On Thu, Jun 21, 2001 at 02:17:40PM +0200, Alois Treindl wrote:
> Hi
Hi!
> I have a strange problem with ftp-proxy.
>
> Client: Netscape 4.77 on Linux, behind a firewall which does not allow incoming port 21 connections.
>
> Server: ftp-proxy connected to real server proftpd
> ftp-proxy configuration:
>   DestinationAddress w1
>   DestinationPort 21
>   DestinationTransferMode passive
>   Listen 0.0.0.0
>   LogDestination /var/log/ftp-proxy.log
>   MaxClients 64
>   PassiveMinDataPort 41000
>   PassiveMaxDataPort 41999
>   ServerType standalone
>   TimeOut 300
>   WelcomeString Welcome to ftp.astro.com
>
> Symptom: accessing a directory which is a symbolic link to another directory on the ftp server fails.
>
> This happens only with the Netscape client; ncftp in passive mode works. It happens only with ftp-proxy in between the server and the client; when I access an identically configured proftpd server on another machine, there is no problem.
>
> The Netscape client does this access in a complicated way, when one clicks on the name of the directory:
>   CMD=SIZE reply: 550 not a regular file
>   CMD=MDTM reply: 550 not a plain file
>   CMD=RETR reply: 550 not a regular file
>   CMD=CWD reply: 250 successful
>   CMD=LIST here the ftp-proxy tries to open a port 20 connection to client
>
> For some reason, the proxy seems to start a connection at port 20 to the client, which it should not do in passive mode, and of course it fails at the client's filtering firewall.
No, it only does a _bind_ to port 20 and then connects using this _bound_ socket to the client. You are using active transfer there with the client, not passive; the proxy<->server communication is passive.
> Here is the logfile (with -v 4)
Please use -v 2
> From the ftp-proxy.debug file:
> ------------------------------
> (important lines near bottom, see 'here comes the bug' or TECH-ERR)
> [...]
> 14:01:56 < 4679> gets Cli-Ctrl 0=192.53.104.46: 25 bytes 'SIZE /pub/swisseph/my_doc'
> 14:01:56 < 4679> from User-PI (0): cmd='SIZE' arg='/pub/swisseph/my_doc'
> 14:01:56 < 4679> printf Srv-Ctrl 4=10.1.1.1: 27 bytes 'SIZE /pub/swisseph/my_doc'
> 14:01:56 < 4679> alloc 51 (com-socket.c:688): 0x8060180
> 14:01:56 < 4679> USER-INF 'SIZE /pub/swisseph/my_doc' from 192.53.104.46
> 14:01:56 < 4679> FD_SET Cli-Data for R
> 14:01:56 < 4679> FD_SET Srv-Ctrl for W
> 14:01:56 < 4679> FD_SET Srv-Ctrl for R
> 14:01:56 < 4679> FD_SET Cli-Ctrl for R
> 14:01:56 < 4679> free 0x8060180 (com-socket.c:1046)
> 14:01:56 < 4679> ll_write Srv-Ctrl 4=10.1.1.1: 27 bytes
> 14:01:56 < 4679> client-loop ...
> 14:01:56 < 4679> FD_SET Cli-Data for R
> 14:01:56 < 4679> FD_SET Srv-Ctrl for R
> 14:01:56 < 4679> FD_SET Cli-Ctrl for R
> 14:01:56 < 4679> alloc 71 (com-socket.c:956): 0x8060180
> 14:01:56 < 4679> ll_read Srv-Ctrl 4=10.1.1.1: 47 bytes
> 14:01:56 < 4679> client-loop ...
> 14:01:56 < 4679> free 0x8060180 (com-socket.c:538)
> 14:01:56 < 4679> gets Srv-Ctrl 4=10.1.1.1: 45 bytes '550 /pub/swisseph/my_doc: not a regular file.'
> 14:01:56 < 4679> from Server-PI (4): '550 /pub/swisseph/my_doc: not a regular file.'
> 14:01:56 < 4679> printf Cli-Ctrl 0=192.53.104.46: 47 bytes '550 /pub/swisseph/my_doc: not a regular file.'
The ftp-server refuses to SIZE a link, that's all.
> 14:01:56 < 4679> gets Cli-Ctrl 0=192.53.104.46: 25 bytes 'MDTM /pub/swisseph/my_doc'
> 14:01:56 < 4679> from User-PI (0): cmd='MDTM' arg='/pub/swisseph/my_doc'
> 14:01:56 < 4679> printf Srv-Ctrl 4=10.1.1.1: 27 bytes 'MDTM /pub/swisseph/my_doc'
> 14:01:56 < 4679> alloc 51 (com-socket.c:688): 0x8060180
> 14:01:56 < 4679> USER-INF 'MDTM /pub/swisseph/my_doc' from 192.53.104.46
> 14:01:56 < 4679> FD_SET Cli-Data for R
> 14:01:56 < 4679> FD_SET Srv-Ctrl for W
> 14:01:56 < 4679> FD_SET Srv-Ctrl for R
> 14:01:56 < 4679> FD_SET Cli-Ctrl for R
> 14:01:56 < 4679> free 0x8060180 (com-socket.c:1046)
> 14:01:56 < 4679> ll_write Srv-Ctrl 4=10.1.1.1: 27 bytes
> 14:01:56 < 4679> client-loop ...
> 14:01:56 < 4679> FD_SET Cli-Data for R
> 14:01:56 < 4679> FD_SET Srv-Ctrl for R
> 14:01:56 < 4679> FD_SET Cli-Ctrl for R
> 14:01:56 < 4679> alloc 69 (com-socket.c:956): 0x8060180
> 14:01:56 < 4679> ll_read Srv-Ctrl 4=10.1.1.1: 45 bytes
> 14:01:56 < 4679> client-loop ...
> 14:01:56 < 4679> free 0x8060180 (com-socket.c:538)
> 14:01:56 < 4679> gets Srv-Ctrl 4=10.1.1.1: 43 bytes '550 /pub/swisseph/my_doc: not a plain file.'
> 14:01:56 < 4679> from Server-PI (4): '550 /pub/swisseph/my_doc: not a plain file.'
> 14:01:56 < 4679> printf Cli-Ctrl 0=192.53.104.46: 45 bytes '550 /pub/swisseph/my_doc: not a plain file.'
The ftp-server refuses to get MDTM of a link.
> 14:01:57 < 4679> gets Cli-Ctrl 0=192.53.104.46: 25 bytes 'RETR /pub/swisseph/my_doc'
> 14:01:57 < 4679> from User-PI (0): cmd='RETR' arg='/pub/swisseph/my_doc'
> 14:01:57 < 4679> USER-INF 'RETR /pub/swisseph/my_doc' from 192.53.104.46
> 14:01:57 < 4679> printf Srv-Ctrl 4=10.1.1.1: 6 bytes 'PASV'
> 14:01:57 < 4679> alloc 30 (com-socket.c:688): 0x8060180
> 14:01:57 < 4679> FD_SET Cli-Data for R
> 14:01:57 < 4679> FD_SET Srv-Ctrl for W
> 14:01:57 < 4679> FD_SET Srv-Ctrl for R
> 14:01:57 < 4679> FD_SET Cli-Ctrl for R
> 14:01:57 < 4679> free 0x8060180 (com-socket.c:1046)
> 14:01:57 < 4679> ll_write Srv-Ctrl 4=10.1.1.1: 6 bytes
> 14:01:57 < 4679> client-loop ...
> 14:01:57 < 4679> FD_SET Cli-Data for R
> 14:01:57 < 4679> FD_SET Srv-Ctrl for R
> 14:01:57 < 4679> FD_SET Cli-Ctrl for R
> 14:01:57 < 4679> alloc 70 (com-socket.c:956): 0x8060180
> 14:01:57 < 4679> ll_read Srv-Ctrl 4=10.1.1.1: 46 bytes
> 14:01:57 < 4679> client-loop ...
> 14:01:57 < 4679> free 0x8060180 (com-socket.c:538)
> 14:01:57 < 4679> gets Srv-Ctrl 4=10.1.1.1: 44 bytes '227 Entering Passive Mode (10,1,1,1,212,43).'
> 14:01:57 < 4679> from Server-PI (4): '227 Entering Passive Mode (10,1,1,1,212,43).'
> 14:01:57 < 4679> alloc 68 (com-socket.c:327): 0x8060180
> 14:01:57 < 4679> created HLS for 5=10.1.1.1:54315
> 14:01:57 < 4679> connect: Srv-Data fd=5
> 14:01:57 < 4679> printf Srv-Ctrl 4=10.1.1.1: 27 bytes 'RETR /pub/swisseph/my_doc'
> 14:01:57 < 4679> alloc 51 (com-socket.c:688): 0x80601c8
> 14:01:57 < 4679> TECH-INF 'RETR /pub/swisseph/my_doc' sent for 192.53.104.46
> 14:01:57 < 4679> FD_SET Srv-Data for R
> 14:01:57 < 4679> FD_SET Cli-Data for R
> 14:01:57 < 4679> FD_SET Srv-Ctrl for W
> 14:01:57 < 4679> FD_SET Srv-Ctrl for R
> 14:01:57 < 4679> FD_SET Cli-Ctrl for R
> 14:01:57 < 4679> free 0x80601c8 (com-socket.c:1046)
> 14:01:57 < 4679> ll_write Srv-Ctrl 4=10.1.1.1: 27 bytes
> 14:01:57 < 4679> client-loop ...
> 14:01:57 < 4679> FD_SET Srv-Data for R
> 14:01:57 < 4679> FD_SET Cli-Data for R
> 14:01:57 < 4679> FD_SET Srv-Ctrl for R
> 14:01:57 < 4679> FD_SET Cli-Ctrl for R
> 14:01:57 < 4679> alloc 70 (com-socket.c:956): 0x80601c8
> 14:01:57 < 4679> ll_read Srv-Ctrl 4=10.1.1.1: 46 bytes
> 14:01:57 < 4679> client-loop ...
> 14:01:57 < 4679> free 0x80601c8 (com-socket.c:538)
> 14:01:57 < 4679> gets Srv-Ctrl 4=10.1.1.1: 44 bytes '550 /pub/swisseph/my_doc: Not a regular file'
> 14:01:57 < 4679> from Server-PI (4): '550 /pub/swisseph/my_doc: Not a regular file'
> 14:01:57 < 4679> printf Cli-Ctrl 0=192.53.104.46: 46 bytes '550 /pub/swisseph/my_doc: Not a regular file'
And here the ftp-server refuses to RETR a link. What has this to do with the proxy? It is an ftp-server issue.
> 14:01:57 < 4679> gets Cli-Ctrl 0=192.53.104.46: 4 bytes 'LIST'
> 14:01:57 < 4679> from User-PI (0): cmd='LIST' arg=''
> 14:01:57 < 4679> USER-INF 'LIST' from 192.53.104.46
> 14:01:57 < 4679> printf Srv-Ctrl 4=10.1.1.1: 6 bytes 'PASV'
> 14:01:57 < 4679> alloc 30 (com-socket.c:688): 0x80601c8
> 14:01:57 < 4679> FD_SET Srv-Data for R
> 14:01:57 < 4679> FD_SET Cli-Data for R
> 14:01:57 < 4679> FD_SET Srv-Ctrl for W
> 14:01:57 < 4679> FD_SET Srv-Ctrl for R
> 14:01:57 < 4679> FD_SET Cli-Ctrl for R
> 14:01:57 < 4679> free 0x80601c8 (com-socket.c:1046)
> 14:01:57 < 4679> ll_write Srv-Ctrl 4=10.1.1.1: 6 bytes
> 14:01:57 < 4679> client-loop ...
> 14:01:57 < 4679> FD_SET Srv-Data for R
> 14:01:57 < 4679> FD_SET Cli-Data for R
> 14:01:57 < 4679> FD_SET Srv-Ctrl for R
> 14:01:57 < 4679> FD_SET Cli-Ctrl for R
> 14:01:57 < 4679> closed: Srv-Data -1=10.1.1.1
> 14:01:57 < 4679> client-loop ...
> 14:01:57 < 4679> about to destroy Srv-Data
> 14:01:57 < 4679> deleting HLS Srv-Data -1=10.1.1.1:54315
> 14:01:57 < 4679> free 0x8060180 (com-socket.c:473)
> 14:01:57 < 4679> FD_CLR Cli-Data
> 14:01:57 < 4679> client-loop ...
> 14:01:57 < 4679> about to destroy Cli-Data
> 14:01:57 < 4679> USER-INF Transfer for 192.53.104.46: LIST '' 1 sec
> 14:01:57 < 4679> deleting HLS Cli-Data -1=192.53.104.46:4421
> 14:01:57 < 4679> free 0x805f770 (com-socket.c:473)
> 14:01:57 < 4679> FD_SET Srv-Ctrl for R
> 14:01:57 < 4679> FD_SET Cli-Ctrl for R
> 14:01:57 < 4679> alloc 70 (com-socket.c:956): 0x805f770
> 14:01:57 < 4679> ll_read Srv-Ctrl 4=10.1.1.1: 46 bytes
> 14:01:57 < 4679> client-loop ...
> 14:01:57 < 4679> free 0x805f770 (com-socket.c:538)
> 14:01:57 < 4679> gets Srv-Ctrl 4=10.1.1.1: 44 bytes '227 Entering Passive Mode (10,1,1,1,212,44).'
> 14:01:57 < 4679> from Server-PI (4): '227 Entering Passive Mode (10,1,1,1,212,44).'
> 14:01:57 < 4679> alloc 68 (com-socket.c:327): 0x805f770
> 14:01:57 < 4679> created HLS for 5=10.1.1.1:54316
> **** here comes the bug
> 14:01:57 < 4679> connect: Srv-Data fd=5
> 14:01:57 < 4679> try to con-bind Cli-Data to 195.49.62.59:20
> 14:01:57 < 4679> TECH-ERR can't connect Cli-Data for 192.53.104.46 (errno=113 [No route to host])
> 14:01:57 < 4679> printf Cli-Ctrl 0=192.53.104.46: 33 bytes '425 Can't open data connection.'
This is the same as in the other mail - do not use transparent
proxying or update to 1.7tp7 and set Listen IP.

The problem in transparent mode is, getsockname returns the IP
of the ftp-server the client wanted to connect to instead of
the IP of the proxy and if no Listen is set, the proxy uses
this IP to bind the socket to before it connects the client.
In simple words, the proxy is spoofing the client.

Kind regards,
Marius Tomaschewski
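
A triage check for the log pattern diagnosed above (an added example, not part of the original thread and not ftp-proxy code): it decodes the 227 reply to recover the passive proxy<->server leg and flags any Cli-Data bind to an address the proxy host does not own, paired with the connect failure that follows. The log lines are copied from the thread; PROXY_ADDRS is a constructed placeholder and the function names are hypothetical.

```python
import re

# Lines copied from the debug log quoted in this thread.
SAMPLE_LOG = """\
14:01:57 < 4679> gets Srv-Ctrl 4=10.1.1.1: 44 bytes '227 Entering Passive Mode (10,1,1,1,212,44).'
14:01:57 < 4679> created HLS for 5=10.1.1.1:54316
14:01:57 < 4679> connect: Srv-Data fd=5
14:01:57 < 4679> try to con-bind Cli-Data to 195.49.62.59:20
14:01:57 < 4679> TECH-ERR can't connect Cli-Data for 192.53.104.46 (errno=113 [No route to host])
"""
PROXY_ADDRS = {"192.0.2.10"}  # constructed placeholder: addresses the proxy host owns

ENTRY = re.compile(r"^\d\d:\d\d:\d\d <\s*(\d+)> (.*)$")
PASV = re.compile(r"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
BIND = re.compile(r"try to con-bind Cli-Data to (\d+\.\d+\.\d+\.\d+):(\d+)")
FAIL = re.compile(r"TECH-ERR can't connect Cli-Data for (\S+) \(errno=(\d+)")

def parse_pasv(reply):
    """Decode a 227 reply into (ip, port), where port = p1 * 256 + p2."""
    m = PASV.search(reply)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        return None  # malformed octet
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def audit(log_text, proxy_addrs):
    """Return one finding per data-socket bind to an address the proxy does not own."""
    findings, pasv, pending = [], {}, {}
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # skip annotations and blank lines
        pid, msg = m.groups()
        pasv[pid] = parse_pasv(msg) or pasv.get(pid)  # latest proxy<->server leg
        bind, fail = BIND.search(msg), FAIL.search(msg)
        if bind and bind.group(1) not in proxy_addrs:
            pending[pid] = {"bound_to": bind.group(1), "port": int(bind.group(2)),
                            "server_leg": pasv[pid], "client": None, "errno": None}
            findings.append(pending[pid])
        elif fail and pid in pending:
            # pair the connect failure with the bind that preceded it
            pending.pop(pid).update(client=fail.group(1), errno=int(fail.group(2)))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, PROXY_ADDRS))
```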