Hi everyone,
I've been able, with some help, to manage quite a lot with my new DNS-323 so far.
But sadly I've still got a major problem, which I know exactly how to solve, but not where or by what means.
I've got my DNS-323 behind a router, so to access my NAS from the web I need to forward the FTP port to the IP address of my NAS.
So far, so good. That's no problem, since that's basic knowledge and has nothing to do with Linux.
The connection is established, but it ends at the attempt to list files/folders in passive mode, since I have to allow certain ports through my router for passive mode use.
To avoid that problem I could simply establish a connection in active mode, some would say.
But if the connecting user is behind a router too, the NAS gives an error, since it only wants to establish the connection with the user's WAN IP and not the LAN IP.
So if the connecting user is directly connected to his modem, without a router, the active method is an option.
But since I personally know no one who has such a setup, I am dependent on using passive mode.
In every FTP server I have configured so far, there has always been the option to define certain ports which the server should use for passive connections.
But I am totally missing this option in the built-in FTP daemon.
I've tried to manually edit the ftpd config file in /etc/, but it doesn't have any effect.
So to summarize my problem: I need to specify ports for passive mode use, which I can then allow through my router.
Hope someone can help me with that issue or give me a quick howto for installing another FTP daemon which is more configurable.
Thanks,
Mikro
Last edited by Mikromann (2008-12-13 00:39:33)
I'm one of those who say active mode is an option - even when the client is behind a NAT router - and the reason why I say this, and keep on saying it, is because I have done it several times, and keep on doing it.
I've done it with my DNS-323 behind a Linksys BEFSR41 and the client behind a Cisco SOHO91.
I've done it with my DNS-323 behind a Netgear WNR2000 and the client behind a Dynex (Best Buy's house brand) Wireless-G router, which was at the time the absolute cheapest wireless router I could find.
I've done it with my DNS-323 behind a Netgear FVS12G and the client behind whatever the hotel I happened to be in at the time was using.
In short it really does not matter to me where I am or what router I have been behind on any given day, I have been able to use active ftp to access (both upload & download) my DNS-323 behind whatever router I was using on the given day.
Log of my FTP client:
[R] 500 I won't open a connection to 192.168.1.100 (only to xx.66.56.171)
where 192.168.1.100 is my LAN IP and the other is the WAN IP.
This is reproducible by any of my friends who tried it, with multiple clients.
edit1:
Alright, active works, but only if you use the standard port 21.
Since I hadn't set it to 21, the error occurred.
But it is still only a temporary solution, because I prefer PASV mode.
edit2:
Now that I've set the FTP port to 21, passive mode is working properly too.
So the problem is already solved, although I must still say that it's more like a workaround.
Last edited by Mikromann (2008-12-13 01:34:08)
Mikromann wrote:
Log of my FTP client:
[R] 500 I won't open a connection to 192.168.1.100 (only to xx.66.56.171)
where 192.168.1.100 is my LAN IP and the other is the WAN IP.
This is reproducible by any of my friends who tried it, with multiple clients.
Let's assume, for the sake of discussion, that you could define a range of passive ports. It would NOT solve your problem, because the problem as defined by the error message is related to the IP address. The problem here is that the FTP server has asked the FTP client to open a data channel to a different IP address, which your client is refusing to do; this has nothing to do with the port itself.
Even if your client were willing to connect to a different IP address, the address provided is a private IP address which you could not make a connection to anyway. Some FTP clients will include that information in the error message, referring to it as a "non-routeable" address, which is a poor choice of wording: private address ranges are routable.
edit1:
Alright, active works, but only if you use the standard port 21.
Since I hadn't set it to 21, the error occurred.
But it is still only a temporary solution, because I prefer PASV mode.
You're entitled to your preferences, but as you can see active mode does work even when the client is behind a NAT router, which is the point I was making. You may, depending on the particular NAT router at the client end, also be able to get active mode to work on a non-standard port, provided you can tell the router what port you're using for FTP so that it knows how to deal with the incoming request to establish the data channel.
edit2:
Now that I've set the FTP port to 21, passive mode is working properly too.
So the problem is already solved, although I must still say that it's more like a workaround.
Are you sure? Because if you haven't (a) resolved the IP address issue outlined in the error message or (b) forwarded the necessary ports to the DNS-323, passive won't work, it can't work. Perhaps your client tries passive and when that fails tries active, which works.
On the issue of preferences, I'd like to point out one thing ...
I can do active FTP with one single port (21) forwarded to my FTP server for the control channel; all other required connections and openings in the firewalls are automatically set up and torn down at the end of the transfer. Compare this to passive, where I need to forward a port for the control channel PLUS a range of ports for the data channel, and these ports remain open as long as my FTP server hardware is online. Every additional port forwarded through the firewall is another opening for someone to potentially exploit. Does that make passive FTP inherently less secure than active? How much of a risk it really is may depend on the range of ports that you select and the operating system running on your FTP server. What are your thoughts?
I *think* Fordem has been lucky and has only tried active mode with the client behind a 'smart' router. I have seen active mode fail with one router and succeed with another, on the same broadband connection.
Some routers recognize the use of port 21, and will accept incoming connections on any port when coming from the same IP.
This is the reason why Mikromann only succeeds when using port 21. You can have a look in your router to see if you can define a 'trigger port', to use the same trick for another port.
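A worked model of the two mechanisms the replies above describe: fordem's point that an FTP endpoint refuses a data-channel address that differs from the control connection's peer (the "500 I won't open a connection to ..." line in the log), and Mijzelf's point that many consumer routers only treat a control connection to port 21 as FTP and only then rewrite the address in PORT and open a pinhole for the data connection. This is an added example, not code from the thread, the DNS-323 ftpd, fun_plug or any router firmware. The addresses (192.168.1.100 for the LAN client, 203.0.113.171 standing in for the masked WAN address in the log), the data port 1025 and the non-standard control port 2121 are constructed; the ALG model keeps the same port number on the WAN side for simplicity, where real routers often allocate a fresh one.

```python
"""Model of the FTP data-channel address check and of a router's port-21 FTP ALG.
Added illustration for the thread; not code from the DNS-323 ftpd, fun_plug or
any router firmware. All addresses and ports below are constructed."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 959 host-port notation used by PORT and by the 227 reply:
# h1,h2,h3,h4,p1,p2 where the TCP port is p1*256 + p2.
_HP = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _HP + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\(" + _HP + r"\)")


def _decode(groups) -> Tuple[str, int]:
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("host-port field out of range")
    port = vals[4] * 256 + vals[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return ".".join(str(v) for v in vals[:4]), port


def encode_hostport(ip: str, port: int) -> str:
    """Inverse of _decode: ('203.0.113.171', 1025) -> '203,0,113,171,4,1'."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return f"{ip.replace('.', ',')},{port // 256},{port % 256}"


def parse_port_command(line: str) -> Tuple[str, int]:
    """Active mode: the client names the address the server must connect back to."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _decode(m.groups())


def parse_pasv_reply(line: str) -> Tuple[str, int]:
    """Passive mode: the server names the address the client must connect to."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    return _decode(m.groups())


def check_data_endpoint(announced_ip: str, control_peer_ip: str) -> Optional[str]:
    """The check behind '500 I won't open a connection to X (only to Y)'.

    Whichever side is asked to open the data connection (the server after PORT,
    the client after 227) compares the announced address with the peer of the
    control connection. Accepting an arbitrary third-party address would let a
    remote party use the endpoint as a port scanner or relay (the classic FTP
    bounce problem), so a sane implementation refuses. Returns None if the
    address is acceptable, otherwise the refusal text.
    """
    if announced_ip != control_peer_ip:
        return f"500 I won't open a connection to {announced_ip} (only to {control_peer_ip})"
    return None


@dataclass
class Pinhole:
    """Temporary inbound NAT mapping the ALG opens for one expected data connection."""
    wan_ip: str
    wan_port: int
    lan_ip: str
    lan_port: int


def alg_rewrite_port(line: str, control_dst_port: int, wan_ip: str) -> Tuple[str, Optional[Pinhole]]:
    """Simplified client-side router ALG, modelled on the behaviour the thread describes.

    Only a control connection to TCP/21 is treated as FTP: the private address in
    PORT is rewritten to the WAN address and a pinhole is opened for the server's
    incoming data connection. On any other control port the command passes
    through untouched, so the server sees the client's private LAN address.
    Assumption for simplicity: WAN port == LAN port (real ALGs often pick a fresh one).
    """
    if control_dst_port != 21:
        return line, None
    lan_ip, lan_port = parse_port_command(line)
    hole = Pinhole(wan_ip, lan_port, lan_ip, lan_port)
    return f"PORT {encode_hostport(wan_ip, lan_port)}", hole


def simulate_active_mode(client_lan_ip: str, client_wan_ip: str,
                         data_port: int, control_dst_port: int) -> Optional[str]:
    """Client behind NAT -> router ALG -> server check. Returns the refusal text or None."""
    cmd = f"PORT {encode_hostport(client_lan_ip, data_port)}"
    cmd, _hole = alg_rewrite_port(cmd, control_dst_port, client_wan_ip)
    announced_ip, _ = parse_port_command(cmd)
    # From the server's point of view the control connection comes from the WAN address.
    return check_data_endpoint(announced_ip, client_wan_ip)


if __name__ == "__main__":
    # Constructed values; 203.0.113.171 stands in for the masked WAN address in the log.
    print(simulate_active_mode("192.168.1.100", "203.0.113.171", 1025, 2121))  # refused
    print(simulate_active_mode("192.168.1.100", "203.0.113.171", 1025, 21))    # None
```

Running the two simulations reproduces the two observations in the thread: on the non-standard control port the PORT command reaches the server with the private address intact and is refused with the same 500 text as the log, while on port 21 the modelled ALG rewrites it to the WAN address and the check passes. The same `check_data_endpoint` applied to the address parsed from a 227 reply shows why a passive range alone does not help when the server announces an address the client will not accept.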
Mijzelf wrote:
Some routers recognize the use of port 21, and will accept incoming connections on any port when coming from the same IP.
Yup, that's exactly it. Only because I set the port to the standard FTP port does the router open up some ports alongside port 21 for PASV use.
fordem wrote:
edit2:
Now that I've set the FTP port to 21, passive mode is working properly too.
So the problem is already solved, although I must still say that it's more like a workaround.
Are you sure? Because if you haven't (a) resolved the IP address issue outlined in the error message or (b) forwarded the necessary ports to the DNS-323, passive won't work, it can't work. Perhaps your client tries passive and when that fails tries active, which works.
Yes, I am perfectly sure. And no, it doesn't switch over to active mode.
Before setting the port to 21 I tried PASV over and over again. After 3 failed PASV connects it automatically tried active/PORT mode and told me about that.
And this time it definitely is PASV!
fordem wrote:
Let's assume, for the sake of discussion, that you could define a range of passive ports. It would NOT solve your problem, because the problem as defined by the error message is related to the IP address. The problem here is that the FTP server has asked the FTP client to open a data channel to a different IP address, which your client is refusing to do; this has nothing to do with the port itself.
Even if your client were willing to connect to a different IP address, the address provided is a private IP address which you could not make a connection to anyway. Some FTP clients will include that information in the error message, referring to it as a "non-routeable" address, which is a poor choice of wording: private address ranges are routable.
As I already pointed out: it would work if the connecting user weren't behind a router, since there wouldn't be a private IP then.
Directly connected to the modem, he would only have a WAN IP.
So with the router it goes
private (NAS) --> WAN (Router1) --> WAN (Router2) --> private (connecting user)
And since the NAS only wants to work with one IP address, which is initially the one from Router2, it simply refuses the second one (private or not doesn't matter) coming from the PC behind the router.
The problem, or to some the solution, is the "smart" router which actually does more than it is configured to, and maybe even more than it is supposed to.
In my case it automatically opens up new ports, because it is programmed to know port 21 and its FTP features.
As for my active mode problem, I would suggest an error in NATing correctly, since I should normally never be confronted with someone else's private IP address.
But whatever the argument is, and no matter if we ever come to the same point, I definitely have to thank you, fordem, because I probably would never have changed the port to 21 if you hadn't answered me.
Mikro