From: Jonas Meurer <jonas@freesources.org>
To: netfilter@lists.netfilter.org
Subject: Re: how to set ports for ip_conntrack_ftp
Date: Sat, 2 Sep 2006 16:27:13 +0200
Message-ID: <20060902142712.GA31352@freesources.org>
In-Reply-To: <44F7996C.9010504@plouf.fr.eu.org>

On 01/09/2006 Pascal Hambourg wrote:
> Jonas Meurer wrote:
> >>
> >>What do the "-d **.**.***.**/31" address ranges represent ?
> >
> >it is 62.75.128.98/31, which should be 62.75.128.98 and 62.75.128.99.
> 
> Actually I did not ask for their exact values but their meaning 
> network-wise. Because usually, when there is "-d <range>" in an INPUT 
> rule there is "-s <range>" in its OUTPUT counterpart or vice versa, but 
> both your INPUT and OUTPUT rule contain the same "-d <range>". So I was 
> wondering. Are these the client and server addresses ?

the ftp servers listen on both ips. so both are server addresses.

do you think that i should change the "-d ..." at -A OUTPUT to "-s ..."?

> >let's say, ftp-servers are on port 9621 and 9721. then i need to open
> >9620 and 9720 as well for ftp, correct?
> 
> Yes. But I repeat that opening 9620 and 9720 is effective for active 
> mode only. Passive mode won't work.

i would like to support both active and passive mode.

> >after using exactly these commands, i'm still not able to connect to the
> >ftp-servers.
> >
> >if i try to login with lftp, it says [Connecting...], then
> >[FEAT negotation...] and then it hangs forever at
> >[Making data connection...].
> 
> This indicates that the control connection succeeds but the data 
> connection fails. Maybe lftp uses passive mode for the data connections 
> by default, then you have to disable it with "set ftp:passive-mode off" 
> so lftp uses active mode instead. You can also use the "debug" command 
> in lftp to get a more verbose output.

even with "set ftp:passive-mode off" it doesn't work:

user@home~$ lftp user@62.75.128.98:9621
lftp user@62.75.128.98:/> debug

lftp user@62.75.128.98:/> set ftp:passive-mode on

lftp user@62.75.128.98:/> ls
---> PASV
<--- 227 Entering Passive Mode (62,75,128,98,180,236)
---- Connecting data socket to (62.75.128.98) port 46316
`ls' at 0 [Making data connection...]

lftp user@62.75.128.98:/> set ftp:passive-mode off

lftp user@62.75.128.98:/> ls

---- Connecting to 62.75.128.98 (62.75.128.98) port 9621
<--- 220 diana50 FTP server (Medusa Async V1.23 [experimental]) ready.
---> FEAT
<--- 530 Please log in with USER and PASS
---> AUTH TLS
<--- 500 'AUTH': command not understood.
---> USER user
<--- 331 Password required.
---> PASS XXXX
<--- 230 Login successful.
---> FEAT
<--- 211-Extensions supported:
<---  MDTM
<---  SIZE
<--- 211 END
---> PORT 192,168,3,34,197,115
<--- 200 PORT command successful.
---> LIST
<--- 150 Opening ASCII mode data connection for file list
<--- 426 Connection closed; transfer aborted
---- Closing data socket

any further suggestions?

...
 jonas
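
The six-number tuples in the 227 reply and the PORT command above are what ip_conntrack_ftp has to read from the control connection in order to expect the data connection. As an added example (not part of the original message), this Python sketch decodes them from the lftp debug lines and reports which side listens and whether the advertised address is in private address space; the function names are hypothetical and the sample lines are copied from the session above.

```python
import ipaddress
import re

# Constructed sample: control-channel lines copied from the lftp debug output above.
SAMPLE_LOG = """\
---> PASV
<--- 227 Entering Passive Mode (62,75,128,98,180,236)
---> PORT 192,168,3,34,197,115
<--- 200 PORT command successful.
"""

# h1,h2,h3,h4,p1,p2 as used by PORT and the 227 reply (RFC 959).
TUPLE_RE = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")


def decode_tuple(text):
    """Return (IPv4Address, port) for the first h1..h4,p1,p2 tuple, or None."""
    m = TUPLE_RE.search(text)
    if not m:
        return None
    octets = [int(g) for g in m.groups()]
    if any(o > 255 for o in octets):
        return None  # not a valid address/port encoding
    ip = ipaddress.IPv4Address(".".join(map(str, octets[:4])))
    return ip, octets[4] * 256 + octets[5]  # port = p1 * 256 + p2


def data_endpoints(log):
    """Return one dict per data-channel endpoint announced in an lftp debug log."""
    results = []
    for line in map(str.strip, log.splitlines()):
        if line.startswith("---> PORT "):
            mode, listener = "active", "client"    # server connects to the client
        elif line.startswith("<--- 227 "):
            mode, listener = "passive", "server"   # client connects to the server
        else:
            continue
        decoded = decode_tuple(line)
        if decoded is None:
            continue
        ip, port = decoded
        results.append({"mode": mode, "listener": listener, "ip": str(ip),
                        "port": port, "private": ip.is_private})
    return results


if __name__ == "__main__":
    for endpoint in data_endpoints(SAMPLE_LOG):
        print(endpoint)
```

The decoded passive port matches the "port 46316" that lftp prints, and the PORT command is seen to advertise a 192.168.x.x address.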

