Change the URL or try again?' The same files work over smb in another repository On 15 November 2014 18:54, John Andersen wrote:

On November 15, 2014 10:13:13 AM PST, Paul Groves wrote:

...

Hi All,

I have set up an anonymous FTP share on my FreeNAS box according to the following instructions:

http://youtu.be/wySXaTMMLoA?t=4m23s

This works fine when I access is over LAN in Dolphin and Firefox using ftp://192.168.0.10/

I have forwarded port 21 to 192.168.0.10 on my router, however when I try to access ftp://myinternetip/ it does not connect. I am faced with a loading icon for up to 10 mins in firefox before it times out and Dolphin just says it could not connect to the server after about 30 seconds.

I am able to access my owncloud successfully though. Any ideas?

Have you tried from somewhere else? Take your phone off wifi, use your cell data and try it.

Some ISPs don't allows out then in again connections to the same cable modem or router. My comcast connection won't allow this. Same symptoms.

Yet it works from anywhere else.

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 11/16/2014 12:38 PM, listreader wrote:

FTP is still relevant and still useful. The current implementation is FTPS with SSL and TLS support. Password and transfers are encrypted.

Isn't this then a completely different port then? $ grep -i ftps /etc/services | head -n4 ftps-data 989/tcp # ftp protocol, data, over TLS/SSL ftps-data 989/udp # ftp protocol, data, over TLS/SSL ftps 990/tcp # ftp protocol, control, over TLS/SSL [Christopher_Allen] ftps 990/udp # ftp protocol, control, over TLS/SSL [Christopher_Allen] Have a nice day, Berny -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 11/16/2014 06:55 AM, Bernhard Voelker wrote:

On 11/16/2014 12:38 PM, listreader wrote:

...

FTP is still relevant and still useful. The current implementation is FTPS with SSL and TLS support. Password and transfers are encrypted. Isn't this then a completely different port then?

$ grep -i ftps /etc/services | head -n4 ftps-data 989/tcp # ftp protocol, data, over TLS/SSL ftps-data 989/udp # ftp protocol, data, over TLS/SSL ftps 990/tcp # ftp protocol, control, over TLS/SSL [Christopher_Allen] ftps 990/udp # ftp protocol, control, over TLS/SSL [Christopher_Allen]

Have a nice day, Berny

Or SFTP on port 115. It's easy to set up on Linux. https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 11/16/2014 07:47 AM, Carlos E. R. wrote:

Huh, 115 is "Simple File Transfer Protocol", not Secure FTP (ssh ftp), over port 22.

Sorry, to many SFTPs. ;-) I must have been thinking of that because I set up a S(imple)FTP server not too long ago. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 11/16/2014 07:33 AM, James Knott wrote:

Or SFTP on port 115. It's easy to set up on Linux. https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol

Another possibility is SCP. It uses SSH port 22. https://en.wikipedia.org/wiki/Secure_copy -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 11/16/2014 04:33 AM, James Knott wrote:

On 11/16/2014 06:55 AM, Bernhard Voelker wrote:

...

On 11/16/2014 12:38 PM, listreader wrote:

...

FTP is still relevant and still useful. The current implementation is FTPS with SSL and TLS support. Password and transfers are encrypted. Isn't this then a completely different port then?

$ grep -i ftps /etc/services | head -n4 ftps-data 989/tcp # ftp protocol, data, over TLS/SSL ftps-data 989/udp # ftp protocol, data, over TLS/SSL ftps 990/tcp # ftp protocol, control, over TLS/SSL [Christopher_Allen] ftps 990/udp # ftp protocol, control, over TLS/SSL [Christopher_Allen]

Have a nice day, Berny

Or SFTP on port 115. It's easy to set up on Linux. https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol

Please just STOP!!!. This thread is about a NAS box, and the capabilities there in. -- After all is said and done, more is said than done. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 11/16/2014 03:10 AM, Bernhard Voelker wrote:

FTP does not only use port 21, but also port 20.

However, other than for read-only access for data aimed to be publicly available, FTP is not the right protocol nowadays: * due to that split port 20/21 communication, setting up proper firewall rules is not easy. * the username/password is transferred unencrypted and can be read by anyone sniffing on the network. * ...

Maybe your NAS supports HTTP(S), too?

Has NOBODY ON THIS THREAD ever heard about PASSIVE mode FTP? Its drop dead simple to set up in your firewall, and unless the NAS doesn't support it, its just as simple to configure on the FTP server. -- After all is said and done, more is said than done. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/16/2014 11:06 AM, Carlos E. R. wrote:

Why do you SHOUT at us? Why are you so aggressive?

Because none of you are addressing the OP's problem of connecting to his NAS box. He doesn't have the luxury or rewriting the interface of that device. - -- After all is said and done, more is said than done. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlRo9ucACgkQv7M3G5+2DLKdPQCfXyVjaEeNLK97Mtyi2+0cf52W uQcAoKF0zRhzv1zhvBzk42fmvNlajbwJ =e/jh -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 2014-11-16 13:47, James Knott wrote:

On 11/16/2014 07:37 AM, Carlos E. R. wrote:

...

That is probably why everybody uses http instead of ftp nowdays. Or use sftp instead, which uses only port 22, and is encrypted. Far easier, and safer over internet.

I thought SFTP used port 115 and SCP used 22.

When the S is for "simple" yes, but it is normally standing for "secure". Then it is 22. :-) -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

On 2014-11-16 13:59, Anton Aylward wrote:

On 11/16/2014 07:37 AM, Carlos E. R. wrote:

...

That is probably why everybody uses http instead of ftp nowdays.

I recommend this for a number of reasons. The CGI that can be set up for a httpd transfer (using cURL or wget as a client if you want to automated or a much more friendly and informative GUI/html interface) can do much better logging, trigger events, filer and deliver, throttle and so much more.

But not upload. :-) You can use wget for all of them. The ftpd daemon is probably smaller, and triggers via xinitd, so not running till needed. Can also trigger events, I believe. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

On 2014-11-16 14:42, Anton Aylward wrote:

...

But not upload. :-)

Yes you can. We see plenty of web sites that allow uploading! Thing, for example of webmail sites that allow you to attach a photograph from your PC (or dating sites similar).

Ok, right, true. But I wouldn't know how to do that, quick, on my own apache, without some coding. And then upload with a simple CLI command, automated.

...

You can use wget for all of them.

The ftpd daemon is probably smaller, and triggers via xinitd, so not running till needed. Can also trigger events, I believe.

If you are going to argue 'minimalist' then yes, one can set up a very small httpd server that way. There's nothing to stop httpd requests being managed by xinetd.

Yes, I know. My multimedia embedded "center" does it, if you choose that method. Uses both ftp and http, but files are handled by the ftp server, both directions. And samba, but it only implements the client side, I think.

However I'd note that minimalist ftp servers lack many features to do with access control, logging and security. More capable ftp servers such as the "proftp" distributed with Suse ...

<quote src="http://www.proftpd.org/goals.html"> ProFTPD grew out of the desire to have a secure and configurable FTP server, and out of a significant admiration of the Apache web server.

... LOL -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

On 11/16/2014 06:18 AM, Anton Aylward wrote:

On 11/16/2014 08:55 AM, Carlos E. R. wrote:

...

...

On 2014-11-16 14:42, Anton Aylward wrote:

...

...

...

>But not upload.:-)

Yes you can. We see plenty of web sites that allow uploading! Thing, for example of webmail sites that allow you to attach a photograph from your PC (or dating sites similar).

Ok, right, true. But I wouldn't know how to do that, quick, on my own apache, without some coding. And then upload with a simple CLI command, automated. Off the top of my head, neither do I, so I google:

The HTML would be a simple form with a POST. Of course the server has to have write permission, just as with the ftp server, and there should be nothing in .htaccess (or selinux) that prevents it.

Most people write CGI in PHP or Perl but there's no reason not to write it in shell.

Right! Allow anyone to upload stuff to your server and use CGI! You could even use the shell! What could possibly go wrong? (think ShellShock) I've never had any issues with Internet-facing ftp servers configured to accept anonymous-only connections. There are two directories available for anonymous users, incoming and outgoing. Outgoing is read-only, incoming is write-only. This addresses the situation where people can upload/download content without having an account on the server. If Ralph needs to upload some photos for a non-profit's newsletter, I don't have to create an account for him to use scp or sftp. Even Windoze users are able to pull this off after explaining ftp to them. No one can see the uploaded files from the Internet, so you don't have the warze problem. The only downside I've seen is attempted DOS uploads to "incoming". But experience over the past decades shows they run out patience before I run out of disk space. I've been using vsftp, which is included with openSuSE. The "vs" stands for Very Secure. So far, no complaints. Is there a better way than anonymous-only vsftp, where better is easier-to-use for Windoze users and is more secure, to allow unauthenticated file uploads? Regards, Lew -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 11/16/2014 12:21 PM, Lew Wolfgang wrote:

On 11/16/2014 06:18 AM, Anton Aylward wrote:

...

On 11/16/2014 08:55 AM, Carlos E. R. wrote:

...

...

On 2014-11-16 14:42, Anton Aylward wrote:

...

...

>>But not upload.:-)

Yes you can. We see plenty of web sites that allow uploading! Thing, for example of webmail sites that allow you to attach a photograph from your PC (or dating sites similar).

Ok, right, true. But I wouldn't know how to do that, quick, on my own apache, without some coding. And then upload with a simple CLI command, automated. Off the top of my head, neither do I, so I google:

The HTML would be a simple form with a POST. Of course the server has to have write permission, just as with the ftp server, and there should be nothing in .htaccess (or selinux) that prevents it.

Most people write CGI in PHP or Perl but there's no reason not to write it in shell.

Right! Allow anyone to upload stuff to your server and use CGI! You could even use the shell! What could possibly go wrong? (think ShellShock)

You are just so missing the point, or you are ignorant of the basics of setting up/configuring a httpd server! The CGI is there to generate the html and dispose of the uploaded file and trigger other activity. The web server and its modules takes care of issue like access control and filtering. Q.v. No-one is forcing you to use shell as a CGI. You can still use Perl or PHP or Ruby or any one of a dozen other 'languages' that have been developed for making life with web servers *and* services easier. You have an amazing choice. And important point that I keep emphasising to my clients is that with web services you can do things that you can't do easily or reliably with ftp, most notably 'other triggered actions'. I had one client with high street stores and POS terminals that uploaded and consolidated the logs from the POS terminals for marketing purposes and though a chain of machines to the data centre. Four times a day, top of the hour, the Tandem Non-Stop FTPd six files to the marketing departments AIX machine and at quarter past the AIX ran a cron job that merged them into the marketing database. Only it all was done wrong wrong wrong. I could have been programmed right, with 'flag files' and checking timestamps, but it wasn't. As an example I tried figuring out what it would take at each end to make the file names unique, to add a 'all done" from the Tandem, to ensure files never got over-written, the ensure files never got merged into the database twice. Then I tried doing the same with a HTTPD based version and 'triggers' as part of the upload CGI. It was *SO* much simpler and clearer. So yes, if _all_ you want to do is upload photos its not going to make a difference, but of the ftp is part of business data flow, then using httpd/cgi makes more sense. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 2014-11-17 15:49, Lew Wolfgang wrote:

Hi Anton,

The context of my reply was that anonymous ftp is vastly simpler and more secure than an ssl-enabled Apache install with CGI and some large interpretive language system, if all you need to do is allow occasional uploads from people without accounts. I've been hearing that ftp is "insecure" for decades, but show me the risk if it's set up the way I suggested. No usernames/passwords in the clear and you have to trust only one small daemon written with security in mind. More complicated business cases would certainly require more complicated solutions.

Yes, I agree with this idea. I just looked. My router, which is a home model (TP-link TD-W8970) offers FTP service to the outside, if wished. One snag is that the "list of users" allowed is the same one as the list of users with config access to the router. But you can add allow and disallow users, and create an specific user for this. [...] No, it appears you can also create a separate list of users for file sharing. 5 users, but one is the "admin". Of course, not a versatile setup, but it does exist, and it is simple. I do not use it, it is just a comment. This router also understands the FTP protocol, so that (apparently) I can tell it to pass incoming FTP connections to a computer inside, properly. I have not tested this feature, but they claim so: +++····················· Application Layer Gateway (ALG): It is recommended to enable Application Layer Gateway (ALG) because ALG allows customized Network Address Translation (NAT) traversal filters to be plugged into the gateway to support address and port translation for certain application layer "control/data" protocols such as FTP, TFTP etc. • FTP ALG: To allow FTP clients and servers to transfer data across NAT, click Enable. • TFTP ALG: To allow TFTP clients and servers to transfer data across NAT, click Enable. • H323 ALG: To allow H323 clients and servers to transfer data across NAT, click Enable. • SIP ALG: To allow SIP clients and servers to transfer data across NAT, click Enable. ·····················++- Although I do not see how to specify the destination computer. Again, this is just a comment, I do not intend to set it up myself. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

On 2014-11-17 16:27, Anton Aylward wrote:

On 11/17/2014 09:49 AM, Lew Wolfgang wrote:

Example: I was at a presentation where a 'hacker demo' was based on someone leaving the TFTP port open and allowing access to ... All manner of stuff. An IT manager from a bank observed that this was ridiculous "who the hell leaves TFTP open in this day and age?!!!" The answer was "more people than you care to know about and many of them businesses with no internal security".

But tftp is not ftp. It is a different protocol, and security is not one of its features. It is used, I understand, to boot up machines via network, because it can be accessed (read) directly by network card bioses, so it was built very simply. My previous router needed that protocol on the computer in order to send it a self-backup; ie, write access. And it made me cringe. I did it as a test, then on subsequent occasions I just used the router web page instead of telnet (meaning, that via telnet cli requires tftp on the computer; http does not, on that particular router). Me, if I wanted to send files over internet, automatically, and securely, would use passwordless, key-pair, scp. Or, for home setups, even email (encrypted), because you do not need to know the destination IP and it is probably easier to automate than a shared service. Maybe. And email can esily trigger scripts. But has to be small files. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

On 11/17/2014 08:48 AM, Anton Aylward wrote:

a Big Name ex-IBM Security Consultant who asserted that machines should be shipped with all the standard ports open and services enabled and sysadmins should be smart enough to decide which to shut down,

This is the RedHat motto as well. (Or was the last time I was forced to use RH). Everything open upon install. I like the Opensuse approach where you don't even have ssh open unless you do it yourself. -- After all is said and done, more is said than done. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Carlos E. R. wrote:

On 2014-11-17 16:27, Anton Aylward wrote:

...

On 11/17/2014 09:49 AM, Lew Wolfgang wrote:

...

Example: I was at a presentation where a 'hacker demo' was based on someone leaving the TFTP port open and allowing access to ... All manner of stuff. An IT manager from a bank observed that this was ridiculous "who the hell leaves TFTP open in this day and age?!!!" The answer was "more people than you care to know about and many of them businesses with no internal security".

But tftp is not ftp. It is a different protocol, and security is not one of its features. It is used, I understand, to boot up machines via network, because it can be accessed (read) directly by network card bioses, so it was built very simply.

It is also often used for uploading/downloading firmware and/or configuration data for network switches and other hardware. -- Per Jessen, Zürich (6.9°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/16/2014 04:37 AM, Carlos E. R. wrote:

It is not that easy. You need a router that understands ftp, because it uses two connections: the control on port 21, and the data on another port. Worse, the data port is different on each connection. Worse, depending on using active or passive ftp, that data connection is started by the server or by the client. Thus the router has to listen on the control connection to learn which port it has to forward to where. You can check this with ethereal.

Carlos, for pete sake, buddy, have you NEVER heard of Passive mode FTP? Its checking a box on most ftp servers followed by opening a small range of ports on the firewall and pointing them to the FTP server. - ------/etc/vsftpd.conf pasv_enable=Yes pasv_max_port=21210 pasv_min_port=21200 Your router doesn't need any smarts at all. Its just forwards any incoming connection on a range of ports to the FTP server. Shorewall example: ACCEPT net $FW tcp 21200:21210 Routers don't "listen" on control connections with passive. (Indeed, routers don't "listen" at all. They either drop or route packets.) There is no complex logic necessary to handle passive ftp connections at the router. And further, the ftp server doesn’t open those ports till someone requests a transfer, so even if someone figures out what your port range is, they get nowhere, because the ftp server isn't even listening on those ports until it needs to, so the hacking packets get dropped. You make it sound like rocket science, but ftp, for both active and passive FTP was solved in routers decades ago. DECADES!!! As far as the OP is concerned, it is just a matter of whether his NAS box supports PASV, (and what ftp server doesn't these days?) - -- After all is said and done, more is said than done. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iEYEARECAAYFAlRo9dIACgkQv7M3G5+2DLIl/ACeKVF1ihPi4/DeRv7uiu43J2/0 yjoAn1E5UNGkknQEIK6/FzUeW0Z+T/QF =8sMq -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

On 2014-11-16 13:55, Anton Aylward wrote:

FTP is an archaic protocol and one of my great hates.

:-) It baffles many people. I set it up once, then a few months later I have to read it up again.

Zeigler's book "Linux Firewalls" may be old, my copy has a copyright date of 2000, and is based on ipchains rather than iptables, but it is still authoritative about the principles. The second and later editions & revisions deal with iptables. Q.V. http://www.amazon.com/exec/obidos/ASIN/0735710996/

It is automated on SuSEfirewal2, no need to set up iptables yourself :-) The problem is the router... it depends on what it has. Some routers do offer ftp on an external usb disk, I think mine does. Dunno. Or, set the router to redirect everything, unfiltered, unmanaged, to another machine inside. This other machine would do firewall, ftp and NAT for the rest. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)