Hi All,

I have set up an anonymous FTP share on my FreeNAS box according to the following instructions:
http://youtu.be/wySXaTMMLoA?t=4m23s

This works fine when I access it over LAN in Dolphin and Firefox using ftp://192.168.0.10/

I have forwarded port 21 to 192.168.0.10 on my router, however when I try to access ftp://myinternetip/ it does not connect. I am faced with a loading icon for up to 10 mins in Firefox before it times out and Dolphin just says it could not connect to the server after about 30 seconds.

I am able to access my ownCloud successfully though. Any ideas?

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On November 15, 2014 10:13:13 AM PST, Paul Groves wrote:
Have you tried from somewhere else? Take your phone off wifi, use your cell data and try it.

Some ISPs don't allow out-then-in-again connections to the same cable modem or router. My Comcast connection won't allow this. Same symptoms. Yet it works from anywhere else.

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Thanks, I will try this this evening.
On 15 November 2014 18:54, John Andersen wrote:
John, I tried your suggestion and you were correct, it seems that Plusnet do not allow the connection out then in again. FTP works from my phone.

Now the next issue. I am trying to add my ftp share as a repository in YaST > Software Repositories > Add > Specify URL

I have tried ftp://192.168.0.10/ (which works in Dolphin). It either freezes on 'Checking repository type' (causing me to have to kill yast2) or it says 'Unable to create repository from URL. Change the URL or try again?'

The same files work over smb in another repository.
On 15 November 2014 18:54, John Andersen wrote:
On 11/17/2014 01:12 PM, Paul Groves wrote:
John, I tried your suggestion and you were correct, it seems that plusnet do not allow the connection out then in again. FTP works from my phone.
As long as you are using IP names you will never get around this. But if you switch to a Dynamic DNS name from one of the free services you can work around this by a split horizon DNS server on your linux box or just telling your router that paulsbox.myip.net routes to 192.168.0.10 and that same dns name will work from everywhere.
Now the next issue. I am trying to add my ftp share as a repository in YaST > Software Repositories > Add > Specify URL
i have tried ftp://192.168.0.10/ (which works in Dolphin). It either freezes on 'Checking repository type' (causing me to have to kill yast2) or it says 'Unable to create repository from URL Change the URL or try again?'
The same files work over smb in another repository
Well, chances are that the repository YaST is looking for is not at the root but rather at some sub-directory. As best I remember about setting up a private repository, you had to specify the directory with the .repo in it.

In YaST, there is a radio button that says Edit Complete URL vs Edit Parts of the URL. Try checking that and see if it is easier to enter.

-- After all is said and done, more is said than done.
On 11/15/2014 07:13 PM, Paul Groves wrote:
I have forwarded port 21 to 192.168.0.10 on my router, however when I try to access ftp://myinternetip/ it does not connect.
FTP does not only use port 21, but also port 20.

However, other than for read-only access for data aimed to be publicly available, FTP is not the right protocol nowadays:
* due to that split port 20/21 communication, setting up proper firewall rules is not easy.
* the username/password is transferred unencrypted and can be read by anyone sniffing on the network.
* ...

Maybe your NAS supports HTTP(S), too?

Have a nice day, Berny
On Sun, 16 Nov 2014 12:10:08 +0100, Bernhard Voelker wrote:
However, other than for read-only access for data aimed to be publicly available, FTP is not the right protocol nowadays:
* due to that split port 20/21 communication, setting up proper firewall rules is not easy.
* the username/password is transferred unencrypted and can be read by anyone sniffing on the network.
* ...
FTP is still relevant and still useful. The current implementation is FTPS with SSL and TLS support. Password and transfers are encrypted.
On 11/16/2014 12:38 PM, listreader wrote:
FTP is still relevant and still useful. The current implementation is FTPS with SSL and TLS support. Password and transfers are encrypted.
Isn't this a completely different port then?

$ grep -i ftps /etc/services | head -n4
ftps-data 989/tcp # ftp protocol, data, over TLS/SSL
ftps-data 989/udp # ftp protocol, data, over TLS/SSL
ftps 990/tcp # ftp protocol, control, over TLS/SSL [Christopher_Allen]
ftps 990/udp # ftp protocol, control, over TLS/SSL [Christopher_Allen]

Have a nice day, Berny
On Sun, 16 Nov 2014 12:55:21 +0100, Bernhard Voelker wrote:
On 11/16/2014 12:38 PM, listreader wrote:
FTP is still relevant and still useful. The current implementation is FTPS with SSL and TLS support. Password and transfers are encrypted.
Isn't this a completely different port then?

$ grep -i ftps /etc/services | head -n4
ftps-data 989/tcp # ftp protocol, data, over TLS/SSL
ftps-data 989/udp # ftp protocol, data, over TLS/SSL
ftps 990/tcp # ftp protocol, control, over TLS/SSL [Christopher_Allen]
ftps 990/udp # ftp protocol, control, over TLS/SSL [Christopher_Allen]
Berny, I think I am missing your point, please expand. Yes, 21 or 990 can be configured...

Ralph
On 11/16/2014 06:55 AM, Bernhard Voelker wrote:
On 11/16/2014 12:38 PM, listreader wrote:
FTP is still relevant and still useful. The current implementation is FTPS with SSL and TLS support. Password and transfers are encrypted.

Isn't this a completely different port then?

$ grep -i ftps /etc/services | head -n4
ftps-data 989/tcp # ftp protocol, data, over TLS/SSL
ftps-data 989/udp # ftp protocol, data, over TLS/SSL
ftps 990/tcp # ftp protocol, control, over TLS/SSL [Christopher_Allen]
ftps 990/udp # ftp protocol, control, over TLS/SSL [Christopher_Allen]

Have a nice day, Berny
Or SFTP on port 115. It's easy to set up on Linux. https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol
On 2014-11-16 13:33, James Knott wrote:
Or SFTP on port 115. It's easy to set up on Linux. https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol
Huh, 115 is "Simple File Transfer Protocol", not Secure FTP (ssh ftp), over port 22.

cer@Telcontar:~> sftp cer@192.168.1.15
Password:
Connected to 192.168.1.15.
sftp>
cer@Telcontar:~> netstat -pant | grep 192.168.1.15
(Not all processes could be identified, non-owned process info will not be shown, you would have to be root to see it all.)
tcp 0 0 192.168.1.14:34242 192.168.1.15:22 ESTABLISHED 498/ssh
cer@Telcontar:~>

-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 11/16/2014 07:47 AM, Carlos E. R. wrote:
Huh, 115 is "Simple File Transfer Protocol", not Secure FTP (ssh ftp), over port 22.
Sorry, too many SFTPs. ;-) I must have been thinking of that because I set up a S(imple)FTP server not too long ago.
On 2014-11-16 13:50, James Knott wrote:
On 11/16/2014 07:47 AM, Carlos E. R. wrote:
Huh, 115 is "Simple File Transfer Protocol", not Secure FTP (ssh ftp), over port 22.
Sorry, too many SFTPs. ;-)
I must have been thinking of that because I set up a S(imple)FTP server not too long ago.
I know, it is confusing. There is also ftps :-p -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 11/16/2014 07:33 AM, James Knott wrote:
Or SFTP on port 115. It's easy to set up on Linux. https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol
Another possibility is SCP. It uses SSH port 22. https://en.wikipedia.org/wiki/Secure_copy
On 2014-11-16 13:53, James Knott wrote:
On 11/16/2014 07:33 AM, James Knott wrote:
Or SFTP on port 115. It's easy to set up on Linux. https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol
Another possibility is SCP. It uses SSH port 22. https://en.wikipedia.org/wiki/Secure_copy
It is almost the same as sftp, but with a different client program. The daemon is the same one, sshd, I believe (unverified). At least sshd is the one listening, it might hand over to something else. I'd have to read the manual to find out details, or check ps tree. Lazy. Busy. Choose :-p

-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 11/16/2014 04:33 AM, James Knott wrote:
Or SFTP on port 115. It's easy to set up on Linux. https://en.wikipedia.org/wiki/SSH_File_Transfer_Protocol
Please just STOP!!! This thread is about a NAS box, and the capabilities therein.
On 11/16/2014 01:50 PM, John Andersen wrote:
This thread is about a NAS box, and the capabilities there in.
Assuming the NAS box is on the local network, there's no reason it can't be mounted on a local "server" and shared using a more secure protocol. Unless the OP needs anonymous FTP, there are better ways of doing this.
On 11/16/2014 03:10 AM, Bernhard Voelker wrote:
FTP does not only use port 21, but also port 20.
However, other than for read-only access for data aimed to be publicly available, FTP is not the right protocol nowadays: * due to that split port 20/21 communication, setting up proper firewall rules is not easy. * the username/password is transferred unencrypted and can be read by anyone sniffing on the network. * ...
Maybe your NAS supports HTTP(S), too?
Has NOBODY ON THIS THREAD ever heard about PASSIVE mode FTP? It's drop-dead simple to set up in your firewall, and unless the NAS doesn't support it, it's just as simple to configure on the FTP server.
On 11/16/2014 11:06 AM, Carlos E. R. wrote:
Why do you SHOUT at us? Why are you so aggressive?
Because none of you are addressing the OP's problem of connecting to his NAS box. He doesn't have the luxury of rewriting the interface of that device.
On 2014-11-16 20:11, John Andersen wrote:
On 11/16/2014 11:06 AM, Carlos E. R. wrote:
Why do you SHOUT at us? Why are you so aggressive?
Because none of you are addressing the OP's problem of connecting to his NAS box. He doesn't have the luxury of rewriting the interface of that device.
And that entitles /you/ to shout at us? Do you enjoy shouting at us, perhaps? -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 2014-11-15 19:13, Paul Groves wrote:
This works fine when I access is over LAN in Dolphin and Firefox using ftp://192.168.0.10/
I have forwarded port 21 to 192.168.0.10 on my router, however when I try to access ftp://myinternetip/ it does not connect. I am faced with a loading icon for up to 10 mins in firefox before it times out and Dolphin just says it could not connect to the server after about 30 seconds.
It is not that easy. You need a router that understands ftp, because it uses two connections: the control on port 21, and the data on another port. Worse, the data port is different on each connection. Worse, depending on using active or passive ftp, that data connection is started by the server or by the client. Thus the router has to listen on the control connection to learn which port it has to forward to where. You can check this with ethereal.

There is a fairly good explanation of ftp in the wikipedia. Depending on the mode being active or passive, the difficulty is on the server or on the client. You could experiment.

That is probably why everybody uses http instead of ftp nowadays. Or use sftp instead, which uses only port 22, and is encrypted. Far easier, and safer over internet.

-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
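The two-connection problem that Carlos describes here, and that Berny (split port 20/21) and John (passive mode) argued about earlier, worked through in code. This is an added example, not code from the thread, from FreeNAS or from any router firmware: it parses a constructed FTP control-channel transcript (the "C: "/"S: " line prefixes, the sample session, and the names decode_hostport, data_channels, verdict and report are all mine) and, for every data channel the two sides negotiate with PORT or PASV, says whether a NAT router that only has static port forwards and no FTP ALG would let that data connection through.

```python
"""FTP data channels vs. a router that only forwards port 21.

Added example (not code from the thread, FreeNAS or a router): parse a
constructed FTP control-channel transcript, pull out every data-channel
endpoint negotiated with PORT (active) or PASV (passive), and say whether a
NAT router with only static port forwards and no FTP ALG would pass it.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Active mode: the client names the address the server must connect back to.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
# Passive mode: the server names the address the client must connect to.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 1918 ranges: an address in here is unreachable from the Internet.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class DataChannel:
    mode: str   # "active" or "passive"
    host: str   # address the other side has to connect to
    port: int


def decode_hostport(fields):
    """h1,h2,h3,h4,p1,p2 -> ("h1.h2.h3.h4", p1*256 + p2); rejects octets > 255."""
    values = [int(f) for f in fields]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError(f"bad host/port tuple: {fields}")
    h1, h2, h3, h4, p1, p2 = values
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channels(transcript):
    """Transcript lines are prefixed 'C: ' (client) or 'S: ' (server)."""
    found = []
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("C: ") and (m := PORT_RE.match(line[3:])):
            found.append(DataChannel("active", *decode_hostport(m.groups())))
        elif line.startswith("S: ") and (m := PASV_RE.match(line[3:])):
            found.append(DataChannel("passive", *decode_hostport(m.groups())))
    return found


def verdict(channel, forwarded_ports):
    """Fate of one data connection behind a dumb NAT with the given inbound forwards."""
    if channel.mode == "active":
        # The server dials out to the client, so the server-side router is
        # irrelevant; the client's own NAT/firewall must accept an inbound SYN.
        return "needs inbound allow on the client side"
    if any(ip_address(channel.host) in net for net in RFC1918):
        # Server behind NAT told a remote client to connect to its LAN address.
        return "server advertised private address"
    if channel.port in forwarded_ports:
        return "ok"
    return f"port {channel.port} not forwarded"


# Constructed session: one PORT and two PASV data channels.
SAMPLE = """\
S: 220 FreeNAS FTP server ready
C: USER anonymous
S: 331 Anonymous login ok, send your complete email address as your password
C: PASS guest@
S: 230 Anonymous access granted, restrictions apply
C: PORT 192,168,0,20,195,80
S: 200 PORT command successful
C: LIST
S: 226 Transfer complete
C: PASV
S: 227 Entering Passive Mode (192,168,0,10,195,89).
C: RETR a.iso
S: 226 Transfer complete
C: PASV
S: 227 Entering Passive Mode (198,51,100,7,195,90).
C: RETR b.iso
S: 226 Transfer complete
C: QUIT
"""


def report(transcript=SAMPLE, forwarded_ports=frozenset({21})):
    """(mode, host, port, verdict) for each data channel in the transcript."""
    return [(c.mode, c.host, c.port, verdict(c, forwarded_ports))
            for c in data_channels(transcript)]


if __name__ == "__main__":
    print("only port 21 forwarded:")
    for row in report():
        print("  ", row)
    print("passive range 50000-50100 forwarded as well:")
    for row in report(forwarded_ports=frozenset({21, *range(50000, 50101)})):
        print("  ", row)
```

The first passive channel in the sample shows the failure mode a "forward port 21 only" setup produces: the NAS answers PASV with its own LAN address and a fresh high port, so a remote client tries to reach 192.168.0.10 and hangs until it times out. Passive mode becomes easy to firewall only once the server is told its public address and pinned to a fixed passive port range that is forwarded alongside 21 (ProFTPD calls these MasqueradeAddress and PassivePorts, vsftpd pasv_address and pasv_min_port/pasv_max_port); active mode moves the same problem to the client's side of the NAT.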
On 11/16/2014 07:37 AM, Carlos E. R. wrote:
That is probably why everybody uses http instead of ftp nowadays. Or use sftp instead, which uses only port 22, and is encrypted. Far easier, and safer over internet.
I thought SFTP used port 115 and SCP used 22.
On 2014-11-16 13:47, James Knott wrote:
On 11/16/2014 07:37 AM, Carlos E. R. wrote:
That is probably why everybody uses http instead of ftp nowadays. Or use sftp instead, which uses only port 22, and is encrypted. Far easier, and safer over internet.
I thought SFTP used port 115 and SCP used 22.
When the S is for "simple" yes, but it is normally standing for "secure". Then it is 22. :-) -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 11/16/2014 07:37 AM, Carlos E. R. wrote:
That is probably why everybody uses http instead of ftp nowadays.
I recommend this for a number of reasons. The CGI that can be set up for a httpd transfer (using cURL or wget as a client if you want to automate, or a much more friendly and informative GUI/html interface) can do much better logging, trigger events, filter and deliver, throttle and so much more.

-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 2014-11-16 13:59, Anton Aylward wrote:
On 11/16/2014 07:37 AM, Carlos E. R. wrote:
That is probably why everybody uses http instead of ftp nowadays.
I recommend this for a number of reasons. The CGI that can be set up for a httpd transfer (using cURL or wget as a client if you want to automate, or a much more friendly and informative GUI/html interface) can do much better logging, trigger events, filter and deliver, throttle and so much more.
But not upload. :-)

You can use wget for all of them.

The ftpd daemon is probably smaller, and triggers via xinetd, so not running till needed. Can also trigger events, I believe.

-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 11/16/2014 08:15 AM, Carlos E. R. wrote:
On 2014-11-16 13:59, Anton Aylward wrote:
On 11/16/2014 07:37 AM, Carlos E. R. wrote:
That is probably why everybody uses http instead of ftp nowadays.
I recommend this for a number of reasons. The CGI that can be set up for a httpd transfer (using cURL or wget as a client if you want to automate, or a much more friendly and informative GUI/html interface) can do much better logging, trigger events, filter and deliver, throttle and so much more.
But not upload. :-)
Yes you can. We see plenty of web sites that allow uploading! Think, for example, of webmail sites that allow you to attach a photograph from your PC (or dating sites similar).
You can use wget for all of them.
The ftpd daemon is probably smaller, and triggers via xinetd, so not running till needed. Can also trigger events, I believe.
If you are going to argue 'minimalist' then yes, one can set up a very small httpd server that way. There's nothing to stop httpd requests being managed by xinetd.

However I'd note that minimalist ftp servers lack many features to do with access control, logging and security. More capable ftp servers such as the "proftp" distributed with Suse ...

<quote src="http://www.proftpd.org/goals.html">
ProFTPD grew out of the desire to have a secure and configurable FTP server, and out of a significant admiration of the Apache web server. When the Project began, the most commonly used server was wu-ftpd. While wu-ftpd provides excellent performance and is generally a good product, it lacks numerous features found in newer Win32 FTP servers and has a poor security history. Many people, including the developers who work on ProFTPD, had spent a great deal of time fixing bugs and hacking features into wu-ftpd. Unfortunately, it quickly became clear that a complete redesign was necessary in order to implement the reconfigurability and features desired.

In addition to wu-ftpd, there are a few of other FTP servers available which are designed to be light-weight and secure at the expense of configurability. For example, Troll FTP is an excellent FTP daemon which is considerably more secure and less resource-intensive than wu-ftpd. Unfortunately, while it is quite suitable for basic FTP services, it does not offer the feature set required for more sophisticated FTP sites.
</quote>

http://www.proftpd.org/features.html
* light weight
* configurable
* secure
On 2014-11-16 14:42, Anton Aylward wrote:
But not upload. :-)
Yes you can. We see plenty of web sites that allow uploading! Think, for example, of webmail sites that allow you to attach a photograph from your PC (or dating sites similar).
Ok, right, true. But I wouldn't know how to do that, quick, on my own apache, without some coding. And then upload with a simple CLI command, automated.
You can use wget for all of them.
The ftpd daemon is probably smaller, and triggers via xinetd, so not running till needed. Can also trigger events, I believe.
If you are going to argue 'minimalist' then yes, one can set up a very small httpd server that way. There's nothing to stop httpd requests being managed by xinetd.
Yes, I know. My multimedia embedded "center" does it, if you choose that method. Uses both ftp and http, but files are handled by the ftp server, both directions. And samba, but it only implements the client side, I think.
However I'd note that minimalist ftp servers lack many features to do with access control, logging and security. More capable ftp servers such as the "proftp" distributed with Suse ...
<quote src="http://www.proftpd.org/goals.html"> ProFTPD grew out of the desire to have a secure and configurable FTP server, and out of a significant admiration of the Apache web server.
... LOL -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 11/16/2014 08:55 AM, Carlos E. R. wrote:
On 2014-11-16 14:42, Anton Aylward wrote:
But not upload. :-)
Yes you can. We see plenty of web sites that allow uploading! Think, for example, of webmail sites that allow you to attach a photograph from your PC (or dating sites similar).
Ok, right, true. But I wouldn't know how to do that, quick, on my own apache, without some coding. And then upload with a simple CLI command, automated.
Off the top of my head, neither do I, so I google: The HTML would be a simple form with a POST. Of course the server has to have write permission, just as with the ftp server, and there should be nothing in .htaccess (or selinux) that prevents it. Most people write CGI in PHP or Perl but there's no reason not to write it in shell.
You can use wget for all of them.
Or CURL

<quote src="man page for curl">
-d, --data <data>
(HTTP) Sends the specified data in a POST request to the HTTP server, in the same way that a browser does when a user has filled in an HTML form and presses the submit button. This will cause curl to pass the data to the server using the content-type application/x-www-form-urlencoded. Compare to -F, --form.

-d, --data is the same as --data-ascii. To post data purely binary, you should instead use the --data-binary option. To URL-encode the value of a form field you may use --data-urlencode.

If any of these options is used more than once on the same command line, the data pieces specified will be merged together with a separating &-symbol. Thus, using '-d name=daniel -d skill=lousy' would generate a post chunk that looks like 'name=daniel&skill=lousy'.
</quote>

There are more options to deal with encoded data and so forth.
On 11/16/2014 06:18 AM, Anton Aylward wrote:
On 11/16/2014 08:55 AM, Carlos E. R. wrote:
On 2014-11-16 14:42, Anton Aylward wrote:
But not upload. :-)
Yes you can. We see plenty of web sites that allow uploading! Think, for example, of webmail sites that allow you to attach a photograph from your PC (or dating sites similar).
Ok, right, true. But I wouldn't know how to do that, quick, on my own apache, without some coding. And then upload with a simple CLI command, automated. Off the top of my head, neither do I, so I google:
The HTML would be a simple form with a POST. Of course the server has to have write permission, just as with the ftp server, and there should be nothing in .htaccess (or selinux) that prevents it.
Most people write CGI in PHP or Perl but there's no reason not to write it in shell.
Right! Allow anyone to upload stuff to your server and use CGI! You could even use the shell! What could possibly go wrong? (think ShellShock)

I've never had any issues with Internet-facing ftp servers configured to accept anonymous-only connections. There are two directories available for anonymous users, incoming and outgoing. Outgoing is read-only, incoming is write-only. This addresses the situation where people can upload/download content without having an account on the server. If Ralph needs to upload some photos for a non-profit's newsletter, I don't have to create an account for him to use scp or sftp. Even Windoze users are able to pull this off after explaining ftp to them. No one can see the uploaded files from the Internet, so you don't have the warez problem.

The only downside I've seen is attempted DOS uploads to "incoming". But experience over the past decades shows they run out of patience before I run out of disk space.

I've been using vsftp, which is included with openSuSE. The "vs" stands for Very Secure. So far, no complaints.

Is there a better way than anonymous-only vsftp, where better is easier-to-use for Windoze users and is more secure, to allow unauthenticated file uploads?

Regards, Lew
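Lew's incoming/outgoing split, written out as code so the individual checks are visible. This is an added example, not Lew's vsftpd configuration and not anything from the thread: a hypothetical drop-box store (the names Rejected, sanitized_name, store_incoming, fetch_outgoing and run_demo are mine, and the sample files are constructed) that enforces the policy any anonymous-upload endpoint, FTP or the HTTP CGI Anton proposes, has to enforce. The client-supplied filename is validated rather than trusted, a file can be created exactly once and never overwritten, listed or read back, uploads are size-capped, and downloads cannot escape the read-only area through ".." or a planted symlink.

```python
"""Write-only incoming, read-only outgoing: the drop-box policy as code.

Added example, not Lew's vsftpd setup and not from the thread: a hypothetical
store for unauthenticated uploads that validates the client-supplied name,
creates each file exactly once, never reads one back, caps size, and refuses
downloads that escape the read-only area via '..' or symlinks.
"""
import os
import re
import tempfile

# A plain basename: starts alphanumeric, no separators, no leading dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class Rejected(Exception):
    pass


def sanitized_name(client_name):
    """Validate instead of 'cleaning': anything with a path in it is refused."""
    if not SAFE_NAME.match(client_name):
        raise Rejected(f"bad filename: {client_name!r}")
    return client_name


def store_incoming(incoming_dir, client_name, data, max_bytes=64 * 1024 * 1024):
    """Write-only drop: create once with mode 0600, never overwrite or replace."""
    if len(data) > max_bytes:
        raise Rejected("upload too large")
    path = os.path.join(incoming_dir, sanitized_name(client_name))
    # O_EXCL makes the create atomic: a second upload with the same name fails
    # instead of clobbering (or racing against) the first one.
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        raise Rejected(f"{client_name} already exists") from None
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return client_name


def fetch_outgoing(outgoing_dir, client_name):
    """Read-only area: serve only regular files whose real path is inside it."""
    root = os.path.realpath(outgoing_dir)
    target = os.path.realpath(os.path.join(root, client_name))
    # realpath follows symlinks, so a planted link pointing outside is caught.
    if os.path.commonpath([root, target]) != root or not os.path.isfile(target):
        raise Rejected(f"not available: {client_name!r}")
    with open(target, "rb") as fh:
        return fh.read()


def _attempt(fn, *args, **kwargs):
    """Run one client request and report whether the policy allowed it."""
    try:
        fn(*args, **kwargs)
        return "allowed"
    except Rejected:
        return "rejected"


def run_demo(root=None):
    """Exercise the policy against constructed inputs; returns what happened."""
    root = root or tempfile.mkdtemp(prefix="dropbox-demo-")
    incoming, outgoing = os.path.join(root, "incoming"), os.path.join(root, "outgoing")
    os.makedirs(incoming, exist_ok=True)
    os.makedirs(outgoing, exist_ok=True)
    with open(os.path.join(root, "secret.txt"), "wb") as fh:
        fh.write(b"not for anonymous users\n")
    with open(os.path.join(outgoing, "newsletter.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed sample\n")
    # A symlink planted inside outgoing/ that points outside it.
    os.symlink(os.path.join(root, "secret.txt"), os.path.join(outgoing, "link"))

    r = {"stored": store_incoming(incoming, "photos.zip", b"PK\x03\x04 constructed")}
    r["traversal"] = _attempt(store_incoming, incoming, "../outgoing/newsletter.pdf", b"x")
    r["dotfile"] = _attempt(store_incoming, incoming, ".bashrc", b"x")
    r["duplicate"] = _attempt(store_incoming, incoming, "photos.zip", b"x")
    r["oversize"] = _attempt(store_incoming, incoming, "big.bin", b"\0" * 1024, max_bytes=512)
    r["mode"] = oct(os.stat(os.path.join(incoming, "photos.zip")).st_mode & 0o777)
    r["download"] = fetch_outgoing(outgoing, "newsletter.pdf")
    r["escape"] = _attempt(fetch_outgoing, outgoing, "../incoming/photos.zip")
    r["symlink"] = _attempt(fetch_outgoing, outgoing, "link")
    return r


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:10} {value!r}")
```

On a real vsftpd box the same split is done with directory ownership and modes plus the anonymous-upload options (anon_upload_enable, anon_umask, chown_uploads); the point of the code is to make explicit which checks those settings stand in for, and that an HTTP upload handler needs every one of them too.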
On 11/16/2014 12:21 PM, Lew Wolfgang wrote:
incoming is write-only
I guess it uses write only memory. ;-) http://www4.vmi.edu/faculty/squirejc//Research/IC_Datasheets/digital_cmos/Wr...
On 11/16/2014 12:21 PM, Lew Wolfgang wrote:
On 11/16/2014 06:18 AM, Anton Aylward wrote:
On 11/16/2014 08:55 AM, Carlos E. R. wrote:
On 2014-11-16 14:42, Anton Aylward wrote:
But not upload. :-)
Yes you can. We see plenty of web sites that allow uploading! Think, for example, of webmail sites that allow you to attach a photograph from your PC (or dating sites similar).
Ok, right, true. But I wouldn't know how to do that, quick, on my own apache, without some coding. And then upload with a simple CLI command, automated. Off the top of my head, neither do I, so I google:
The HTML would be a simple form with a POST. Of course the server has to have write permission, just as with the ftp server, and there should be nothing in .htaccess (or selinux) that prevents it.
Most people write CGI in PHP or Perl but there's no reason not to write it in shell.
Right! Allow anyone to upload stuff to your server and use CGI! You could even use the shell! What could possibly go wrong? (think ShellShock)
You are just so missing the point, or you are ignorant of the basics of setting up/configuring a httpd server!

The CGI is there to generate the html and dispose of the uploaded file and trigger other activity. The web server and its modules take care of issues like access control and filtering. Q.v.

No-one is forcing you to use shell as a CGI. You can still use Perl or PHP or Ruby or any one of a dozen other 'languages' that have been developed for making life with web servers *and* services easier. You have an amazing choice.

An important point that I keep emphasising to my clients is that with web services you can do things that you can't do easily or reliably with ftp, most notably 'other triggered actions'.

I had one client with high street stores and POS terminals that uploaded and consolidated the logs from the POS terminals for marketing purposes and through a chain of machines to the data centre. Four times a day, top of the hour, the Tandem Non-Stop FTPd six files to the marketing department's AIX machine and at quarter past the AIX ran a cron job that merged them into the marketing database. Only it all was done wrong wrong wrong. It could have been programmed right, with 'flag files' and checking timestamps, but it wasn't. As an example I tried figuring out what it would take at each end to make the file names unique, to add an "all done" from the Tandem, to ensure files never got over-written, to ensure files never got merged into the database twice. Then I tried doing the same with a HTTPD based version and 'triggers' as part of the upload CGI. It was *SO* much simpler and clearer.

So yes, if _all_ you want to do is upload photos it's not going to make a difference, but if the ftp is part of business data flow, then using httpd/cgi makes more sense.
On 11/16/2014 10:29 AM, Anton Aylward wrote:
Right! Allow anyone to upload stuff to your server and use CGI! You could even use the shell! What could possibly go wrong? (think ShellShock)
You are just so missing the point, or you are ignorant of the basics of setting up/configuring a httpd server!
The CGI is there to generate the html and dispose of the uploaded file and trigger other activity.
Hi Anton,

The context of my reply was that anonymous ftp is vastly simpler and more secure than an ssl-enabled Apache install with CGI and some large interpretive language system, if all you need to do is allow occasional uploads from people without accounts.

I've been hearing that ftp is "insecure" for decades, but show me the risk if it's set up the way I suggested. No usernames/passwords in the clear and you have to trust only one small daemon written with security in mind.

More complicated business cases would certainly require more complicated solutions.

Regards, Lew
On 2014-11-17 15:49, Lew Wolfgang wrote:
Hi Anton,
The context of my reply was that anonymous ftp is vastly simpler and more secure than an ssl-enabled Apache install with CGI and some large interpretive language system, if all you need to do is allow occasional uploads from people without accounts. I've been hearing that ftp is "insecure" for decades, but show me the risk if it's set up the way I suggested. No usernames/passwords in the clear and you have to trust only one small daemon written with security in mind. More complicated business cases would certainly require more complicated solutions.
Yes, I agree with this idea. I just looked. My router, which is a home model (TP-link TD-W8970) offers FTP service to the outside, if wished. One snag is that the "list of users" allowed is the same one as the list of users with config access to the router. But you can add allow and disallow users, and create a specific user for this. [...] No, it appears you can also create a separate list of users for file sharing. 5 users, but one is the "admin". Of course, not a versatile setup, but it does exist, and it is simple. I do not use it, it is just a comment.

This router also understands the FTP protocol, so that (apparently) I can tell it to pass incoming FTP connections to a computer inside, properly. I have not tested this feature, but they claim so:

+++·····················
Application Layer Gateway (ALG): It is recommended to enable Application Layer Gateway (ALG) because ALG allows customized Network Address Translation (NAT) traversal filters to be plugged into the gateway to support address and port translation for certain application layer "control/data" protocols such as FTP, TFTP etc.
• FTP ALG: To allow FTP clients and servers to transfer data across NAT, click Enable.
• TFTP ALG: To allow TFTP clients and servers to transfer data across NAT, click Enable.
• H323 ALG: To allow H323 clients and servers to transfer data across NAT, click Enable.
• SIP ALG: To allow SIP clients and servers to transfer data across NAT, click Enable.
·····················++-

Although I do not see how to specify the destination computer. Again, this is just a comment, I do not intend to set it up myself.

-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 11/17/2014 09:49 AM, Lew Wolfgang wrote:
More complicated business cases would certainly require more complicated solutions.
And that's the sucker punch! Once business gets the idea that files need to be transferred as part of a business process then 'FTP' -- the idea that files should be transferred using the FTP protocol -- is a big problem and a high risk. BTDT, seen it happen many, many times. Some people won't learn from others' mistakes. Take a "well it doesn't apply to me" attitude even when it does.

No argument with ftp in the small as you describe, so long as it's about containment. But where do you draw the boundary? There's an old anti-security argument that goes "I'm too small for the hackers to bother with". It needs revisiting. Small businesses set up by practitioners who haven't addressed the risks are a disaster waiting to happen. Many of us have done the BTDT cleanups from those cases.

Example: I was at a presentation where a 'hacker demo' was based on someone leaving the TFTP port open and allowing access to ... all manner of stuff. An IT manager from a bank observed that this was ridiculous: "who the hell leaves TFTP open in this day and age?!!!" The answer was "more people than you care to know about and many of them businesses with no internal security".

Some of those small businesses grow but never revise their policy.

-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 2014-11-17 16:27, Anton Aylward wrote:
On 11/17/2014 09:49 AM, Lew Wolfgang wrote:
Example: I was at a presentation where a 'hacker demo' was based on someone leaving the TFTP port open and allowing access to ... All manner of stuff. An IT manager from a bank observed that this was ridiculous "who the hell leaves TFTP open in this day and age?!!!" The answer was "more people than you care to know about and many of them businesses with no internal security".
But tftp is not ftp. It is a different protocol, and security is not one of its features. It is used, I understand, to boot up machines via network, because it can be accessed (read) directly by network card bioses, so it was built very simply. My previous router needed that protocol on the computer in order to send it a self-backup; ie, write access. And it made me cringe. I did it as a test, then on subsequent occasions I just used the router web page instead of telnet (meaning, that via telnet cli requires tftp on the computer; http does not, on that particular router). Me, if I wanted to send files over internet, automatically, and securely, would use passwordless, key-pair, scp. Or, for home setups, even email (encrypted), because you do not need to know the destination IP and it is probably easier to automate than a shared service. Maybe. And email can easily trigger scripts. But has to be small files. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 11/17/2014 10:42 AM, Carlos E. R. wrote:
But tftp is not ftp. It is a different protocol, and security is not one of its features. It is used, I understand, to boot up machines via network, because it can be accessed (read) directly by network card bioses, so it was built very simply.
Yes, that's my point. It's another archaic "anonymous ftp" protocol being used out of context. It's unsecurable and was used to bootstrap 'small' semi-autonomous semi-smart devices such as terminals in the early days of networking when memory/storage was still expensive yamma yamma yamma. It should not have been exposed on the WAN! I'm sorry to say that there was - still is as far as I know - a Big Name ex-IBM Security Consultant who asserted that machines should be shipped with all the standard ports open and services enabled and sysadmins should be smart enough to decide which to shut down, since shipping with them closed would inconvenience users and 'availability' is what counts. (And yes, TFTP was included.) I berated him for this on a public forum, but he was the Big Important Well Known Guy Wearing Suit and I was just an unknown sysadmin mouthing off, who do you think got ignored? Well look how systems ship today. One cannot assume that the Internet is benign. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 11/17/2014 08:48 AM, Anton Aylward wrote:
a Big Name ex-IBM Security Consultant who asserted that machines should be shipped with all the standard ports open and services enabled and sysadmins should be smart enough to decide which to shut down,
This is the RedHat motto as well. (Or was the last time I was forced to use RH). Everything open upon install. I like the Opensuse approach where you don't even have ssh open unless you do it yourself. -- After all is said and done, more is said than done.
On 11/17/2014 06:28 PM, John Andersen wrote:
On 11/17/2014 08:48 AM, Anton Aylward wrote:
a Big Name ex-IBM Security Consultant who asserted that machines should be shipped with all the standard ports open and services enabled and sysadmins should be smart enough to decide which to shut down,
This is the RedHat motto as well. (Or was the last time I was forced to use RH). Everything open upon install.
I like the Opensuse approach where you don't even have ssh open unless you do it yourself.
So do I. I believe that if a user needs something that is lacking he will ask for it. The BOFH can then set things up so that when he tries using it all his files disappear. :-) -- You need only reflect that one of the best ways to get yourself a reputation as a dangerous citizen these days is to go about repeating the very phrases which our founding fathers used in the great struggle for independence. -- Attributed to Charles Austin Beard (1874-1948)
Carlos E. R. wrote:
On 2014-11-17 16:27, Anton Aylward wrote:
On 11/17/2014 09:49 AM, Lew Wolfgang wrote:
Example: I was at a presentation where a 'hacker demo' was based on someone leaving the TFTP port open and allowing access to ... All manner of stuff. An IT manager from a bank observed that this was ridiculous "who the hell leaves TFTP open in this day and age?!!!" The answer was "more people than you care to know about and many of them businesses with no internal security".
But tftp is not ftp. It is a different protocol, and security is not one of its features. It is used, I understand, to boot up machines via network, because it can be accessed (read) directly by network card bioses, so it was built very simply.
It is also often used for uploading/downloading firmware and/or configuration data for network switches and other hardware. -- Per Jessen, Zürich (6.9°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
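Carlos's point that security "is not one of its features" and Per's note that switches and routers keep firmware and configuration on it are both visible in the TFTP packet format itself, so here is that format worked through as code. This is an added example, not code from the thread; the packets, the export directory and the sample config file are constructed for illustration, and serve_request() is a deliberately minimal read-only server written to show what decision such a server can and cannot make.

```python
"""TFTP (RFC 1350) packets, to show what 'security is not one of its features' means on the wire.

Added example, not code from the thread. Packets and the exported file below are constructed.
"""
from __future__ import annotations

import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
ERROR_TEXT = {0: "Not defined", 1: "File not found", 2: "Access violation", 3: "Disk full",
              4: "Illegal TFTP operation", 5: "Unknown transfer ID",
              6: "File already exists", 7: "No such user"}
BLOCK_SIZE = 512


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """RRQ/WRQ: 2-byte opcode, filename, NUL, mode, NUL. There is no field for any credential."""
    if opcode not in (RRQ, WRQ):
        raise ValueError("opcode must be RRQ or WRQ")
    return struct.pack("!H", opcode) + filename.encode("ascii") + b"\0" + mode.encode("ascii") + b"\0"


def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", DATA, block) + payload


def build_error(code: int) -> bytes:
    return struct.pack("!HH", ERROR, code) + ERROR_TEXT[code].encode("ascii") + b"\0"


def parse_packet(pkt: bytes) -> dict:
    """Decode any of the five packet types; raise on anything malformed."""
    if len(pkt) < 4:
        raise ValueError("packet too short")
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode in (RRQ, WRQ):
        fields = pkt[2:].split(b"\0")
        if len(fields) < 3:          # filename, mode, and the empty remainder after the final NUL
            raise ValueError("malformed request")
        return {"op": "RRQ" if opcode == RRQ else "WRQ",
                "filename": fields[0].decode("ascii", "replace"),
                "mode": fields[1].decode("ascii", "replace").lower()}
    block = struct.unpack("!H", pkt[2:4])[0]   # block number, or error code for ERROR packets
    if opcode == DATA:
        return {"op": "DATA", "block": block, "data": pkt[4:], "last": len(pkt) - 4 < BLOCK_SIZE}
    if opcode == ACK:
        return {"op": "ACK", "block": block}
    if opcode == ERROR:
        return {"op": "ERROR", "code": block,
                "message": pkt[4:].split(b"\0")[0].decode("ascii", "replace")}
    raise ValueError(f"unknown opcode {opcode}")


def serve_request(pkt: bytes, exported: dict[str, bytes]) -> bytes:
    """A read-only server's first reply. The only access decision available to it is
    'does this name exist in my export directory'; nothing in the request says who is asking."""
    req = parse_packet(pkt)
    if req["op"] == "WRQ":
        return build_error(2)        # access violation: this server does not accept uploads
    if req["op"] != "RRQ":
        return build_error(4)
    body = exported.get(req["filename"])
    if body is None:
        return build_error(1)
    return build_data(1, body[:BLOCK_SIZE])


if __name__ == "__main__":
    # Constructed export: the kind of file a switch keeps on its TFTP server.
    exported = {"startup-config": b"hostname sw1\ninterface Vlan1\n"}
    req = build_request(RRQ, "startup-config")
    print(req)                       # nothing but an opcode, a name and a mode
    print(parse_packet(serve_request(req, exported)))
    print(parse_packet(serve_request(build_request(WRQ, "firmware.bin"), exported)))
```

The whole authentication story is in build_request(): the request carries a name and a transfer mode and nothing else, so anyone who can reach UDP/69 and guess a filename gets the file, which is exactly what the "hacker demo" Anton mentions relies on. The only control a server has is which names it exports and whether it accepts WRQ at all; everything else has to come from the firewall.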
On 11/16/2014 04:59 AM, Anton Aylward wrote:
On 11/16/2014 07:37 AM, Carlos E. R. wrote:
That is probably why everybody uses http instead of ftp nowdays.
I recommend this for a number of reasons. The CGI that can be set up for a httpd transfer (using cURL or wget as a client if you want to automated or a much more friendly and informative GUI/html interface) can do much better logging, trigger events, filer and deliver, throttle and so much more.
Really? It's amazing you can know what capabilities are in the OP's NAS box. You've wandered off topic here. -- After all is said and done, more is said than done.
On 11/16/2014 04:37 AM, Carlos E. R. wrote:
It is not that easy. You need a router that understands ftp, because it uses two connections: the control on port 21, and the data on another port. Worse, the data port is different on each connection. Worse, depending on using active or passive ftp, that data connection is started by the server or by the client. Thus the router has to listen on the control connection to learn which port it has to forward to where. You can check this with ethereal.
Carlos, for pete's sake, buddy, have you NEVER heard of Passive mode FTP? It's checking a box on most ftp servers followed by opening a small range of ports on the firewall and pointing them to the FTP server.

------ /etc/vsftpd.conf
pasv_enable=Yes
pasv_max_port=21210
pasv_min_port=21200

Your router doesn't need any smarts at all. It just forwards any incoming connection on a range of ports to the FTP server. Shorewall example:

ACCEPT net $FW tcp 21200:21210

Routers don't "listen" on control connections with passive. (Indeed, routers don't "listen" at all. They either drop or route packets.) There is no complex logic necessary to handle passive ftp connections at the router. And further, the ftp server doesn't open those ports till someone requests a transfer, so even if someone figures out what your port range is, they get nowhere, because the ftp server isn't even listening on those ports until it needs to, so the hacking packets get dropped.

You make it sound like rocket science, but ftp, for both active and passive FTP, was solved in routers decades ago. DECADES!!!

As far as the OP is concerned, it is just a matter of whether his NAS box supports PASV, (and what ftp server doesn't these days?)

-- After all is said and done, more is said than done.
On 11/15/2014 01:13 PM, Paul Groves wrote:
Hi All,
I have set up an anonymous FTP share on my FreeNAS box according to the following instructions:
http://youtu.be/wySXaTMMLoA?t=4m23s
This works fine when I access is over LAN in Dolphin and Firefox using ftp://192.168.0.10/
I have forwarded port 21 to 192.168.0.10 on my router, however when I try to access ftp://myinternetip/ it does not connect. I am faced with a loading icon for up to 10 mins in firefox before it times out and Dolphin just says it could not connect to the server after about 30 seconds.
I am able to access my owncloud successfully though. Any ideas?
FTP is an archaic protocol and one of my great hates. We are used to every other protocol, http, smtp and so on, using just the one channel. This is not the case for FTP, it needs two channels, it separates out command and control. Sadly the second channel/back channel is determined at run time.

<quote src="http://www.ncftp.com/ncftpd/doc/misc/ephemeral_ports.html">
Unless a client program explicitly requests a specific port number, the port number used is an ephemeral port number. Ephemeral ports are temporary ports assigned by a machine's IP stack, and are assigned from a designated range of ports for this purpose.
</quote>

Some smart FTP firewalls inspect the packet content to determine the data channel and set up a port opening for that.

There *are* ways to set up FTP with a fixed -- or predetermined -- channel assignment, they are well documented, but PLEASE do not take YouTube to be an authority in this matter! Please see the difference between "Active" and "Passive" FTP.
http://slacksite.com/other/ftp.html

Ziegler's book "Linux Firewalls" may be old, my copy has a copyright date of 2000, and is based on ipchains rather than iptables, but it is still authoritative about the principles. The second and later editions & revisions deal with iptables. Q.V.
http://www.amazon.com/exec/obidos/ASIN/0735710996/
Later editions:
http://www.amazon.com/Linux-Firewalls-Edition-Steve-Suehring/dp/0672327716
http://twitpic.com/clc8p0
http://digitalbooksonlinenow.com/Linux-Firewalls/p109957/?id=78
http://www.amazon.com/Linux-Firewalls-Edition-Steve-Suehring-ebook/dp/B000RH...
Also
http://www.amazon.com/Red-Linux-Firewalls-Bill-McCarty/dp/0764524631

-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
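Three messages in this thread describe the same mechanism from different angles: Anton's point that the second channel is chosen at run time, John's passive-mode port range with a plain port-forward on the router, and Carlos's router "FTP ALG" that reads the control channel to fix up the data channel. The script below walks through exactly what crosses the wire in each case. It is an added example, not code from the thread or from any FTP server; the addresses are constructed (192.168.0.10 is the server's LAN address from the thread, 203.0.113.5 stands in for "myinternetip", and 21200-21210 is the passive range from John's vsftpd snippet), and the check in data_channel_problems() is mine. The one thing John's snippet does not mention, and the check makes visible, is that a server behind NAT must be told which address to advertise in the 227 reply (pasv_address in vsftpd, MasqueradeAddress in proftpd), because otherwise it advertises its LAN address and an outside client hangs trying to reach it even though port 21 and the passive range are forwarded correctly.

```python
"""Passive and active FTP data channels behind NAT, worked on the wire.

Added example, not code from the thread. Addresses are constructed:
  192.168.0.10  LAN address of the FTP server (the one in the thread)
  203.0.113.5   the router's public address, standing in for "myinternetip"
  21200-21210   the passive port range from the vsftpd snippet in the thread
"""
from __future__ import annotations

import ipaddress
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": RFC 959 encodes the data port as p1*256 + p2.
PASV_REPLY = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def build_pasv_reply(ip: str, port: int) -> str:
    """Server side of passive mode: tell the client where to connect for the data channel."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return f"227 Entering Passive Mode ({ip.replace('.', ',')},{port // 256},{port % 256})"


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Client side: recover (host, port) from the 227 reply."""
    m = PASV_REPLY.match(reply)
    if not m:
        raise ValueError(f"not a 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_port_command(client_ip: str, port: int) -> str:
    """Active mode is the mirror image: the client names an endpoint and the server connects back,
    which is why a client behind its own NAT usually cannot use it."""
    return f"PORT {client_ip.replace('.', ',')},{port // 256},{port % 256}"


def data_channel_problems(reply: str, public_ip: str, forwarded: range) -> list[str]:
    """What an Internet client would run into opening the data channel this reply describes."""
    host, port = parse_pasv_reply(reply)
    problems = []
    if host != public_ip:
        kind = "private" if ipaddress.ip_address(host).is_private else "unexpected"
        problems.append(f"advertised {kind} address {host} instead of the public address {public_ip}")
    if port not in forwarded:
        problems.append(f"data port {port} is outside the forwarded range "
                        f"{forwarded.start}-{forwarded.stop - 1}")
    return problems


def alg_rewrite(reply: str, inside_ip: str, public_ip: str) -> str:
    """What a router's FTP ALG does: it reads the control channel and rewrites the inside
    address in a 227 reply to the public one before passing it on."""
    host, port = parse_pasv_reply(reply)
    return build_pasv_reply(public_ip, port) if host == inside_ip else reply


if __name__ == "__main__":
    LAN, PUBLIC, FWD = "192.168.0.10", "203.0.113.5", range(21200, 21211)
    # Passive range configured, but no pasv_address: the server advertises its own LAN address.
    naive = build_pasv_reply(LAN, 21203)
    print(naive, "->", data_channel_problems(naive, PUBLIC, FWD))
    # Same server with the public address configured (vsftpd pasv_address, proftpd MasqueradeAddress).
    fixed = build_pasv_reply(PUBLIC, 21203)
    print(fixed, "->", data_channel_problems(fixed, PUBLIC, FWD) or "ok")
    # The router's FTP ALG would have repaired the naive reply on its way out.
    print(alg_rewrite(naive, LAN, PUBLIC))
    # Right address, but a port the router does not forward: the client still times out.
    print(data_channel_problems(build_pasv_reply(PUBLIC, 21500), PUBLIC, FWD))
    print(build_port_command("198.51.100.7", 50000))
```

The practical check is the one in the main block: connect to port 21 from outside, send PASV, and feed the 227 reply through data_channel_problems() with your public address and the range you forwarded. A private address in the reply means the server needs its masquerade address set (or the router's FTP ALG enabled, which is the rewrite alg_rewrite() performs); a port outside the range means the server's passive range and the router's forward do not agree.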
On 2014-11-16 13:55, Anton Aylward wrote:
FTP is an archaic protocol and one of my great hates.
:-) It baffles many people. I set it up once, then a few months later I have to read it up again.
Zeigler's book "Linux Firewalls" may be old, my copy has a copyright date of 2000, and is based on ipchains rather than iptables, but it is still authoritative about the principles. The second and later editions & revisions deal with iptables. Q.V. http://www.amazon.com/exec/obidos/ASIN/0735710996/
It is automated on SuSEfirewall2, no need to set up iptables yourself :-) The problem is the router... it depends on what it has. Some routers do offer ftp on an external usb disk, I think mine does. Dunno. Or, set the router to redirect everything, unfiltered, unmanaged, to another machine inside. This other machine would do firewall, ftp and NAT for the rest. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
Yes, yes, good rant, but do you have an actual solution to his specific problem, or do you just enjoy the view from atop your soap box?
-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
El 15/11/14 a las 15:13, Paul Groves escribió:
I am able to access my owncloud successfully though. Any ideas?
Yes, Do not do that then :-).. there is no point dealing with FTP in this century.. try HTTP/HTTPS or SFTP instead.
participants (10)
- Anton Aylward
- Bernhard Voelker
- Carlos E. R.
- Cristian Rodríguez
- James Knott
- John Andersen
- Lew Wolfgang
- listreader
- Paul Groves
- Per Jessen