Mailinglist Archive: proxy-suite (12 mails)
Re: [proxy-suite] Can't build data connection
- From: Marius Tomaschewski <mat@xxxxxxxxxxx>
- Date: Sun, 1 Sep 2002 19:36:10 +0000 (UTC)
- Message-id: <20020901193607.GA30675@xxxxxxxxxxx>
On Wed, Aug 28, 2002 at 04:49:47PM +0200, Emmanuel Halbwachs wrote:
> Hello everybody,
Hi!
OK, the port ranges are (see man 5 ftp-proxy.conf):
Client-Side:
ActiveMinDataPort
ActiveMaxDataPort
min/max local port when connecting to the client's data port;
the client's data port is the same as the client's control
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
port or the one given in the most recent PORT command.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If either minimum or maximum value is not given, the program
defaults to using port 20, the ftp-data port as per RFC 959.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
PassiveMinDataPort
PassiveMaxDataPort
min/max local port number used when listening for the client's
data connection. This is the port number transmitted to the
client in a 227 response to the PASV command.
Server-Side:
DestinationMinPort
DestinationMaxPort
min/max local port number to be used when opening a connection
to the FTP server. Valid both for control and data connections.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
You are right, there is a problem - but not really with the proxy.
RFC 959 says:
"[...]
3.2. ESTABLISHING DATA CONNECTIONS
The mechanics of transferring data consists of setting up the data
connection to the appropriate ports and choosing the parameters
for transfer. Both the user and the server-DTPs have a default
data port. The user-process default data port is the same as the
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
control connection port (i.e., U). The server-process default
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^
data port is the port adjacent to the control connection port
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
(i.e., L-1).
^^^^^^^^^^^
[...]
8. CONNECTION ESTABLISHMENT
The FTP control connection is established via TCP between the user
process port U and the server process port L. This protocol is
assigned the service port 21 (25 octal), that is L=21.
[...]"
As you see, the proxy follows the RFC. The picture of
the __default__ behaviour is:
- without any port ranges:
  mode | ftp-client      ftp-proxy      ftp-server
  ctrl |   35271  ->  21   |   33333  ->  21
  data |   35271  <-  20   |   33333  <-  20
- while port ranges are used:
  mode | ftp-client      ftp-proxy      ftp-server
  ctrl |   35271  ->  21     |   42900  ->  21
  data |   35271  <-  40000  |   42900  <-  20
As you see, it is allowed that the _client_ uses its
port number for both - ctrl and data connection.
The server should simply use a different port for data
than for the control connection.
In other words, the server shouldn't assume that the client
uses a different port for the ctrl and data connections.
But you are right - if there is a server that reuses
its ctrl port for data back-connects to clients, we
need an option to use another range here :-)
But I mean, there is no server doing this, because it
already has a socket bound to the ctrl port...
I'll add a DestinationDataMin/MaxPort option in later
releases that overrides DestinationMin/MaxPort...
BTW: take a look at the SockBindRand option as well.
> First of all, thank you to the developers of ftp-proxy. I'm very
> happy that such a tool exists in open source.
>
> I am a new user of ftp-proxy and I am fighting with the problem
> (using an active mode client) :
>
> ftp> ls
> 200 PORT command successful.
> 425 Can't build data connection: Cannot assign requested address.
>
> or
>
> ftp> get foo.txt
> 200 PORT command successful.
> 425 Can't build data connection: Address already in use.
>
> I scratched my hair so often that I lost some, and now I have to ask
> for some advice.
>
> Here is my context. It is very classic. My network is designed with
> two zones :
>
> - public zone with public IP address
> - private zone with private IP address
>
> A firewall (router) filters traffic between the two zones and the
> Internet.
>
> An ftp client in the private zone is not able to connect directly to an
> ftp server on the Internet, so I'd like to use ftp-proxy on one
> machine in the public zone. I want the private client to be able to
> download or upload from/to outside servers. Here is a piece of my poor
> ascii art :
>
> Private zone Public zone Router Internet
> ------------ ----------- ------ --------
> ftp client ----------> ftp proxy -------(filter)----> ftp server
>
> The ftp-proxy (version 1.8-2) is installed on a Debian box, with the
> configuration below :
>
> # ftp-proxy -c
> Config-File: '/etc/ftp-proxy.conf'
> Config-Section ------ '(-global-)'
> Config: ActiveMaxDataPort = '40999'
> Config: ActiveMinDataPort = '40000'
> Config: AllowMagicUser = 'yes'
> Config: AllowTransProxy = 'no'
> Config: DestinationMaxPort = '42999'
> Config: DestinationMinPort = '42900'
> Config: Group = 'ftpproxy'
> Config: LogDestination = 'daemon'
> Config: LogLevel = 'INF'
> Config: MaxClients = '64'
> Config: MaxClientsMessage = '/etc/proxy-suite/ftp-maxclients.txt'
> Config: MaxClientsString = 'The server is full'
> Config: PidFile = '/var/run/ftp-proxy.pid'
> Config: ServerType = 'standalone'
> Config: User = 'ftpproxy'
> Config: WelcomeMessage = '/etc/proxy-suite/ftp-welcome.txt'
> Config: WelcomeString = 'Welcome to the ftp proxy server on %h'
>
> In order to figure out what's happening, I tried a ftp session from a
> private client to a private server (so I can monitor both) via the
> proxy :
>
> Private zone Public zone Private zone
> ------------ ----------- ------------
> ftp client ----------> ftp proxy -----------> ftp server
>
> I observe the following behaviour :
>
> First, the proxy has successfully established a control connection to
> the server. Then, to establish a data connection, the proxy sends a
> PORT with the *same* port number that is already used. That's why, I
> suppose, the server tells the proxy via the control channel "Cannot
> assign requested address" or "Address already in use".
>
> Any advice ?
> Thanks in advance.
>
> Here is an example of which port numbers are used :
>
>   Client          Proxy              Server
>  (10.5.0.4)    (193.8.163.6)        (any IP)
>  ----------   ---------------      ---------
>
ctrl:
>   35271 -----> 21 - - - > 42900 -----> 21
data:
>   35271 <----- 21 < - - - 42900 <----- 21
                 ^^                       ^^
NO, the proxy uses port 20 or one from the active range
here (proxy side); and it should be 20 here (server side).
> The control channel is initiated by the client, and so does the proxy
> with the server. No problem.
>
> 35272 <----- 40000
>
> The user does a "ls" or a "get", so the client sends to the proxy a
> PORT command : PORT 10,5,0,4,137,200 (35272). The proxy establishes
> the data connection. No problem.
>
> 42900 <----- 20
^^^^^^^^^^^^^^^
If the server uses port 20 here, it should work as expected,
but if it uses port 21 for the data connection as well, it
will of course fail.
> The proxy sends to the server a PORT command :
> PORT 193,8,163,6,167,148 (42900). The server tries to establish
> the data connection and fails : the port 42900 is already in use,
> by the control connection.
>
> The server sends an error message to the proxy via the control
> channel, and the proxy sends it in turn to the client : "Can't build
> data connection"
>
> Strange, isn't it ? Or is it normal and have I missed something ?
> Any advice will help.
Please take a look again at what happens there - does the server
really reuse port 21 for data back-connects?
I mean, the server in your case cannot connect back to the
proxy because of any IP filters forbidding this...
Bye,
Marius.
--
° --- Marius Tomaschewski <mat@xxxxxxxxxxx>, Germany --- °
The number of UNIX installations has grown to 10, with
more expected.
- The Unix Programmer's Manual, 2nd Edition, June 1972
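The arithmetic and the port rules argued about in this mail, written out as an added example (Python; not code from the mail or from proxy-suite). It decodes and encodes the RFC 959 PORT command (port = p1*256 + p2, so 137,200 is 35272 and 167,148 is 42900), applies the check a proxy should make before connecting back to a PORT address (the address must be the control peer and must not be a privileged port; whether ftp-proxy itself does exactly this is not stated in the mail), and models the server's back-connect as a TCP 4-tuple to show why it only collides when the server sources the data connection from its control port 21 rather than from port 20. The function names, the sample server address 192.0.2.10 and the set-of-connections model are assumptions made for this example.

```python
"""Added example, not code from the original mail or from proxy-suite.

The sample server address 192.0.2.10 and the 'existing connections'
model are assumptions made for this example.
"""
import re
from typing import Set, Tuple

_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$",
    re.IGNORECASE,
)


def parse_port_command(line: str) -> Tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (ip, port).

    Port is p1*256 + p2: the mail's 137,200 is 35272 and 167,148 is 42900.
    """
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError("malformed PORT command: %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range: %r" % line)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ip, port


def format_port_command(ip: str, port: int) -> str:
    """Inverse: ('193.8.163.6', 42900) -> 'PORT 193,8,163,6,167,148'."""
    octets = ip.split(".")
    if len(octets) != 4 or any(not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return "PORT %s,%d,%d" % (",".join(octets), port // 256, port % 256)


def check_port_target(control_peer_ip: str, line: str) -> Tuple[str, int]:
    """Accept a client's PORT only if it points back at the control peer.

    Connecting to an arbitrary address named in PORT turns the proxy into
    a bounce relay (the classic FTP bounce problem); refusing privileged
    ports keeps it from being aimed at other services.  This is the check
    the example assumes a proxy should make, not a description of ftp-proxy.
    """
    ip, port = parse_port_command(line)
    if ip != control_peer_ip:
        raise ValueError("PORT address %s is not the control peer %s"
                         % (ip, control_peer_ip))
    if port < 1024:
        raise ValueError("refusing data connection to privileged port %d" % port)
    return ip, port


# TCP identifies a connection by (local ip, local port, remote ip, remote port).
Conn = Tuple[str, int, str, int]


def server_can_connect_back(existing: Set[Conn], server_ip: str,
                            server_src_port: int, proxy_ip: str,
                            proxy_data_port: int) -> Tuple[bool, str]:
    """Would the server's data connection repeat a 4-tuple it already holds?

    The proxy may legally reuse its control port as its data port (RFC 959
    3.2, user side).  The tuple only repeats when the server also sources
    the data connection from 21 instead of the adjacent port 20 (L-1).
    """
    tup = (server_ip, server_src_port, proxy_ip, proxy_data_port)
    if tup in existing:
        return False, "Address already in use"
    return True, "ok"


def simulate_active_transfer(server_data_src_port: int,
                             proxy_ip: str = "193.8.163.6",
                             proxy_port: int = 42900,
                             server_ip: str = "192.0.2.10") -> Tuple[bool, str]:
    """Replay the mail's scenario from the server's point of view.

    The proxy opened its control connection from proxy_port (taken from
    DestinationMin/MaxPort) and then sent 'PORT proxy_ip,proxy_port'.
    """
    existing = {(server_ip, 21, proxy_ip, proxy_port)}  # the control connection
    return server_can_connect_back(existing, server_ip, server_data_src_port,
                                   proxy_ip, proxy_port)


if __name__ == "__main__":
    print(parse_port_command("PORT 10,5,0,4,137,200"))   # ('10.5.0.4', 35272)
    print(format_port_command("193.8.163.6", 42900))     # PORT 193,8,163,6,167,148
    print(simulate_active_transfer(20))                  # (True, 'ok')
    print(simulate_active_transfer(21))                  # (False, 'Address already in use')
```

Run it directly to see the four results: with the server sourcing its data connection from port 20 the back-connect succeeds, with port 21 the 4-tuple is the one already held by the control connection. The exact errno text a real server reports (the mail shows both "Address already in use" and "Cannot assign requested address") depends on its socket code; the example returns a fixed string for the collision case.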