Hello everybody,

First of all, thank you to the developers of ftp-proxy. I'm very happy that such a tool exists in open source.

I am a new user of ftp-proxy and I am fighting with the problem (using an active mode client):

ftp> ls
200 PORT command successful.
425 Can't build data connection: Cannot assign requested address.

or

ftp> get foo.txt
200 PORT command successful.
425 Can't build data connection: Address already in use.

I scratched my hair so often that I lost some, and now I have to ask for some advice.

Here is my context. It is very classic. My network is designed with two zones:
- public zone with public IP address
- private zone with private IP address

A firewall (router) filters traffic between the two zones and the Internet.

An ftp client in the private zone is not able to connect directly to an ftp server on the Internet, so I'd like to use ftp-proxy on one machine in the public zone. I want the private client to be able to download or upload from/to outside servers. Here is a piece of my poor ascii art:

Private zone        Public zone        Router         Internet
------------        -----------        ------         --------
ftp client ----------> ftp proxy -------(filter)----> ftp server

The ftp-proxy (version 1.8-2) is installed on a Debian box, with the configuration below:

# ftp-proxy -c
Config-File: '/etc/ftp-proxy.conf'
Config-Section ------ '(-global-)'
Config: ActiveMaxDataPort = '40999'
Config: ActiveMinDataPort = '40000'
Config: AllowMagicUser = 'yes'
Config: AllowTransProxy = 'no'
Config: DestinationMaxPort = '42999'
Config: DestinationMinPort = '42900'
Config: Group = 'ftpproxy'
Config: LogDestination = 'daemon'
Config: LogLevel = 'INF'
Config: MaxClients = '64'
Config: MaxClientsMessage = '/etc/proxy-suite/ftp-maxclients.txt'
Config: MaxClientsString = 'The server is full'
Config: PidFile = '/var/run/ftp-proxy.pid'
Config: ServerType = 'standalone'
Config: User = 'ftpproxy'
Config: WelcomeMessage = '/etc/proxy-suite/ftp-welcome.txt'
Config: WelcomeString = 'Welcome to the ftp proxy server on %h'

In order to figure out what's happening, I tried an ftp session from a private client to a private server (so I can monitor both) via the proxy:

Private zone        Public zone        Private zone
------------        -----------        ------------
ftp client ----------> ftp proxy -----------> ftp server

I observe the following behaviour:

First, the proxy has successfully established a control connection to the server. Then, to establish a data connection, the proxy sends a PORT with the *same* port number that is already used. That's why, I suppose, the server tells the proxy via the control channel "Cannot assign requested address" or "Address already in use".

Any advice? Thanks in advance.

Here is an example of which port numbers are used:

 Client          Proxy             Server
 (10.5.0.4)      (193.8.163.6)     (any IP)
 -------         -------------     ------
 35271 -----> 21 - - - > 42900 -----> 21
 35271 <----- 21 < - - - 42900 <----- 21

The control channel is initiated by the client, and the proxy does the same with the server. No problem.

 35272 <----- 40000

The user does a "ls" or a "get", so the client sends to the proxy a PORT command: PORT 10,5,0,4,137,200 (35272). The proxy establishes the data connection. No problem.

                         42900 <----- 20

The proxy sends to the server a PORT command: PORT 193,8,163,6,167,148 (42900). The server tries to establish the data connection and fails: the port 42900 is already in use, by the control connection.

The server sends an error message to the proxy via the control channel, and the proxy sends it in turn to the client: "Can't build data connection"

Strange, isn't it? Or is it normal and have I missed something? Any advice will help.

Friendly yours,

--
Emmanuel Halbwachs                      Laboratoire de Photonique et Nanostructures
tel : 01 69 63 61 34                    CNRS UPR 20
fax : 01 69 63 60 06                    Route de Nozay
mailto:Emmanuel.Halbwachs@lpn.cnrs.fr   91460 Marcoussis
On Wed, Aug 28, 2002 at 04:49:47PM +0200, Emmanuel Halbwachs wrote:
> Hello everybody,

Hi!

OK, the port ranges are (see man 5 ftp-proxy.conf):

Client-Side:

  ActiveMinDataPort
  ActiveMaxDataPort
      min/max local port when connecting to the client's data port;
      the client's data port is the same as the client's control
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      port or the one given in the most recent PORT command.
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      If either minimum or maximum value is not given, the program
      defaults to using port 20, the ftp-data port as per RFC 959.
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

  PassiveMinDataPort
  PassiveMaxDataPort
      min/max local port number used when listening for the client's
      data connection. This is the port number transmitted to the
      client in a 227 response to the PASV command.

Server-Side:

  DestinationMinPort
  DestinationMaxPort
      min/max local port number to be used when opening a connection
      to the FTP server. Valid both for control and data connections.
                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

You are right, there is a problem - but not really with the proxy.
RFC 959 says:

  "[...]
  3.2.  ESTABLISHING DATA CONNECTIONS

     The mechanics of transferring data consists of setting up the data
     connection to the appropriate ports and choosing the parameters
     for transfer.  Both the user and the server-DTPs have a default
     data port.  The user-process default data port is the same as the
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     control connection port (i.e., U).  The server-process default
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^  ^^^^^^^^^^^^^^^^^^^^^^^^^^
     data port is the port adjacent to the control connection port
     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
     (i.e., L-1).
     ^^^^^^^^^^^
  [...]

  8.  CONNECTION ESTABLISHMENT

     The FTP control connection is established via TCP between the user
     process port U and the server process port L.  This protocol is
     assigned the service port 21 (25 octal), that is L=21.
  [...]"

As you see, the proxy follows the RFC. The picture of the __default__ behaviour is:

- without any port ranges:

  mode | ftp-client    ftp-proxy     ftp-server
  ctrl |  35271  ->  21    |  33333  ->  21
  data |  35271  <-  20    |  33333  <-  20

- while port ranges are used:

  mode | ftp-client    ftp-proxy     ftp-server
  ctrl |  35271  ->  21    |  42900  ->  21
  data |  35271  <-  40000 |  42900  <-  20

As you see, it is allowed that the _client_ uses its port number for both ctrl and data connections. The server should simply use a different port for data than for the control connection. In other words, the server shouldn't assume the client uses different ports for ctrl and data connections.

But you are right - if there is a server that reuses its ctrl port for data back-connects to clients, we need an option to use another range here :-) But I mean, there is no server doing this, because it already has a bound socket on the ctrl port...

I'll add a DestinationDataMin/MaxPort option in later releases that overrides DestinationMin/MaxPort...

BTW: take a look at the SockBindRand option as well.
> First of all, thank you to the developers of ftp-proxy. I'm very happy that such a tool exists in open source.
>
> I am a new user of ftp-proxy and I am fighting with the problem (using an active mode client):
>
> ftp> ls
> 200 PORT command successful.
> 425 Can't build data connection: Cannot assign requested address.
>
> or
>
> ftp> get foo.txt
> 200 PORT command successful.
> 425 Can't build data connection: Address already in use.
>
> I scratched my hair so often that I lost some, and now I have to ask for some advice.
>
> Here is my context. It is very classic. My network is designed with two zones:
> - public zone with public IP address
> - private zone with private IP address
>
> A firewall (router) filters traffic between the two zones and the Internet.
>
> An ftp client in the private zone is not able to connect directly to an ftp server on the Internet, so I'd like to use ftp-proxy on one machine in the public zone. I want the private client to be able to download or upload from/to outside servers. Here is a piece of my poor ascii art:
>
> Private zone        Public zone        Router         Internet
> ------------        -----------        ------         --------
> ftp client ----------> ftp proxy -------(filter)----> ftp server
>
> The ftp-proxy (version 1.8-2) is installed on a Debian box, with the configuration below:
>
> # ftp-proxy -c
> Config-File: '/etc/ftp-proxy.conf'
> Config-Section ------ '(-global-)'
> Config: ActiveMaxDataPort = '40999'
> Config: ActiveMinDataPort = '40000'
> Config: AllowMagicUser = 'yes'
> Config: AllowTransProxy = 'no'
> Config: DestinationMaxPort = '42999'
> Config: DestinationMinPort = '42900'
> Config: Group = 'ftpproxy'
> Config: LogDestination = 'daemon'
> Config: LogLevel = 'INF'
> Config: MaxClients = '64'
> Config: MaxClientsMessage = '/etc/proxy-suite/ftp-maxclients.txt'
> Config: MaxClientsString = 'The server is full'
> Config: PidFile = '/var/run/ftp-proxy.pid'
> Config: ServerType = 'standalone'
> Config: User = 'ftpproxy'
> Config: WelcomeMessage = '/etc/proxy-suite/ftp-welcome.txt'
> Config: WelcomeString = 'Welcome to the ftp proxy server on %h'
>
> In order to figure out what's happening, I tried an ftp session from a private client to a private server (so I can monitor both) via the proxy:
>
> Private zone        Public zone        Private zone
> ------------        -----------        ------------
> ftp client ----------> ftp proxy -----------> ftp server
>
> I observe the following behaviour:
>
> First, the proxy has successfully established a control connection to the server. Then, to establish a data connection, the proxy sends a PORT with the *same* port number that is already used. That's why, I suppose, the server tells the proxy via the control channel "Cannot assign requested address" or "Address already in use".
>
> Any advice? Thanks in advance.
>
> Here is an example of which port numbers are used:
>
>  Client          Proxy             Server
>  (10.5.0.4)      (193.8.163.6)     (any IP)
>  -------         -------------     ------
ctrl:
>  35271 -----> 21 - - - > 42900 -----> 21
data:
>  35271 <----- 21 < - - - 42900 <----- 21
   ^^^^^^^^^^^^^^^                       ^^
   NO, the proxy uses                    should be 20 here
   port 20 or one from
   active range.
>
> The control channel is initiated by the client, and the proxy does the same with the server. No problem.
>
>  35272 <----- 40000
>
> The user does a "ls" or a "get", so the client sends to the proxy a PORT command: PORT 10,5,0,4,137,200 (35272). The proxy establishes the data connection. No problem.
>
>                          42900 <----- 20
                           ^^^^^^^^^^^^^^^
If the server uses port 20 here, it should work as expected, but if it uses port 21 for the data connection as well, it will of course fail.

> The proxy sends to the server a PORT command: PORT 193,8,163,6,167,148 (42900). The server tries to establish the data connection and fails: the port 42900 is already in use, by the control connection.
>
> The server sends an error message to the proxy via the control channel, and the proxy sends it in turn to the client: "Can't build data connection"
>
> Strange, isn't it? Or is it normal and have I missed something? Any advice will help.
Please take a look again at what happens there - does the server
really reuse port 21 for data back-connects?

I mean, the server in your case cannot connect back to the
proxy because of any IP filters forbidding this...

Bye,
Marius.

--
Marius Tomaschewski
Hi Marius,

Marius Tomaschewski wrote:

> OK, the port ranges are (see man 5 ftp-proxy.conf):
>
>   ActiveMinDataPort
>   ActiveMaxDataPort
>       min/max local port when connecting to the client's data port;
>       the client's data port is the same as the client's control
>       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>       port or the one given in the most recent PORT command.
>       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>       If either minimum or maximum value is not given, the program
>       defaults to using port 20, the ftp-data port as per RFC 959.
>       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
>   DestinationMinPort
>   DestinationMaxPort
>       min/max local port number to be used when opening a connection
>       to the FTP server. Valid both for control and data connections.
>                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Well, even if I had RTFM, I should RTFM twice! Sorry, Marius.

> Please take a look again at what happens there - does the server
> really reuse port 21 for data back-connects?
>
> I mean, the server in your case cannot connect back to the
> proxy because of any IP filters forbidding this...
I don't think there is a problem with the router-filter, because in all my tests, the first data connection is well established but not the second.

Here is a detailed example which I hope will state the problem clearly. Here is a tethereal capture on my proxy. It shows an internal (both client and server are in my private domain) ftp session via the proxy: client > proxy > server

Note 1: All [SYN,ACK] and [ACK] have been removed for the sake of clarity
Note 2: Comments are boxed and placed *after* the packets they illustrate
Note 3: Hostnames: lagaffe (client), prunelle (proxy), woodstock (server)

-----------------------------------------------------------------
Source   Dest     Proto     Info
-----------------------------------------------------------------
client   proxy    TCP       36686 > ftp [SYN] Seq=1804161465 Ack=0
proxy    client   FTP       Response: 220-Please note that all operations are logged.
proxy    client   FTP       Response: 220 Welcome to the ftp proxy server on prunelle.
client   proxy    FTP       Request: USER eh@server
-----------------------------------------------------------------
Establishment of client-side control channel:
  mode | client   proxy
  ctrl | 36686  > 21
Proxy banner sent via control channel. Client gives username.
-----------------------------------------------------------------
proxy    server   TCP       42900 > ftp [SYN] Seq=3349587970 Ack=0
server   proxy    FTP       Response: 220 woodstock FTP server (SunOS 5.8) ready.
proxy    server   FTP       Request: USER eh
-----------------------------------------------------------------
Establishment of server-side control channel:
  mode | proxy    server
  ctrl | 42900  > 21
Server banner sent via control channel. Client gives username.
-----------------------------------------------------------------
server   proxy    FTP       Response: 331 Password required for eh.
proxy    client   FTP       Response: 331 Password required for eh.
client   proxy    FTP       Request: PASS ********
proxy    server   FTP       Request: PASS ********
server   proxy    FTP       Response: 230 User eh logged in.
proxy    client   FTP       Response: 230 User eh logged in.
-----------------------------------------------------------------
User authentication via control channels.
-----------------------------------------------------------------
client   proxy    FTP       Request: CWD tmp
proxy    server   FTP       Request: CWD tmp
server   proxy    FTP       Response: 250 CWD command successful.
proxy    client   FTP       Response: 250 CWD command successful.
-----------------------------------------------------------------
Change dir command via control channels
-----------------------------------------------------------------
client   proxy    FTP       Request: PORT 10,5,0,4,143,79
proxy    client   FTP       Response: 200 PORT command successful.
client   proxy    FTP       Request: NLST
proxy    client   TCP       40000 > 36687 [SYN] Seq=3369754556 Ack=0
-----------------------------------------------------------------
User asks for directory list: client tells proxy to establish a
data connection on client port 36687:
  mode | client   proxy
  data | 36687  < 40000
-----------------------------------------------------------------
proxy    server   FTP       Request: PORT 193,48,163,6,167,148
server   proxy    FTP       Response: 200 PORT command successful.
proxy    server   FTP       Request: NLST
server   proxy    TCP       ftp-data > 42900 [SYN] Seq=2148422424 Ack=0
-----------------------------------------------------------------
In turn, proxy tells server to establish a data connection on
proxy port 42900:
  mode | proxy    server
  data | 42900  < 21
-----------------------------------------------------------------
server   proxy    FTP       Response: 150 ASCII data connection for /bin/ls (193.48.163.6,42900) (0 bytes).
proxy    client   FTP       Response: 150 ASCII data connection for /bin/ls (193.48.163.6,42900) (0 bytes).
server   proxy    FTP       Response: 226 ASCII Transfer complete.
server   proxy    FTP-DATA  FTP Data: 1460 bytes
proxy    client   TCP       40000 > 36687 [PSH, ACK] Seq=3369754557 Ack=1810026500
server   proxy    FTP-DATA  FTP Data: 1460 bytes
server   proxy    FTP-DATA  FTP Data: 358 bytes
server   proxy    TCP       ftp-data > 42900 [FIN, ACK] Seq=2148425703 Ack=3364873942
proxy    client   TCP       40000 > 36687 [PSH, ACK] Seq=3369756005 Ack=1810026500
proxy    server   TCP       42900 > ftp-data [FIN, ACK] Seq=3364873942 Ack=2148425704
proxy    client   TCP       40000 > 36687 [FIN, PSH, ACK] Seq=3369757453 Ack=1810026500
client   proxy    TCP       36687 > 40000 [FIN, ACK] Seq=1810026500 Ack=3369757836
proxy    client   FTP       Response: 226 ASCII Transfer complete.
-----------------------------------------------------------------
Data are transferred via the data channels and messages are
transferred via the control channels:
  mode | client   proxy     server
  ctrl | 36686  < 21    | 42900  < 21
  data | 36687  < 40000 | 42900  < 20
-----------------------------------------------------------------
client   proxy    FTP       Request: PORT 10,5,0,4,143,80
proxy    client   FTP       Response: 200 PORT command successful.
client   proxy    FTP       Request: NLST toto.txt
proxy    server   FTP       Request: PORT 193,48,163,6,167,148
server   proxy    FTP       Response: 200 PORT command successful.
proxy    client   TCP       40000 > 36688 [SYN] Seq=3391575193 Ack=0
proxy    server   FTP       Request: NLST toto.txt
-----------------------------------------------------------------
User does a "mget toto.txt": client tells proxy to establish a
data connection on client port 36688. In turn, proxy tells server
to establish a data connection on proxy port 42900:
  mode | client   proxy     server
  ctrl | 36686  < 21    | 42900  < 21
  data | 36688  < 40000 | 42900  < ?   (not seen yet, should be 20)
A NLST command is sent via the control channels. Proxy
successfully establishes connection with client.
-----------------------------------------------------------------
server   proxy    FTP       Response: 425 Can't build data connection: Address already in use.
proxy    client   FTP       Response: 425 Can't build data connection: Address already in use.
-----------------------------------------------------------------
Server sends to proxy an error message via control channel:
"Can't build data connection: Address already in use".
Proxy forwards it to client.
-----------------------------------------------------------------
client   proxy    FTP       Request: QUIT
proxy    client   TCP       40000 > 36688 [FIN, ACK] Seq=3391575194 Ack=1814424051
proxy    server   FTP       Request: QUIT
proxy    server   TCP       42900 > ftp [FIN, ACK] Seq=3349588085 Ack=2144779629
server   proxy    FTP       Response: 221 Goodbye.
proxy    client   FTP       Response: 221 Goodbye.
proxy    client   TCP       ftp > 36686 [FIN, ACK] Seq=3343791092 Ack=1804161590
client   proxy    TCP       36686 > ftp [FIN, ACK] Seq=1804161590 Ack=3343791093
client   proxy    TCP       36688 > 40000 [RST] Seq=1814424051 Ack=0
server   proxy    TCP       ftp > 42900 [FIN, ACK] Seq=2144779643 Ack=3349588086
-----------------------------------------------------------------
User types "bye" and all connections are closed.
-----------------------------------------------------------------

As you see, the first data connection for the first NLST is ok, but not the second. If someone has advice, I will pay her/him a virtual coffee.

Friendly yours,

--
Emmanuel Halbwachs                      Laboratoire de Photonique et Nanostructures
tel : (+33)1 69 63 61 34                CNRS UPR 20
fax : (+33)1 69 63 60 06                Route de Nozay
mailto:Emmanuel.Halbwachs@lpn.cnrs.fr   91460 Marcoussis
                                        France
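The port reuse discussed in both messages, modelled in Python as an added example (not code from ftp-proxy or from either poster): it decodes the PORT arguments seen in the capture and replays the server's connection table for the control connection and the two NLST transfers. Assumptions: the server's address (10.5.0.9) and the alternative proxy port 42901 are constructed, and the server's TCP stack refuses a connect() on a 4-tuple that is still in TIME_WAIT after the server itself sent the first FIN, as it did in the capture.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

Endpoint = Tuple[str, int]
FourTuple = Tuple[Endpoint, Endpoint]   # ((local_ip, local_port), (remote_ip, remote_port))


def parse_port_arg(arg: str) -> Endpoint:
    """Decode the h1,h2,h3,h4,p1,p2 argument of an RFC 959 PORT command."""
    values = [int(x) for x in arg.split(",")]
    if len(values) != 6 or not all(0 <= v <= 255 for v in values):
        raise ValueError("PORT needs six comma-separated values in 0..255")
    h1, h2, h3, h4, p1, p2 = values
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class Host:
    """A host's TCP connection table. A 4-tuple can be in use only once; after
    this host sends the first FIN the 4-tuple lingers in TIME_WAIT (assumption:
    the stack refuses a new connect() on a 4-tuple still in that state)."""
    ip: str
    table: Dict[FourTuple, str] = field(default_factory=dict)

    def connect(self, sport: int, dst: Endpoint) -> str:
        key = ((self.ip, sport), dst)
        if key in self.table:           # same local port and same remote endpoint
            return f"fail ({self.table[key]}): {sport} -> {dst[0]}:{dst[1]} already in use"
        self.table[key] = "ESTABLISHED"
        return "ok"

    def active_close(self, sport: int, dst: Endpoint) -> None:
        self.table[((self.ip, sport), dst)] = "TIME_WAIT"


def replay_capture() -> Dict[str, str]:
    """Replay the server-side view of the capture: one control connection from
    proxy port 42900, then two NLST transfers that both name 42900 in PORT."""
    proxy_ip = "193.48.163.6"           # proxy address from the capture
    server = Host("10.5.0.9")           # constructed address for the server
    # control connection proxy:42900 -> server:21, as accepted by the server
    server.table[((server.ip, 21), (proxy_ip, 42900))] = "ESTABLISHED"
    data_ep = parse_port_arg("193,48,163,6,167,148")   # -> ('193.48.163.6', 42900)
    out: Dict[str, str] = {}
    # the case Marius describes: a server reusing its control port 21 for the
    # data back-connect collides with the live control connection
    out["data from ctrl port 21"] = server.connect(21, data_ep)
    # what the capture shows: the first NLST from ftp-data (20) succeeds ...
    out["first NLST from 20"] = server.connect(20, data_ep)
    server.active_close(20, data_ep)    # server sent the FIN first -> TIME_WAIT
    # ... and the second NLST, same PORT, same 4-tuple, is refused
    out["second NLST from 20"] = server.connect(20, data_ep)
    # a distinct proxy-side data port (what a DestinationDataMin/MaxPort range
    # would hand out) gives a fresh 4-tuple; 42901 is a constructed value
    out["second NLST to 42901"] = server.connect(20, (proxy_ip, 42901))
    return out
```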