DSM-G600, DNS-3xx and NSA-220 Hack Forum

Unfortunately no one can be told what fun_plug is - you have to see it for yourself.


#1 2010-07-06 07:22:22

krimb1
Member
Registered: 2008-01-05
Posts: 65

vsftpd: passive mode problems

Thanks to this wonderful writeup (http://dns323.kood.org/howto:vsftpd) I've been able to set up vsftpd on my DNS-323. It works great!

The only hiccup I have is I cannot connect in passive (PASV) mode, on either FTP or FTPS. Happens on both anonymous and local logins. So I'm instead connecting with passive mode off (using PORT).

So I wonder, has anyone got PASV mode working with vsftpd? Some must be, because that's what's stated in the wiki page... (I'm connecting to the DNS on the local network, so I don't think port forwarding would be an issue.)

Thanks! :)

P.S. FWIW I had a tough time finding a Mac FTP client that actually does explicit FTPS with TLS/SSL (aka FTPeS) like FileZilla does on PC. At last I found that both Transmit 4 and latest Forklift 2 beta do it; I was using Transmit 3.6.9 until then. There are probably others out there that do too.

Last edited by krimb1 (2010-07-06 07:24:27)


#2 2010-07-06 21:07:50

uyuni
Member
From: Denmark
Registered: 2007-12-29
Posts: 31

Re: vsftpd: passive mode problems

If you connect from *outside* your LAN then you will probably find that PASV mode is indeed working - provided that you have port forwarding properly set up and the pasv_address is set correctly in the conf file.

If you have set the pasv_address to your public/external IP address then you cannot connect in PASV mode from your local LAN because your ftp client will receive the *external* IP address in the response to the PASV command. You will be able to use the PORT command locally.

If you want to test PASV mode locally (don't know how much this will test 'cause you won't test port forwarding this way) then try and put the IP address of your NAS into the pasv_address and then connect. That should work.

Does anybody know of some remote FTP test web service? This is quite a common test problem - I've had it myself on occasion.


D-Link DNS-323 firmware 1.08 + Samsung HD203WI + Samsung HD103UJ + ffp-0.5 + addons
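
Added example, not part of the original thread: a small Python diagnostic for the mismatch described in the post above, comparing the address a 227 PASV reply advertises with the address the control connection went to. The function names, verdict strings and sample addresses are constructed for illustration.

```python
import ipaddress
import re
from ftplib import FTP

# RFC 959 reply body: (h1,h2,h3,h4,p1,p2); data port = p1*256 + p2
_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _is_lan(ip):
    return any(ip in net for net in _RFC1918)

def parse_pasv_reply(reply):
    """Return (ip, port) advertised in a '227 Entering Passive Mode' reply."""
    m = _PASV_RE.search(reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a usable 227 reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in %r" % reply)
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def diagnose(server_ip, reply):
    """Compare the advertised PASV address with the control-connection address."""
    adv_ip, port = parse_pasv_reply(reply)
    adv = ipaddress.ip_address(adv_ip)
    peer = ipaddress.ip_address(server_ip)
    if adv == peer:
        verdict = "ok"
    elif _is_lan(peer) and not _is_lan(adv):
        # pasv_address holds the public IP, but the client is on the LAN
        verdict = "external-address-advertised-to-lan-client"
    elif _is_lan(adv) and not _is_lan(peer):
        # server advertises its LAN address to a client that came in via NAT
        verdict = "private-address-advertised-to-remote-client"
    else:
        verdict = "address-mismatch"
    return {"advertised": adv_ip, "port": port, "verdict": verdict}

def probe(host, user="anonymous", passwd="", port=21):
    """Live check against a server you administer (needs network access)."""
    with FTP() as ftp:
        ftp.connect(host, port, timeout=10)
        ftp.login(user, passwd)
        return diagnose(ftp.sock.getpeername()[0], ftp.sendcmd("PASV"))

if __name__ == "__main__":
    # Constructed reply: LAN client, server configured with a public pasv_address
    print(diagnose("192.168.1.50", "227 Entering Passive Mode (203,0,113,10,195,80)."))
```

The reported port is also the one that has to be reachable through any firewall or port forward between client and server.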


#3 2010-07-07 01:15:14

krimb1
Member
Registered: 2008-01-05
Posts: 65

Re: vsftpd: passive mode problems

Ah, genius! :D

Thanks for getting me on the right track -- I had no idea about the details specifying the PASV address until you explained it. PASV mode is working great now locally; haven't been able to test it yet remotely.

Though, from reading the vsftpd manual (http://vsftpd.beasts.org/vsftpd_conf.html#lbAG), it seems like if I omit the pasv_address option entirely, then it will default to whatever the server was "called as" during the connection; that way, I can have passive mode both locally and remotely without choosing one or the other.

pasv_address
Use this option to override the IP address that vsftpd will advertise in response to the PASV command. Provide a numeric IP address, unless pasv_addr_resolve is enabled, in which case you can provide a hostname which will be DNS resolved for you at startup.
Default: (none - the address is taken from the incoming connected socket)

Also, I Googled-up this remote FTP testing service (http://www.g6ftpserver.com/en/ftptest), but it seems like it's somewhat specific to *their* FTP package -- namely the part where it issues the '> CLNT' command. The connection shortly exits after that, regardless of the pasv_address settings, so I'll just have to try it myself when I'm at work tomorrow.

Thanks for all the help — this forum is great!!! :)

Last edited by krimb1 (2010-07-07 02:05:03)


#4 2010-07-07 23:52:36

uyuni
Member
From: Denmark
Registered: 2007-12-29
Posts: 31

Re: vsftpd: passive mode problems

I think the option to take the IP address from the connecting socket is a new feature added since I installed vsftpd 1-2 years back. Sounds very cool. I think I'll try it myself.

Note that many (big) companies have pretty strict firewalling so good luck with your from-work experiments.


D-Link DNS-323 firmware 1.08 + Samsung HD203WI + Samsung HD103UJ + ffp-0.5 + addons


#5 2010-07-08 02:44:16

krimb1
Member
Registered: 2008-01-05
Posts: 65

Re: vsftpd: passive mode problems

Nice! Let us know how it goes! The version I installed was the latest one available on the fonz repository, vsftpd-2.0.7-2.tgz, and it worked great.

And ya, what you say about the firewalling is definitely true.. I might have to play around with the ports PASV and PORT use somewhat in the config file I think..

FWIW, I realized something regarding the nomenclature of the port config options that I found tricky and may be of use to some people. The vsftpd manpage states:

connect_from_port_20
This controls whether PORT style data connections use port 20 (ftp-data) on the server machine. For security reasons, some clients may insist that this is the case. Conversely, disabling this option enables vsftpd to run with slightly less privilege.
Default: NO

ftp_data_port
The port from which PORT style connections originate (as long as the poorly named connect_from_port_20 is enabled).
Default: 20

Based on them referring to connect_from_port_20 as "poorly named," what I've realized is the flag "connect_from_port_20" might be better termed as "privileged_PORT_enable" or something — what it really does is enable PORT to be run as root, i.e. a privileged user. The *default* port for PORT is 20, that's all; it's perfectly valid to set the flags e.g. to

connect_from_port_20=YES
ftp_data_port=100

and have it run PORT commands from 100 as a *privileged* user. Another helpful explanation of the vsftpd flag is here.

The reason this may be useful is according to this explanation running ports as root might help with some clients that expect root for security reasons. This might be an option for me if say port 20 isn't blocked at work, but the other ports that I used for PASV are.

I'll cross my fingers. ;)

Last edited by krimb1 (2010-07-08 02:48:14)


#6 2010-07-13 19:15:42

uyuni
Member
From: Denmark
Registered: 2007-12-29
Posts: 31

Re: vsftpd: passive mode problems

Hmm, it didn't work as sweet as I had hoped with pasv_addr_resolve=YES. It does exactly what is stated in the man page: a DNS lookup will be made of the hostname you give in the pasv_address. So vsftpd does not look at the IP address of the connecting socket.


D-Link DNS-323 firmware 1.08 + Samsung HD203WI + Samsung HD103UJ + ffp-0.5 + addons
