

HOWTO Use the FTP Daemon in a NAT Environment

The FTP daemon included in the DNS-323 is WU-FTPD version 2.6.2. Unfortunately, this version contains a major security issue, and we can only hope that D-Link upgrades to a more recent version; a fully patched 2.6.2 would be the best option.
More information about these security issues can be found at the WU-FTPD homepage.

More information about the FTP daemon can be found in the man pages.

FTP Active vs Passive connections in 30 seconds

The FTP protocol uses several connections during an FTP session. The first connection is the control channel, typically served on port 21.

When a client issues a command, the result of the command can be transferred to the client in two different ways: actively (PORT) or passively (PASV).

It is the client that decides which one to use, but the server can be configured to allow only one of them or both. WU-FTPD supports both active and passive mode.

If a client uses active (PORT) transfers, the client starts listening on a socket and sends that address and port to the server when requesting something. The server executes the command, connects back to the client and transfers the result.

If a client uses passive (PASV) transfers, the server will, for each command received, inform the client from which port it shall fetch the result. The client then connects to this port and fetches the result, be that the contents of a directory or a transferred file. At the beginning of the FTP session, the client tells the server that it requires passive connections.

When an FTP server is located behind a firewall/NAT, active (PORT) sessions are recommended, and when the client is behind a firewall/NAT, passive (PASV) sessions are recommended. If both the client and the server are behind firewalls/NAT, then you need to do some configuration in your FTP server or, preferably, in your smart firewall/router/NAT device.

Ports used for Passive Transfer

The FTP daemon in the DNS-323 is configured to use the port range 65501-65510 and is not made aware that it is behind a NAT. Nor is it possible to tell the FTP daemon through the unit's web GUI that it is located in a NAT environment, at least not in firmware 1.01, 1.01b23, 1.02 or 1.03.

There are some options for making the FTP daemon available to the public. But, due to the security flaws in the current version (FW 1.01, 1.02), this cannot be recommended.

FTP from the internet

If the DNS-323 is located on a private network connected to the internet through a router/firewall using NAT, a few tricks have to be done before someone can connect.

Use Your Router

First you should try to configure your router, as many routers today have smart algorithms that inspect and rewrite the FTP communication, making sure that the FTP client connects to the correct IP and not to a local IP.

Use PORT

If the above doesn't work, try to force the client to use PORT (active) instead of PASV (passive) connections.

Modify /etc/ftpaccess

If none of the above works for you, typically when both client and server are behind firewalls/NAT, you can always modify the configuration files. In order to do this you need telnet access to the unit, and you need a proper editor, unless you can handle vi.

Copy the file you intend to edit to /mnt/HD_a2 (cp /etc/ftpaccess /mnt/HD_a2/.) and edit the file from your PC with a proper editor. Don't use Notepad or MS Word for this! Instead use the free Notepad++ or the commercial UltraEdit.

After the file has been copied, it will be located in the root of the first disk, which is found at \\NAS\HDD_1 or \\NAS\Volume_1 depending on firmware version.

Add the following lines to /etc/ftpaccess:

passive  address 192.168.0.200 192.168.0.0/16
passive  address 80.73.10.10 0.0.0.0/0

where 192.168.0.200 is the local IP of the DNS-323 and 80.73.10.10 is the IP address your router has on the internet, i.e. the external IP.

Please note that if you have a dynamic external IP, you need to modify this file every time you get a new external IP.
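To show what the two passive address lines actually change, here is an added example (not part of this wiki page and not WU-FTPD code) that models the passive-mode exchange described above: it parses the directives, works out which address the daemon would put in its 227 reply for a given client, decodes that reply the way a client does, and flags the NAT symptom (a LAN address handed to an external client, or a data port outside the forwarded 65501-65510 range). It also rejects a file saved with Windows line endings, the usual result of editing with the wrong editor. The ftpaccess text, the client addresses and the first-match rule are assumptions for the demo; the three private ranges are RFC 1918, and the 227 format is the standard FTP reply.

```python
import ipaddress
import re

# Constructed sample of the two directives the HOWTO adds to /etc/ftpaccess,
# using the HOWTO's own example addresses.
FTPACCESS_SAMPLE = (
    "# other ftpaccess directives omitted\n"
    "passive  address 192.168.0.200 192.168.0.0/16\n"
    "passive  address 80.73.10.10 0.0.0.0/0\n"
)

# Data-port range the HOWTO says the DNS-323 daemon is configured with.
PASV_PORT_RANGE = (65501, 65510)

# RFC 1918 private ranges; an address in one of these is unreachable from outside the NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def parse_passive_addresses(text):
    """Return [(external_ip, client_network), ...] from 'passive address' lines.

    Rejects carriage returns (a file saved with Windows line endings) and
    malformed directives, which is what the wrong editor most often produces.
    """
    if "\r" in text:
        raise ValueError("ftpaccess contains CR characters; save it with Unix line endings")
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "passive" and parts[1] == "address":
            if len(parts) != 4:
                raise ValueError(f"line {lineno}: expected 'passive address <ip> <cidr>'")
            rules.append((ipaddress.ip_address(parts[2]),
                          ipaddress.ip_network(parts[3], strict=False)))
    return rules


def advertised_address(rules, client_ip, local_ip):
    """Address the daemon reports in its 227 reply to a given control-connection peer.

    Assumption (not stated on the page): the first matching CIDR wins, and with
    no match the daemon reports its own local address, as it does with no rules.
    """
    client = ipaddress.ip_address(client_ip)
    for ext_ip, net in rules:
        if client in net:
            return ext_ip
    return ipaddress.ip_address(local_ip)


def format_227(ip, port):
    """Server side: build '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        str(ip).replace(".", ","), port // 256, port % 256)


_227_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_227(reply):
    """Client side: recover (ip, port) from a 227 reply."""
    m = _227_RE.search(reply)
    if not m or not reply.startswith("227"):
        raise ValueError("not a 227 reply")
    n = [int(x) for x in m.groups()]
    return ipaddress.ip_address(".".join(str(x) for x in n[:4])), n[4] * 256 + n[5]


def pasv_problems(reply, client_ip):
    """List the reasons a client at client_ip could fail to open the data connection."""
    ip, port = parse_227(reply)
    client = ipaddress.ip_address(client_ip)
    problems = []
    if is_rfc1918(ip) and not is_rfc1918(client):
        problems.append(f"private address {ip} advertised to external client {client}")
    if not PASV_PORT_RANGE[0] <= port <= PASV_PORT_RANGE[1]:
        problems.append(f"data port {port} is outside the forwarded range {PASV_PORT_RANGE}")
    return problems


if __name__ == "__main__":
    rules = parse_passive_addresses(FTPACCESS_SAMPLE)
    # A LAN client and an external client (203.0.113.7 is a constructed documentation address).
    for peer in ("192.168.1.5", "203.0.113.7"):
        reply = format_227(advertised_address(rules, peer, "192.168.0.200"), 65501)
        print(peer, "->", reply, pasv_problems(reply, peer) or "ok")
    # Without the rules the external client is told the LAN address and cannot connect.
    print(pasv_problems(format_227(ipaddress.ip_address("192.168.0.200"), 65501), "203.0.113.7"))
```

Running it shows the LAN client being told 192.168.0.200 and the external client being told 80.73.10.10, both on port 65501; the last line reproduces the unconfigured daemon's behaviour, where the external client receives the private address. The port check is the reminder that the ftpaccess change only fixes the address: the router still has to forward 65501-65510 (and 21) to the unit.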

Stop the FTP server through the web GUI and copy the edited file back to /etc using cp /mnt/HD_a2/ftpaccess /etc/. Start the FTP server again through the web GUI, and voilà. If you reboot the DNS-323, your changes will be lost. However, if you modify the /mnt/HD_a2/.systemfile/.ftpaccess file (firmware v1.03) instead, your changes will persist across reboots.

Modify /mnt/HD_a2/.systemfile/.ftpaccess

NOTE: The /mnt/HD_a2/ path may depend on your disk configuration. Mine has 2 disks in a RAID1/ext2 configuration.

Telnet into your DNS-323 and use vi to edit the file, or issue the following command:

cp /mnt/HD_a2/.systemfile/.ftpaccess /mnt/HD_a2/ftpaccess

Using FTP, get the /Volume_1/ftpaccess file down to your computer for editing with your favorite editor (one that supports Unix line breaks). After editing, put the file back as /Volume_1/ftpaccess. Then telnet into your box and issue the following command:

mv /mnt/HD_a2/ftpaccess /mnt/HD_a2/.systemfile/.ftpaccess

If prompted, you do want to overwrite the existing file.

If you screwed up the file, you can always fall back to the default file by deleting the /mnt/HD_a2/.systemfile/.ftpaccess file.
