Mailinglist Archive: proxy-suite (12 mails)
Re: [proxy-suite] Can't build data connection
- From: Emmanuel Halbwachs <Emmanuel.Halbwachs@xxxxxxxxxxx>
- Date: Fri, 6 Sep 2002 15:52:06 +0000 (UTC)
- Message-id: <3D78CF20.C6FDB5F5@xxxxxxxxxxx>
Hi Marius,
Marius Tomaschewski wrote:
> OK, the port ranges are (see man 5 ftp-proxy.conf):
>
> ActiveMinDataPort
> ActiveMaxDataPort
> min/max local port when connecting to the client's data port;
> the client's data port is the same as the client's control
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> port or the one given in the most recent PORT command.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> If either minimum or maximum value is not given, the program
> defaults to using port 20, the ftp-data port as per RFC 959.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> DestinationMinPort
> DestinationMaxPort
> min/max local port number to be used when opening a connection
> to the FTP server. Valid both for control and data connections.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Well, even if I had RTFM, I should RTFM twice!
Sorry, Marius.
> Please take a look again what happens there - does the server
> really reuse port 21 for data back connects?
>
> I mean, the server in your case cannot connect back to the
> proxy because of any ip filters forbidding this...
I don't think there is a problem with the router-filter, because
in all my tests, the first data connection is well established
but not the second.
Here is a detailed example which I hope will state the problem
clearly.
Here is a tethereal capture on my proxy. It shows an internal (both
client and server are in my private domain) ftp session via the proxy:
client > proxy > server
Note 1: All [SYN,ACK] and [ACK] have been removed for the sake of
clarity
Note 2: Comments are boxed and placed *after* the packets they
illustrate
Note 3: Hostnames: lagaffe (client), prunelle (proxy), woodstock
(server)
-----------------------------------------------------------------
Source Dest Proto Info
-----------------------------------------------------------------
client proxy TCP 36686 > ftp [SYN] Seq=1804161465 Ack=0
proxy client FTP Response: 220-Please note that all
operations are logged.
proxy client FTP Response: 220 Welcome to the ftp proxy
server on prunelle.
client proxy FTP Request: USER eh@server
-----------------------------------------------------------------
Establishment of client-side control channel:
mode | client proxy
ctrl | 36686 > 21
Proxy banner sent via control channel.
Client gives username.
-----------------------------------------------------------------
proxy server TCP 42900 > ftp [SYN] Seq=3349587970 Ack=0
server proxy FTP Response: 220 woodstock FTP server
(SunOS 5.8) ready.
proxy server FTP Request: USER eh
-----------------------------------------------------------------
Establishment of server-side control channel:
mode | proxy server
ctrl | 42900 > 21
Server banner sent via control channel.
Client gives username.
-----------------------------------------------------------------
server proxy FTP Response: 331 Password required for eh.
proxy client FTP Response: 331 Password required for eh.
client proxy FTP Request: PASS ********
proxy server FTP Request: PASS ********
server proxy FTP Response: 230 User eh logged in.
proxy client FTP Response: 230 User eh logged in.
-----------------------------------------------------------------
User authentication via control channels.
-----------------------------------------------------------------
client proxy FTP Request: CWD tmp
proxy server FTP Request: CWD tmp
server proxy FTP Response: 250 CWD command successful.
proxy client FTP Response: 250 CWD command successful.
-----------------------------------------------------------------
Change dir command via control channels
-----------------------------------------------------------------
client proxy FTP Request: PORT 10,5,0,4,143,79
proxy client FTP Response: 200 PORT command successful.
client proxy FTP Request: NLST
proxy client TCP 40000 > 36687 [SYN] Seq=3369754556 Ack=0
-----------------------------------------------------------------
User asks for directory list: client tells proxy to establish
a data connection on client port 36687:
mode | client proxy
data | 36687 < 40000
-----------------------------------------------------------------
proxy server FTP Request: PORT 193,48,163,6,167,148
server proxy FTP Response: 200 PORT command successful.
proxy server FTP Request: NLST
server proxy TCP ftp-data > 42900 [SYN] Seq=2148422424 Ack=0
-----------------------------------------------------------------
In turn, proxy tells server to establish a data connection on proxy
port 42900:
mode | proxy server
data | 42900 < 21
-----------------------------------------------------------------
server proxy FTP Response: 150 ASCII data connection for
/bin/ls (193.48.163.6,42900) (0 bytes).
proxy client FTP Response: 150 ASCII data connection for
/bin/ls (193.48.163.6,42900) (0 bytes).
server proxy FTP Response: 226 ASCII Transfer complete.
server proxy FTP-DATA FTP Data: 1460 bytes
proxy client TCP 40000 > 36687 [PSH, ACK] Seq=3369754557
Ack=1810026500
server proxy FTP-DATA FTP Data: 1460 bytes
server proxy FTP-DATA FTP Data: 358 bytes
server proxy TCP ftp-data > 42900 [FIN, ACK] Seq=2148425703
Ack=3364873942
proxy client TCP 40000 > 36687 [PSH, ACK] Seq=3369756005
Ack=1810026500
proxy server TCP 42900 > ftp-data [FIN, ACK] Seq=3364873942
Ack=2148425704
proxy client TCP 40000 > 36687 [FIN, PSH, ACK] Seq=3369757453
Ack=1810026500
client proxy TCP 36687 > 40000 [FIN, ACK] Seq=1810026500
Ack=3369757836
proxy client FTP Response: 226 ASCII Transfer complete.
-----------------------------------------------------------------
Data are transferred via the data channels and messages are
transferred via the control channels:
mode | client proxy server
ctrl | 36686 < 21 | 42900 < 21
data | 36687 < 40000 | 42900 < 20
-----------------------------------------------------------------
client proxy FTP Request: PORT 10,5,0,4,143,80
proxy client FTP Response: 200 PORT command successful.
client proxy FTP Request: NLST toto.txt
proxy server FTP Request: PORT 193,48,163,6,167,148
server proxy FTP Response: 200 PORT command successful.
proxy client TCP 40000 > 36688 [SYN] Seq=3391575193 Ack=0
proxy server FTP Request: NLST toto.txt
-----------------------------------------------------------------
User does a "mget toto.txt": client tells proxy to establish a data
connection on client port 36688. In turn, proxy tells server to
establish a data connection on proxy port 42900:
mode | client proxy server
ctrl | 36686 < 21 | 42900 < 21
data | 36688 < 40000 | 42900 < ? (not seen yet, should be 20)
A NLST command is sent via the control channels.
Proxy successfully establishes connection with client.
-----------------------------------------------------------------
server proxy FTP Response: 425 Can't build data connection:
Address already in use.
proxy client FTP Response: 425 Can't build data connection:
Address already in use.
-----------------------------------------------------------------
Server sends to proxy an error message via control channel:
"Can't build data connection: Address already in use". Proxy
forwards it to client.
-----------------------------------------------------------------
client proxy FTP Request: QUIT
proxy client TCP 40000 > 36688 [FIN, ACK] Seq=3391575194
Ack=1814424051
proxy server FTP Request: QUIT
proxy server TCP 42900 > ftp [FIN, ACK] Seq=3349588085
Ack=2144779629
server proxy FTP Response: 221 Goodbye.
proxy client FTP Response: 221 Goodbye.
proxy client TCP ftp > 36686 [FIN, ACK] Seq=3343791092
Ack=1804161590
client proxy TCP 36686 > ftp [FIN, ACK] Seq=1804161590
Ack=3343791093
client proxy TCP 36688 > 40000 [RST] Seq=1814424051 Ack=0
server proxy TCP ftp > 42900 [FIN, ACK] Seq=2144779643
Ack=3349588086
-----------------------------------------------------------------
User types "bye" and all connections are closed.
-----------------------------------------------------------------
As you see, the first data connection for the first NLST is ok,
but not the second.
If someone has any advice, I will pay her/him a virtual coffee.
Friendly yours,
--
Emmanuel Halbwachs
Laboratoire de Photonique et Nanostructures, CNRS UPR 20
Route de Nozay, 91460 Marcoussis, France
tel : (+33)1 69 63 61 34
fax : (+33)1 69 63 60 06
mailto:Emmanuel.Halbwachs@xxxxxxxxxxx
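An added example, written for this archive page and not code from the list, from ftp-proxy or from the capture tooling above, that decodes the RFC 959 PORT arguments in the trace and performs two checks a defender reading such a capture would want flagged: the same data port announced twice on one hop, and a data port equal to the source port of that hop's own control connection. Run over lines copied from the capture (embedded below as a constructed sample), it reports that PORT 193,48,163,6,167,148 decodes to 42900 on both transfers and that 42900 is also the proxy's control-connection source port, while the client side announces 36687 and then 36688. A second server connection from port 20 to proxy port 42900 carries the same 4-tuple as the first data connection, which the side that closed it first still holds in TIME_WAIT, so "Address already in use" is the expected outcome. The names `audit_data_ports`, `parse_capture` and `SAMPLE_LINES` are this example's own.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the capture in this thread, keeping only
# the fields this helper reads (source, destination, and the FTP/TCP info).
SAMPLE_LINES = [
    "client proxy TCP 36686 > ftp [SYN] Seq=1804161465 Ack=0",
    "proxy server TCP 42900 > ftp [SYN] Seq=3349587970 Ack=0",
    "client proxy FTP Request: PORT 10,5,0,4,143,79",
    "proxy server FTP Request: PORT 193,48,163,6,167,148",
    "client proxy FTP Request: PORT 10,5,0,4,143,80",
    "proxy server FTP Request: PORT 193,48,163,6,167,148",
]

PORT_RE = re.compile(r"PORT\s+(\d{1,3}(?:,\d{1,3}){5})\b")
CTRL_SYN_RE = re.compile(r"TCP\s+(\d+)\s+>\s+ftp\s+\[SYN\]")


def decode_port_arg(arg):
    """Decode an RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    parts = [int(x) for x in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed PORT argument: %r" % arg)
    h1, h2, h3, h4, p1, p2 = parts
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def encode_port_arg(ip, port):
    """Inverse of decode_port_arg: the argument a client or proxy would send."""
    octets = ip.split(".")
    if len(octets) != 4 or not 0 < port <= 65535:
        raise ValueError("bad address/port: %r:%r" % (ip, port))
    return ",".join(octets + [str(port // 256), str(port % 256)])


def parse_capture(lines):
    """Collect, per (src, dst) hop, the control-connection source ports seen in
    '<port> > ftp [SYN]' lines and every (hop, ip, port) announced via PORT."""
    control_ports = {}
    announcements = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        hop = (fields[0], fields[1])
        m = CTRL_SYN_RE.search(line)
        if m:
            control_ports.setdefault(hop, set()).add(int(m.group(1)))
            continue
        m = PORT_RE.search(line)
        if m:
            ip, port = decode_port_arg(m.group(1))
            announcements.append((hop, ip, port))
    return control_ports, announcements


def audit_data_ports(lines):
    """Flag announced data ports that repeat on a hop ('reused') or that equal
    the hop's control-connection source port ('equals_control')."""
    control_ports, announcements = parse_capture(lines)
    counts = Counter((hop, ip, port) for hop, ip, port in announcements)
    findings = []
    for (hop, ip, port), n in sorted(counts.items()):
        if n > 1:
            findings.append(("reused", hop, ip, port, n))
        if port in control_ports.get(hop, set()):
            findings.append(("equals_control", hop, ip, port, n))
    return findings


if __name__ == "__main__":
    for kind, (src, dst), ip, port, n in audit_data_ports(SAMPLE_LINES):
        print("%-15s %s>%s announced %s:%d (%d time(s))" % (kind, src, dst, ip, port, n))
```

Against the sample the audit returns two findings, both for the proxy>server hop and port 42900; the client>proxy hop is clean because its two announcements differ. The configuration check that follows from the quoted manual page is to confirm that DestinationMinPort and DestinationMaxPort, which apply to both control and data connections, define a range wide enough that each new server-side connection gets a fresh local port rather than the one still tied up by the previous transfer.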