* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood
@ 2008-05-26 19:24 Filippo Zeus
2008-05-26 19:39 ` whiplash
0 siblings, 1 reply; 15+ messages in thread
From: Filippo Zeus @ 2008-05-26 19:24 UTC (permalink / raw)
To: netfilter
That's true ... proftpd has been configured to encrypt auth+data
so the PORT command is sent in cleartext way.
I you read
question Using mod_tls, FTP sessions through my firewall now no longer
work. What's going on?
at http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html
proftpd developers suggest to do this to fix this problem...
but it do not work.
please help
> There's no bug, indeed.
> Conntrack helper simply *can't* see the PORT command, since the packet
> payload
> is encrypted.
>
^ permalink raw reply [flat|nested] 15+ messages in thread* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood 2008-05-26 19:24 iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood Filippo Zeus @ 2008-05-26 19:39 ` whiplash 2008-05-26 20:00 ` Filippo Zeus 0 siblings, 1 reply; 15+ messages in thread From: whiplash @ 2008-05-26 19:39 UTC (permalink / raw) To: netfilter Filippo Zeus ha scritto: > That's true ... proftpd has been configured to encrypt auth+data > so the PORT command is sent in cleartext way. > > I you read > question Using mod_tls, FTP sessions through my firewall now no longer > work. What's going on? > at http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html > > proftpd developers suggest to do this to fix this problem... > but it do not work. Did you verify, by using for example tcpdump, that th client is actually using CCC, sending commands in clear text? ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood 2008-05-26 19:39 ` whiplash @ 2008-05-26 20:00 ` Filippo Zeus 2008-05-26 20:41 ` Patrick McHardy 2008-05-26 22:05 ` Jan Engelhardt 0 siblings, 2 replies; 15+ messages in thread From: Filippo Zeus @ 2008-05-26 20:00 UTC (permalink / raw) To: netfilter thanks for your help at first ! yes. and i've tested tons of clients (ftp-ssl, filezilla, hated M$-IE). unfortunatly tcpdump has confirmed my prefeeling. Also, reading at proftpd log i can see that encrypted channel is switched off after PASS command and stay on only for the data channel. I'm not shure, cause i'm not a developer, but i think that ftp_conntrak module open a port *ONLY* if it read first the USER command, then the PASS command, then PASV/PORT commands not simply if a (cleartext) PORT command came from the ftp client. > Did you verify, by using for example tcpdump, that th client is > actually using > CCC, sending commands in clear text? > ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood 2008-05-26 20:00 ` Filippo Zeus @ 2008-05-26 20:41 ` Patrick McHardy 2008-05-27 1:14 ` Filippo Zeus 2008-05-26 22:05 ` Jan Engelhardt 1 sibling, 1 reply; 15+ messages in thread From: Patrick McHardy @ 2008-05-26 20:41 UTC (permalink / raw) To: filippozeus; +Cc: netfilter Filippo Zeus wrote: > thanks for your help at first ! > > yes. and i've tested tons of clients (ftp-ssl, filezilla, hated M$-IE). > unfortunatly tcpdump has confirmed my prefeeling. > Also, reading at proftpd log i can see that encrypted channel is > switched off after PASS command > and stay on only for the data channel. > > I'm not shure, cause i'm not a developer, but i think that > ftp_conntrak module open a port *ONLY* if > it read first the USER command, then the PASS command, then PASV/PORT > commands > not simply if a (cleartext) PORT command came from the ftp client. Please send a tcpdump. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood 2008-05-26 20:41 ` Patrick McHardy @ 2008-05-27 1:14 ` Filippo Zeus 2008-05-27 7:39 ` Patrick McHardy 2008-05-27 7:49 ` whiplash 0 siblings, 2 replies; 15+ messages in thread From: Filippo Zeus @ 2008-05-27 1:14 UTC (permalink / raw) To: netfilter Considering ftp-control port is text based i've dumped with -A switch. I hope it's ok ********** TCPDUMP LOG STARTS HERE ********** [zeus@augustus ~] % sudo tcpdump -A -i ppp0 -n tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ppp0, link-type PPP (PPP), capture size 96 bytes 03:05:57.045277 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: S 834183062:834183062(0) win 8192 <mss 1460,nop,wscale 3,nop,nop,timestamp 538543633 0,sackOK,eol> 2....1......... ................ ........... 03:05:58.008113 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: S 834183062:834183062(0) win 8192 <mss 1460,nop,wscale 3,nop,nop,timestamp 538543642 0,sackOK,eol> 2....1......... ................ ........... 03:05:58.289943 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: S 3283700948:3283700948(0) ack 834183063 win 5840 <mss 1420,nop,nop,sackOK,nop,wscale 7> 2.P.?......L.1....................... 03:05:58.290033 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 1 win 1024 2....1.....L.P....Y..+ 03:05:59.103851 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: S 3283700948:3283700948(0) ack 834183063 win 5840 <mss 1420,nop,nop,sackOK,nop,wscale 7> 2.P.?......L.1....................... 03:05:59.103934 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 1 win 1024 2....1.....L.P....Y..+ 03:05:59.149005 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 1:71(70) ack 1 win 46 2.P.?......L.1...P....`..220 FTP Server ready. Please use FTP-TLS or login wi 03:05:59.149078 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 71 win 1024 2....1.....M.P.......+ 03:05:59.149759 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 1:11(10) ack 71 win 1024 2....1.....M.P.......AUTH TLS 03:05:59.700919 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: . ack 11 win 46 2.P.?......M.1...P....... 03:05:59.700939 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 71:96(25) ack 11 win 46 2.P.?......M.1...P...O...234 AUTH TLS successful 03:05:59.701036 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 96 win 1024 2....1.....M4P.......+ 03:05:59.706276 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 11:95(84) ack 96 win 1024 2....1.....M4P...L.......O...K..H;^w.i} ..\*.+....'b..]...5`.O....$.3.E.9 03:06:00.416441 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 1516:1666(150) ack 95 win 46 2.P.?......R.1...P....[...)E..5O......tsp.+).)..W[H..u.)IP..&....XZr...~.<... 03:06:00.416535 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 96 win 1024 <nop,nop,sack 1 {1516:1666}> 2....1.....M4........... ..R...SV 03:06:00.435501 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: . 96:1516(1420) ack 95 win 46 2.P.?......M41...P...........J...F..H;^x2...qYQP..H:=...H%I=3..X.... ....... 03:06:00.435594 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 1666 win 1024 2....1.....SVP....z..+ 03:06:00.506622 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 95:234(139) ack 1666 win 1024 2....1.....SVP..................8......(......k.8.v.....~W.y...!Ot....... 03:06:01.200890 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: . ack 234 win 54 2.P.?......SV1...P..6.... 03:06:01.200956 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 234:437(203) ack 1666 win 1024 X?..A...M'........$..M.S.........../..X........ 03:06:01.882933 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: . ack 437 win 63 2.P.?......SV1..KP..?.... 03:06:01.882941 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 1666:1725(59) ack 437 win 63 2.P.?......SV1..KP..?..............0....9.../!L.]..z^..5&VEL....D..^-...S...- 03:06:01.883016 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 1725 win 1024 2....1..K..S.P.......+ 03:06:01.903140 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 437:650(213) ack 1725 win 1024 ...&q..p0.......$]..........M.}..{..^`v..o....H.1.. 03:06:02.666951 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 1725:1794(69) ack 650 win 71 2.P.?......S.1.. P..Gz.......@)C.#.B1....9....6.=u..6......&..4<...,F..#.y..* 03:06:02.667022 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 1794 win 1024 2....1.. ..S.P.......+ 03:06:02.681297 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 650:719(69) ack 1794 win 1024 2....1.. ..S.P....`......@...T././......s.. D..k#......X..V.F......Phv,.. 03:06:03.288189 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 1794:1975(181) ack 719 win 71 2.P.?......S.1..eP..G..........,.........;......c7m.~r.._#..OFw.P.`d@F..%...f 03:06:03.288267 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 1975 win 1024 2....1..e..T.P.......+ 03:06:03.292196 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 719:900(181) ack 1975 win 1024 2....1..e..T.P...W>.........>.. ..D0.....@.M.'...c".... B........l.T..... 03:06:04.047064 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 1975:2028(53) ack 900 win 80 2.P.?......T.1...P..P........0.7D...y..9iC..p%f...kM;.rg|n).l)I.&..-.!4.OH... 03:06:04.047141 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 2028 win 1024 2....1.....T.P.......+ 03:06:04.051879 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 900:953(53) ack 2028 win 1024 &....1.....T.P...........0.a.......rR..Y....}..:....7O.E.k.< .'.m/.. 03:06:04.781092 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 2028:2097(69) ack 953 win 80 2.P.?......T.1..OP..Py.......@.u_U=.g........ .......^..c.|..9.. 03:06:04.781176 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 2097 win 1024 2....1..O..U.P....q..+ 03:06:04.793662 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 953:1054(101) ack 2097 win 1024 ...!E...: 2....1..O..U.P...........`...8_B.|2.`..$.>....W&.#.8.D..J.o.8..Z,.......+ 03:06:05.417095 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 2097:2166(69) ack 1054 win 80 2.P.?......U.1...P..P\ ......@..8.....]..K....=\...v3..;Z0K....A=u.....3MRg.M 03:06:05.417171 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 2166 win 1024 2....1.....UJP....... 03:06:05.422336 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 1054:1267(213) ack 2166 win 1024 2....1.....UJP....k............if6.J=.wyJ.....nIp....4cS.]....^2.x..*.D.I 03:06:06.211021 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 2166:2219(53) ack 1267 win 88 2.P.?......UJ1...P..X........0mr...1......w....5..aD.k....H..A.I..5~...eHk#|: 03:06:06.211102 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 2219 win 1024 2....1.....U.P.......+ 03:06:06.215691 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 1267:1480(213) ack 2219 win 1024 2....1.....U.P..............Y[,.s....d.)...h....]..W[W%...C4U.#... .}.c.A 03:06:06.985733 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 2219:2304(85) ack 1480 win 96 2.P.?......U.1..^P..`.`......PH...5/.u.....!....8.z..V/{.qx..;..._.v...b.\.N" 03:06:06.985773 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 2304 win 1024 2....1..^..U.P.......+ 03:06:06.990020 IP 151.80.2.63.55195 > ***HIDDEN_IP***.42770: S 2291999512:2291999512(0) win 8192 <mss 1460,nop,wscale 3,nop,nop,timestamp 538543732 0,sackOK,eol> 2......#....... .R!............. ..t........ 03:06:06.990156 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 1480:1533(53) ack 2304 win 1024 2....1..^..U.P.....?M+ ......0..|c.%....RM.f.ja.*....s.....}..^]....l*m=eE+.Q 03:06:07.703988 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: . ack 1533 win 96 2.P.?......U.1...P..`.... 03:06:07.921114 IP 151.80.2.63.55195 > ***HIDDEN_IP***.42770: S 2291999512:2291999512(0) win 8192 <mss 1460,nop,wscale 3,nop,nop,timestamp 538543741 0,sackOK,eol> 2......#....... .R.............. ..}........ 03:06:08.922451 IP 151.80.2.63.55195 > ***HIDDEN_IP***.42770: S 2291999512:2291999512(0) win 8192 <mss 1460,nop,wscale 3,nop,nop,timestamp 538543751 0,sackOK,eol> 2......#....... .R.............. ........... 03:06:09.923976 IP 151.80.2.63.55195 > ***HIDDEN_IP***.42770: S 2291999512:2291999512(0) win 8192 <mss 1460,sackOK,eol> ...!E..0<^@.@. 2......#.....p. .E........... 03:06:10.925518 IP 151.80.2.63.55195 > ***HIDDEN_IP***.42770: S 2291999512:2291999512(0) win 8192 <mss 1460,sackOK,eol> 2......#.....p. .E........... 03:06:11.926834 IP 151.80.2.63.55195 > ***HIDDEN_IP***.42770: S 2291999512:2291999512(0) win 8192 <mss 1460,sackOK,eol> 2......#.....p. .E........... ^C 52 packets captured 53 packets received by filter 0 packets dropped by kernel [zeus@augustus ~] % ********** TCPDUMP LOG ENDS HERE ********** > Please send a tcpdump. > ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood 2008-05-27 1:14 ` Filippo Zeus @ 2008-05-27 7:39 ` Patrick McHardy 2008-05-27 7:46 ` Jan Engelhardt 2008-05-27 7:49 ` whiplash 1 sibling, 1 reply; 15+ messages in thread From: Patrick McHardy @ 2008-05-27 7:39 UTC (permalink / raw) To: filippozeus; +Cc: netfilter Filippo Zeus wrote: > Considering ftp-control port is text based i've dumped with -A switch. I > hope it's ok > > 03:05:59.149005 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 1:71(70) > ack 1 win 46 > 2.P.?......L.1...P....`..220 FTP Server ready. Please use FTP-TLS or > login wi > 03:05:59.149078 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 71 win > 1024 > 2....1.....M.P.......+ > 03:05:59.149759 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 1:11(10) > ack 71 win 1024 > 2....1.....M.P.......AUTH TLS > > 03:05:59.700919 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: . ack 11 win 46 > 2.P.?......M.1...P....... > 03:05:59.700939 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 71:96(25) > ack 11 win 46 > 2.P.?......M.1...P...O...234 AUTH TLS successful > > 03:05:59.701036 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 96 win > 1024 > 2....1.....M4P.......+ > 03:05:59.706276 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 11:95(84) > ack 96 win 1024 > 2....1.....M4P...L.......O...K..H;^w.i} ..\*.+....'b..]...5`.O....$.3.E.9 > 03:06:00.416441 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P > 1516:1666(150) ack 95 win 46 > 2.P.?......R.1...P....[...)E..5O......tsp.+).)..W[H..u.)IP..&....XZr...~.<... Its a bit hard to read, but this looks like your client also encrypts the control connection, which explains why FTP conntrack doesn't work. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood 2008-05-27 7:39 ` Patrick McHardy @ 2008-05-27 7:46 ` Jan Engelhardt 0 siblings, 0 replies; 15+ messages in thread From: Jan Engelhardt @ 2008-05-27 7:46 UTC (permalink / raw) To: Patrick McHardy; +Cc: filippozeus, netfilter On Tuesday 2008-05-27 09:39, Patrick McHardy wrote: > Filippo Zeus wrote: >> Considering ftp-control port is text based i've dumped with -A switch. I hope >> it's ok >> >> 03:05:59.149005 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 1:71(70) ack 1 >> win 46 >> 2.P.?......L.1...P....`..220 FTP Server ready. Please use FTP-TLS or login wi >> 03:05:59.149078 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 71 win 1024 >> 2....1.....M.P.......+ >> 03:05:59.149759 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 1:11(10) ack 71 >> win 1024 >> 2....1.....M.P.......AUTH TLS >> >> 03:05:59.700919 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: . ack 11 win 46 >> 2.P.?......M.1...P....... >> 03:05:59.700939 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 71:96(25) ack 11 >> win 46 >> 2.P.?......M.1...P...O...234 AUTH TLS successful >> >> 03:05:59.701036 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: . ack 96 win 1024 >> 2....1.....M4P.......+ >> 03:05:59.706276 IP 151.80.2.63.55194 > ***HIDDEN_IP***.21: P 11:95(84) ack 96 >> win 1024 >> 2....1.....M4P...L.......O...K..H;^w.i} ..\*.+....'b..]...5`.O....$.3.E.9 >> 03:06:00.416441 IP ***HIDDEN_IP***.21 > 151.80.2.63.55194: P 1516:1666(150) >> ack 95 win 46 >> 2.P.?......R.1...P....[...)E..5O......tsp.+).)..W[H..u.)IP..&....XZr...~.<... > > > Its a bit hard to read, but this looks like your client also > encrypts the control connection, which explains why FTP > conntrack doesn't work. `tcpdump -Xs0` is preferred; unless the encryption is temporarily dropped using the CCC command to make the PASV/PORT commands in plaintext, the stream is not analyzable. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood 2008-05-27 1:14 ` Filippo Zeus 2008-05-27 7:39 ` Patrick McHardy @ 2008-05-27 7:49 ` whiplash 1 sibling, 0 replies; 15+ messages in thread From: whiplash @ 2008-05-27 7:49 UTC (permalink / raw) To: netfilter Filippo Zeus ha scritto: > Considering ftp-control port is text based i've dumped with -A switch. I > hope it's ok [cut] > 52 packets captured > 53 packets received by filter > 0 packets dropped by kernel It seems to me that the whole traffic is encrypted: there's no PASV and no LIST in the hard-to-read tcpdump you sent (hiding ip is useless, since you already sent the protfpd.conf with the true ServerName...) ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood 2008-05-26 20:00 ` Filippo Zeus 2008-05-26 20:41 ` Patrick McHardy @ 2008-05-26 22:05 ` Jan Engelhardt 2008-05-26 22:32 ` Jan Engelhardt 2008-05-26 22:32 ` whiplash 1 sibling, 2 replies; 15+ messages in thread From: Jan Engelhardt @ 2008-05-26 22:05 UTC (permalink / raw) To: Filippo Zeus; +Cc: netfilter, kaber On Monday 2008-05-26 22:00, Filippo Zeus wrote: > I'm not shure, cause i'm not a developer, but i think that ftp_conntrak module > open a port *ONLY* if > it read first the USER command, then the PASS command, then PASV/PORT commands > not simply if a (cleartext) PORT command came from the ftp client. It sets up an expectation once it sees PORT/EPRT/PASV/EPSV, regardless of USER/PASS. It does *NOT* recognize the TLS commands SSCN/CPSV, which is probably the problem, if you claim that the control connection is clear-text. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood 2008-05-26 22:05 ` Jan Engelhardt @ 2008-05-26 22:32 ` Jan Engelhardt 2008-05-26 22:32 ` whiplash 1 sibling, 0 replies; 15+ messages in thread From: Jan Engelhardt @ 2008-05-26 22:32 UTC (permalink / raw) To: Filippo Zeus; +Cc: netfilter, kaber On Tuesday 2008-05-27 00:05, Jan Engelhardt wrote: >On Monday 2008-05-26 22:00, Filippo Zeus wrote: > >> I'm not shure, cause i'm not a developer, but i think that ftp_conntrak module >> open a port *ONLY* if >> it read first the USER command, then the PASS command, then PASV/PORT commands >> not simply if a (cleartext) PORT command came from the ftp client. > >It sets up an expectation once it sees PORT/EPRT/PASV/EPSV, >regardless of USER/PASS. > >It does *NOT* recognize the TLS commands SSCN/CPSV, >which is probably the problem, if you claim that the control >connection is clear-text. Ah never mind, SSL using SSCN/CPSV seems obsolete since long. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood 2008-05-26 22:05 ` Jan Engelhardt 2008-05-26 22:32 ` Jan Engelhardt @ 2008-05-26 22:32 ` whiplash 2008-05-27 1:30 ` Filippo Zeus 1 sibling, 1 reply; 15+ messages in thread From: whiplash @ 2008-05-26 22:32 UTC (permalink / raw) To: netfilter Jan Engelhardt ha scritto: > It does *NOT* recognize the TLS commands SSCN/CPSV, Aren't these extensions used only in FXP? ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood 2008-05-26 22:32 ` whiplash @ 2008-05-27 1:30 ` Filippo Zeus 0 siblings, 0 replies; 15+ messages in thread From: Filippo Zeus @ 2008-05-27 1:30 UTC (permalink / raw) To: netfilter i do not know, but I'm using filezilla client. here are logs. I Hope this helps Stato: Risoluzione dell'indirizzo IP in corso per ftp.lifesaver.it Trace: ControlSocket.cpp(979): CRealControlSocket::ContinueConnect(0x1650c678) m_pEngine=0x154cbd30 caller=0x8f7c28 Stato: Connessione a ***HIDDEN_IP***:21 in corso... Stato: Connessione stabilita, in attesa del messaggio di benvenuto... Trace: CFtpControlSocket::OnReceive() Risposta: 220 FTP Server ready. Please use FTP-TLS or login will be rejected. Trace: CFtpControlSocket::SendNextCommand() Comando: AUTH TLS Trace: CFtpControlSocket::OnReceive() Risposta: 234 AUTH TLS successful Stato: Inizializzazione TLS in corso... Trace: CTlsSocket::Handshake() Trace: CFtpControlSocket::SendNextCommand() Comando: USER ftp_temp Trace: CTlsSocket::Handshake() Trace: CTlsSocket::Handshake() Trace: CTlsSocket::Handshake() Trace: CTlsSocket::Handshake() Trace: CTlsSocket::Handshake() Trace: CTlsSocket::Handshake() Trace: CTlsSocket::Handshake() Trace: CTlsSocket::Handshake() Trace: CTlsSocket::Handshake() Trace: CTlsSocket::Handshake() Trace: CTlsSocket::Handshake() Trace: CTlsSocket::Handshake() Trace: Handshake successful Trace: Cipher: AES-128-CBC, MAC: SHA1 Stato: Verifica del certificato in corso (checking cert.)... Stato: Connessione TLS/SSL established. Trace: CFtpControlSocket::OnReceive() Trace: CFtpControlSocket::OnReceive() Trace: CFtpControlSocket::OnReceive() Trace: CFtpControlSocket::OnReceive() Risposta: 331 Password required for ftp_temp Trace: CFtpControlSocket::SendNextCommand() Comando: PASS ********** Trace: CFtpControlSocket::OnReceive() Trace: CFtpControlSocket::OnReceive() Trace: CFtpControlSocket::OnReceive() Risposta: 230 Welcome ! Trace: CFtpControlSocket::SendNextCommand() Comando: PBSZ 0 Trace: CFtpControlSocket::OnReceive() Trace: CFtpControlSocket::OnReceive() Trace: CFtpControlSocket::OnReceive() Risposta: 200 PBSZ 0 successful Trace: CFtpControlSocket::SendNextCommand() Comando: PROT P Trace: CFtpControlSocket::OnReceive() Trace: CFtpControlSocket::OnReceive() Trace: CFtpControlSocket::OnReceive() Risposta: 200 Protection set to Private Stato: Connesso (connected) Trace: CFtpControlSocket::ResetOperation(0) Trace: CControlSocket::ResetOperation(0) Stato: Lettura elenco cartelle... (Reading folders list) Trace: CFtpControlSocket::SendNextCommand() Trace: CFtpControlSocket::ChangeDirSend() Comando: PWD Trace: CFtpControlSocket::OnReceive() Trace: CFtpControlSocket::OnReceive() Trace: CFtpControlSocket::OnReceive() Risposta: 257 "/" is the current directory Trace: CFtpControlSocket::ResetOperation(0) Trace: CControlSocket::ResetOperation(0) Trace: CFtpControlSocket::ParseSubcommandResult(0) Trace: CFtpControlSocket::ListSubcommandResult() Trace: CFtpControlSocket::SendNextCommand() Trace: CFtpControlSocket::TransferSend() Comando: TYPE I Trace: CFtpControlSocket::OnReceive() Trace: CFtpControlSocket::OnReceive() Trace: CFtpControlSocket::OnReceive() Risposta: 200 Type set to I Trace: CFtpControlSocket::TransferParseResponse() Trace: CFtpControlSocket::SendNextCommand() Trace: CFtpControlSocket::TransferSend() Comando: PASV Trace: CFtpControlSocket::OnReceive() Trace: CFtpControlSocket::OnReceive() Trace: CFtpControlSocket::OnReceive() Risposta: 227 Entering Passive Mode (77,43,13,50,167,18). Trace: CFtpControlSocket::TransferParseResponse() Trace: CFtpControlSocket::SendNextCommand() Trace: CFtpControlSocket::TransferSend() Comando: LIST Trace: CFtpControlSocket::OnReceive() Errore: Tempo scaduto per la connessione Trace: CFtpControlSocket::ResetOperation(2114) Trace: CControlSocket::ResetOperation(2114) Trace: CFtpControlSocket::ResetOperation(2114) Trace: CControlSocket::ResetOperation(2114) Errore: Non è stato possibile leggere il contenuto della cartella (can't read folder content) whiplash ha scritto: > > Aren't these extensions used only in FXP? > -- ^ permalink raw reply [flat|nested] 15+ messages in thread
[parent not found: <483B04A8.9000405@gmail.com>]
* iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood [not found] <483B04A8.9000405@gmail.com> @ 2008-05-26 18:51 ` Filippo Zeus 2008-05-26 19:07 ` whiplash 2008-05-26 19:28 ` Jan Engelhardt 0 siblings, 2 replies; 15+ messages in thread From: Filippo Zeus @ 2008-05-26 18:51 UTC (permalink / raw) To: netfilter Hi, i think the ftp_contrack module has a bug. I'm setting up proftpd 1.3.1 with TLS for encrypting auth+data only traffic to let ftp_conntrack module understand the port command when a client connects to the server using a PASV mode. Look at link below and search for question Using mod_tls, FTP sessions through my firewall now no longer work. What's going on? ftp_conntrack module probably do no understand the port command so it do not open the port. Tryed to define a limited passive ports in proftpd.conf and setted up iptables to ACCEPT any conection in this range fixed the problem. But pratically i've bypassed the ftp_conntrack module. Here are system infos and main configuration parts. Debian Lenny uname -a Linux debian 2.6.24-1-amd64 #1 SMP Thu Mar 27 16:52:38 UTC 2008 x86_64 GNU/Linux __________ iptables -V iptables v1.4.0 ________ proftpd -V Compile-time Settings: Version: 1.3.1 Platform: LINUX Built With: configure --prefix=/usr --with-includes=/usr/include/postgresql:/usr/include/mysql --mandir=/usr/share/man --sysconfdir=/etc/proftpd --localstatedir=/var/run --libexecdir=/usr/lib/proftpd --enable-sendfile --enable-facl --enable-dso --enable-autoshadow --enable-ctrls --with-modules=mod_readme --enable-ipv6 --build x86_64-linux-gnu --with-shared=mod_site_misc:mod_load:mod_ban:mod_quotatab:mod_sql:mod_sql_mysql:mod_sql_postgres:mod_quotatab_sql:mod_ldap:mod_quotatab_ldap:mod_ratio:mod_tls:mod_rewrite:mod_radius:mod_wrap:mod_wrap2:mod_wrap2_file:mod_wrap2_sql:mod_quotatab_file:mod_quotatab_radius:mod_facl:mod_ctrls_admin:mod_ifsession CFLAGS: -O2 -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -DHAVE_OPENSSL -DUSE_LDAP_TLS -Wall -Wno-long-double LDFLAGS: -L$(top_srcdir)/lib LIBS: -lsupp -lcrypt Files: Configuration File: /etc/proftpd/proftpd.conf Pid File: /var/run/proftpd.pid Scoreboard File: /var/run/proftpd/proftpd.scoreboard Shared Module Directory: /usr/lib/proftpd Features: + Autoshadow support + Controls support + curses support - Developer support + DSO support + IPv6 support + Largefile support - Lastlog support + ncurses support - NLS support + OpenSSL support + POSIX ACL support + Shadow file support + Sendfile support + Trace support Tunable Options: PR_TUNABLE_BUFFER_SIZE = 1024 PR_TUNABLE_GLOBBING_MAX = 8 PR_TUNABLE_HASH_TABLE_SIZE = 40 PR_TUNABLE_NEW_POOL_SIZE = 512 PR_TUNABLE_RCVBUFSZ = 8192 PR_TUNABLE_SCOREBOARD_BUFFER_SIZE = 80 PR_TUNABLE_SCOREBOARD_SCRUB_TIMER = 30 PR_TUNABLE_SELECT_TIMEOUT = 30 PR_TUNABLE_SNDBUFSZ = 8192 PR_TUNABLE_TIMEOUTIDENT = 10 PR_TUNABLE_TIMEOUTIDLE = 600 PR_TUNABLE_TIMEOUTLINGER = 180 PR_TUNABLE_TIMEOUTLOGIN = 300 PR_TUNABLE_TIMEOUTNOXFER = 300 PR_TUNABLE_TIMEOUTSTALLED = 3600 PR_TUNABLE_XFER_BUFFER_SIZE = 1024 PR_TUNABLE_XFER_SCOREBOARD_UPDATES = 10 ___________ *** CONFIGURATIONS **** cat /etc/proftpd/proftpd.conf # Includes DSO modules Include /etc/proftpd/modules.conf UseIPv6 off ServerName "ftp.foo.barl" ServerType standalone ServerAdmin support@foo.bar UseReverseDNS off DeferWelcome off MultilineRFC2228 on DefaultServer off DefaultAddress 127.0.0.1 TimeoutNoTransfer 600 TimeoutStalled 600 TimeoutIdle 1200 DisplayLogin "README" #DisplayFirstChdir .message ListOptions "-l" DenyFilter \*.*/ Port 21 MaxInstances 50 User proftpd Group nogroup Umask 000 AllowOverwrite on UseSendFile off TransferLog /var/log/proftpd/main.log SystemLog /var/log/proftpd/system.log LogFormat default "%t USER: SEND %r " LogFormat extended "%t USER: %u (from IP %a ) send CMD: %r REPLY: %s (Transfer %b bytes in %T sec.)" SocketBindTight off <IfModule mod_tls.c> TLSEngine on TLSLog /var/log/proftpd/tls.log TLSProtocol SSLv23 TLSOptions NoCertRequest TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem TLSVerifyClient off </IfModule> <IfModule mod_quota.c> QuotaEngine on </IfModule> <IfModule mod_ratio.c> Ratios on </IfModule> <IfModule mod_delay.c> DelayEngine on </IfModule> <IfModule mod_ctrls.c> ControlsEngine on ControlsMaxClients 2 ControlsLog /var/log/proftpd/controls.log ControlsInterval 5 ControlsSocket /var/run/proftpd/proftpd.sock </IfModule> <IfModule mod_ctrls_admin.c> AdminControlsEngine on </IfModule> <Global> PassivePorts 32768 32778 MaxLoginAttempts 2 ServerIdent on " " ExtendedLog /var/log/proftpd/Activity.log AUTH default ExtendedLog /var/log/proftpd/Activity.log WRITE,READ extended DefaultRoot ~ AllowRetrieveRestart on MaxClients 30 "SERVER_BUSY: Please retry. NOTE: The Accident will be reported to System Administrator" MaxClientsPerHost 5 "ERROR: You can't open more than five (5) session form the same host. Close an FTP session or retry later." AllowStoreRestart on DeleteAbortedStores off LoginPasswordPrompt off AccessDenyMsg "ERROR: Incorrect Login! Please Retry. NOTE: The Accident will be reported to System Admnistrator" AccessGrantMsg "Welcome to lifesaver FTP service, DO NOT FORGET TO SWITCH to TLS/SSL FTP ! ... and please keep in mind all your actions here will be logged! " DefaultTransferMode binary IdentLookups off HiddenStores off ShowSymlinks off DirFakeGroup on ftp DirFakeUser on ftp AllowOverwrite on WtmpLog on RootLogin off AuthAliasOnly off PathDenyFilter "\\.(ftpaccess|htaccess)$" ListOptions "-l" DisplayConnect "Welcome to xxxxxx. Please Login ... " DisplayGoAway "Welcome to xxxxxx ... Sorry, too many user are logged in ... Please retry later" AuthOrder mod_auth_file.c RequireValidShell no AuthUserFile /etc/proftpd/passwd <Limit SITE_CHMOD> DenyAll </Limit> <IfModule mod_delay.c> DelayEngine on </IfModule> </Global> <VirtualHost xx.xxx.x.x> ServerName "ftp.lifesaver.it" ServerIdent on "FTP Server ready. Please use FTP-TLS or login will be rejected. " TransferLog /var/log/proftpd/ftp-lifesaver-it.log <Limit LOGIN> AllowUser ftp_temp Deny All </Limit> <IfModule mod_tls.c> TLSEngine on TLSLog /var/log/proftpd/tls.log TLSOptions NoCertRequest TLSRSACertificateFile /etc/proftpd/ssl/proftpd.cert.pem TLSRSACertificateKeyFile /etc/proftpd/ssl/proftpd.key.pem TLSVerifyClient off TLSRequired auth+data </IfModule> TransferRate RETR 213.0:1024 TransferRate APPE 213.0:1024 TransferRate STOR 2048.0:1024 TransferRate STOU 2048.0:1024 </VirtualHost> ____________ cat /etc/init.d/firewall # Loading ipfilter connection tracking modules echo -n "Loading conntrack modules ... " modprobe ip_conntrack modprobe ip_conntrack_ftp modprobe ip_conntrack_irc modprobe ip_nat_ftp # Loading ipfilter rules echo -n "Loading ipfilter rules ... " # Setting Chains State iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -P FORWARD ACCEPT # Drop Ping-Flood iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j ACCEPT iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -j LOG --log-prefix PING_FLOOD-DROP iptables -A INPUT -p icmp --icmp-type echo-request -j DROP # Allow loopback traffic (lo) iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT # Allow established connections iptables -A OUTPUT -o $NIC0 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC1 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -o $NIC2 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC0 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC1 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i $NIC2 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -i $NIC0 -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow new outgoing tcp, udp, icmp connections iptables -A OUTPUT -p tcp -o $NIC0 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p tcp -o $NIC1 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p tcp -o $NIC2 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p udp -o $NIC0 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p udp -o $NIC1 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p udp -o $NIC2 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p icmp -o $NIC0 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p icmp -o $NIC1 -m state --state NEW -j ACCEPT iptables -A OUTPUT -p icmp -o $NIC2 -m state --state NEW -j ACCEPT # Drop fragments and invalid packets iptables -A INPUT -f -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix INPUT_FRAG-DROP: iptables -A INPUT -f -j DROP iptables -A INPUT -m state --state INVALID -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix INPUT_INVALID-DROP: iptables -A INPUT -m state --state INVALID -j DROP iptables -A OUTPUT -f -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix OUTPUT_FRAG-DROP: iptables -A OUTPUT -f -j DROP iptables -A OUTPUT -m state --state INVALID -j LOG --log-prefix OUTPUT_INVALID-DROP: iptables -A OUTPUT -m state --state INVALID -j DROP # Allow FTP from LAN iptables -A INPUT -p tcp --syn -i $NIC0 -s $LANPOOL -d $LAN --dport 21 -m state --state NEW -j ACCEPT # Allow FTP from WAN2 iptables -A INPUT -p tcp --syn -i $NIC2 -d $WAN2 --dport 21 -m state --state NEW -j ACCEPT ## # FTPES Workaround ## iptables -A INPUT -p tcp --syn -i $NIC2 -d $WAN2 --dport 32768:32778 -j ACCEPT # Allow SSH from LAN ... ----- CUTTED HERE ----- ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood 2008-05-26 18:51 ` Filippo Zeus @ 2008-05-26 19:07 ` whiplash 2008-05-26 19:28 ` Jan Engelhardt 1 sibling, 0 replies; 15+ messages in thread From: whiplash @ 2008-05-26 19:07 UTC (permalink / raw) To: filippozeus; +Cc: netfilter Filippo Zeus ha scritto: > ftp_conntrack module probably do no understand the port command so it do > not open the port. There's no bug, indeed. Conntrack helper simply *can't* see the PORT command, since the packet payload is encrypted. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood 2008-05-26 18:51 ` Filippo Zeus 2008-05-26 19:07 ` whiplash @ 2008-05-26 19:28 ` Jan Engelhardt 1 sibling, 0 replies; 15+ messages in thread From: Jan Engelhardt @ 2008-05-26 19:28 UTC (permalink / raw) To: Filippo Zeus; +Cc: netfilter On Monday 2008-05-26 20:51, Filippo Zeus wrote: > Hi, > i think the ftp_contrack module has a bug. > > I'm setting up proftpd 1.3.1 with TLS for encrypting auth+data only traffic to > let ftp_conntrack module understand the port command when a client connects to > the server using a PASV mode. > > Look at link below and search for question > Using mod_tls, FTP sessions through my firewall now no longer work. What's > going on? > > ftp_conntrack module probably do no understand the port command so it do not > open the port. No, it does not understand because you are encrypting the channel with TLS. Simple as that. ^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2008-05-27 7:49 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2008-05-26 19:24 iptables ip_conntrack_ftp + proftpd TLS: PORT command not understood Filippo Zeus
2008-05-26 19:39 ` whiplash
2008-05-26 20:00 ` Filippo Zeus
2008-05-26 20:41 ` Patrick McHardy
2008-05-27 1:14 ` Filippo Zeus
2008-05-27 7:39 ` Patrick McHardy
2008-05-27 7:46 ` Jan Engelhardt
2008-05-27 7:49 ` whiplash
2008-05-26 22:05 ` Jan Engelhardt
2008-05-26 22:32 ` Jan Engelhardt
2008-05-26 22:32 ` whiplash
2008-05-27 1:30 ` Filippo Zeus
[not found] <483B04A8.9000405@gmail.com>
2008-05-26 18:51 ` Filippo Zeus
2008-05-26 19:07 ` whiplash
2008-05-26 19:28 ` Jan Engelhardt
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox