I have my 323 on the inside. The FTP is accessible locally, but not externally. The port forwarding has been set up but no response. I've tried using my computer on the same local IP with the computer's port 21 and no problems, so there is really nothing wrong with the port forwarding.
Is there a limit that only IPs from the same subnet 255.255.255.0 can connect? Or what else can it be?
Offline
I'd say something is wrong with your config - I've used mine like that without problems on a couple of occasions. Did you configure a default gateway on the DNS323?
Last edited by fordem (2007-05-30 15:43:10)
Offline
Yeah, that was the problem. But pasv is not working. Should I put the external IP as the gateway to get it to work like that?
Offline
Fordem, what should the default gateway address be?
creepwood, I found that if you can access your ftp from inside your network, it doesn't follow that outsiders can get in.
However, when I configured port 21, they could. I also forwarded 20 ports in a random range like we do with standard software servers. But when I use a non-standard port (other than 21), no connection is possible.
I requested tech support from D-Link (Canada). Described the problem and got a response this evening asking if I had "correctly forwarded the non-standard port". I told them in my email that I forwarded the port in the router. So, still out to lunch here.
Offline
The default gateway address is the address of ... well ... ah, your default gateway
For most of us it's going to be our broadband firewall/router, and in most cases 192.168.0.1 or 192.168.1.1. At a Windows PC that has internet access, you can go to a command prompt and type ipconfig /all and you'll see the default gateway listed in the output.
Quick TCP/IP primer - when a network host (source) needs to communicate with another network host (destination), it first determines if the destination is local or not. If it's local, the two can communicate directly. If it's not, the source needs to know how to reach the destination; if the details are not specified in the host's routing tables, it sends the data to "the default gateway", which would be a device that knows how to reach other networks, and presumably the destination host.
Most home users have what is known as a "stub" network - a network with only one connection to the outside world - the broadband router/firewall. If you don't have a typical home network, find your network administrator and ask them what the default gateway should be.
It should be noted here for completeness that broadband firewall/routers, by design, block traffic that originates on the internet, which creates the situation that houndog describes: no one from outside can get access until port 21 is forwarded. I haven't tested it personally, but non-standard ports should also be possible provided the non-standard port is forwarded correctly - for example, my D-Link firewall would allow me to forward port 2100 on the external interface to port 21 of the IP address I specify. I can choose what external ports I wish to forward to what internal port.
After the port forwarding has been configured on the router, the gateway MUST be set on the NAS, or the NAS will not know how to respond to the incoming requests.
BTW - a side effect of this is that a device without a default gateway setting can only communicate locally - so leaving the default gateway setting blank is a very effective way of securing your NAS from external access.
Last edited by fordem (2007-05-31 04:02:49)
Offline
fordem. I need to print this out and read it a few dozen times. Thank you for this. I'm a little confused. When I used server programs in Windows in the past, I would pick a port, like 10,000 and that would be the listening port, then choose in the server program a range of PASV ports, say 34000 to 34040. I would forward port 10000 and ports 34000-40 in the router and voila, success.
Just checked and my default gateway is my router address and the DNS1 address also seems to be correct.
I'm pretty much left with the concept of pasv ports. Am I missing something? My Linksys router is pretty simple and it's easy to forward ports. Does the DNS ftp program understand which ones it's supposed to use? Shadowandy seemed to think it's a problem of writing the instructions to the DNS--I guess via Linux instructions? This is way beyond my current level of knowledge. He referred me to etc/ftpaccess, if I recall correctly. I'm not sure what he meant. He has a beautiful site, but I'm still OTL.
Last edited by houndog (2007-06-01 02:47:07)
Offline
I'm not that familiar with passive ftp - pasv - I've never had the need to look at it.
Regular ftp uses two ports - 20 as the data port, and 21 as the control port - the ftp client contacts the server on port 21 and the server sends the data back on port 20. This apparently can fail because of the firewall at the client end, not recognising the server's response as belonging to an existing client session and blocking it. Passive ftp gets around this problem by using the pasv command to create a second connection to the server originating at the client end so that the firewall allows the traffic to flow.
As you have stated this requires the ftp server to be told what the control port is (10000 in your example) and a range of pasv ports provided (34000-34040) and these ports to be forwarded at the server end.
I don't know if the DNS323 supports passive ftp. I would assume not, as I don't see anywhere to specify the pasv ports, but I could be wrong on that. I have, however, forwarded port 21 to the IP address of the DNS323 and successfully transferred files from it across the internet using ftp to a Windows SBS2003 server using ftp from the command prompt, so I know that regular ftp does work.
Offline
There is a port range commented out in the ftp config file - but I don't know if the ftp program supports it.
Will have to try.
Normal setup is to forward public port (ex 2100) to private port (21) and then a range (60000-60010) forwarded to the dns box ip and then the ftp program told to use those ports on passive connections.
here is my current /etc/ftpaccess file:
```
#FTPConf=V1.04
#start
#FTProot=/mnt/HD_a2
#FTPport=21
#anonymous=no
class all real,guest,anonymous *
limit all 5 Any /etc/ftpmaxnumber
ul-dl-rate 50 all
throughput /mnt * * oo - *
timeout idle 120
timeout maxidle 120
timeout accept 120
#passive ports 0.0.0.0/0 65501 65510
pasv-allow all *
restricted-uid *
noretrieve /home/ftp
readme README* login
readme README* cwd=*
message /welcome.msg login
message .message cwd=*
compress yes all
tar yes all
chmod yes all
delete yes all
overwrite yes all
rename yes all
umask yes all
log commands real
log transfers anonymous,real inbound,outbound
```
I am gonna take out the # on the passive ports and set the range and see what happens
myk
Last edited by mykroft (2007-06-01 09:12:49)
Offline
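Added example, not part of the original posts and not D-Link's code: a small Python check that ties together the passive-mode points above by decoding the server's `227` reply and comparing it with the router's forwarded range and the `passive ports` line in `/etc/ftpaccess`. The function names, the sample reply and the 192.168.0.32 address are constructed for illustration.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SIX_NUMS = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
PASSIVE_PORTS = re.compile(r"^\s*passive\s+ports\s+\S+\s+(\d+)\s+(\d+)\s*$")

def parse_pasv(reply):
    """Decode an RFC 959 reply '227 ... (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = SIX_NUMS.search(reply) if reply.startswith("227") else None
    if not m or any(int(g) > 255 for g in m.groups()):
        raise ValueError("not a valid 227 passive reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return ipaddress.IPv4Address("%d.%d.%d.%d" % (h1, h2, h3, h4)), p1 * 256 + p2

def configured_range(ftpaccess_text):
    """Return (low, high) from an uncommented 'passive ports' line, else None."""
    for line in ftpaccess_text.splitlines():
        m = PASSIVE_PORTS.match(line)  # '#passive ports ...' does not match
        if m:
            return int(m.group(1)), int(m.group(2))
    return None

def diagnose(reply, forwarded, ftpaccess_text):
    """List reasons a passive data connection from the internet would fail."""
    ip, port = parse_pasv(reply)
    low, high = forwarded
    problems = []
    if any(ip in net for net in RFC1918):
        # Unroutable from outside unless the router or client substitutes the public IP.
        problems.append("private-address")
    if not low <= port <= high:
        problems.append("port-not-forwarded")   # router drops the data connection
    rng = configured_range(ftpaccess_text)
    if rng is None:
        problems.append("no-passive-ports")     # server may pick any port
    elif rng[0] < low or rng[1] > high:
        problems.append("range-not-forwarded")  # part of the range is unreachable
    return problems

# Constructed sample inputs (not captured from a real DNS-323).
REPLY = "227 Entering Passive Mode (192,168,0,32,255,221)"
ACTIVE = "timeout accept 120\npassive ports 0.0.0.0/0 65501 65510\npasv-allow all *\n"
COMMENTED = ACTIVE.replace("passive ports", "#passive ports")

if __name__ == "__main__":
    print(parse_pasv(REPLY))
    print(diagnose(REPLY, (65501, 65510), ACTIVE))
    print(diagnose(REPLY, (60000, 60010), COMMENTED))
```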
Interesting mykroft. I'm still a newbie in re Linux and getting into the DNS o/s. How do you do that?
It's starting to get a little more clear
Offline
You would have to edit it via a telnet connection, hence the GUI provided by Dlink does not have those options.
Offline
One way (my noob way) to edit files that are in locations that can't be seen from a Windows file/open dialog is to telnet to the box, copy the file to /mnt/HD_a2/edit_pool using the cp command in the telnet session, and then edit the file from the edit_pool location using EditPad Lite (a free Windows, Linux-friendly text editor). I then save the file to a modified name (so the original remains unmodified if I need it) and then copy the modified file back to the original location/name using a cp command via telnet.
A kludge, but works for me.
Offline
Sorry, forgot about this thread....
I will test the port forwarding options in the ftpaccess from work today.
One thing I did find out: changes to the file are lost over a reboot. I don't know if this file is generated upon bootup, or if the ftp software is looking at another file somewhere. Time to start hunting I guess.
Myk
Offline