This is an old revision of the document!


HOWTO Use the FTP Deamon in NAT Environment

The ftp deamon included in the DNS-323 with firmware before 1.04 is WU-FTPD version 2.6.2. Unfortunately, this version contains a major security issue and we can only hope that D-Link upgrades to a more recent version, i.e. a fully patched 2.6.2 would be the best.
More information about these security issues can be found at the WU-FTPD homepage

More information about the FTP deamon can me found in the manpages.

FTP Active vs Passive connections in 30 seconds

The ftp protocol uses several connections during a ftp-session. The first connection is a control channel typically served on port 21.

When a client issues a command the result of the command can be transferred to the client in two different ways, actively (PORT) and passively (PASV).

It is the client that decides which one to use, but the server can be configured to allow only one of them or both. WU-FTPD supports both active and passive.

If a client uses active (PORT) transfer the client will start to listen to a socket and send this information to the server when requesting something. The server will execute the command and connect to the client and transfer the result.

If a client uses passive (PASV) transfer the server will, for each command received, inform the client from which port it shall fetch the result. The client will then connect to this port and fetch the result - be that the contents of a directory or a transferred file. In the beginning of the ftp session, the client sends information to the server that it requires a passive connection.

When a ftp server is located behind a firewall/NAT, active (PORT) session is recommended to be used and when the client is behind a firewall/NAT passive (PASV) session is recommended. If both the client and the server is behind firewalls/NAT then you need to do some configuration in your ftp server or preferably in your smart firewall/router/NAT device.

Ports used for Passive Transfer

The ftp deamon in the DNS-323 is configured to use portrange 65501-65510 and is not made aware that it is behind a NAT. Neither is it possible to inform the ftp deamon that it's located in a NAT environment through the WEB GUI of the unit. At least not in firmware 1.01, 1.01b23, 1.02 or 1.03.

In order to make the ftp deamon available for the public there are some options. But; due to the security flaws in the current version (FW 1.01, 1.02) this cannot be recommended.

FTP from the internet

If the DNS is located on a private network connected to the internet through a router/firewall using NAT there are a few tricks that has to be done before someone can connect.

Use Your Router

First you should try to configure your router as many routers today have smart algorithms interfering with the FTP communication making sure that the FTP client connects to the correct IP and not to a local IP.

Use PORT

If the above doesn't work, try to force the client to use PORT (active) instead of PASV (passive) connections.

Modify /etc/ftpaccess

If none of the above works for you, typically when both client and server are behind firewalls/NAT, then you can always modify the configuration files. In order to do this you need telnet access to the unit, and you need to have a proper editor - unless you can handle vi.

NOTE: In firmware 1.04 there is a new ftp daemon, and the approach is different. There is a section for this further down.

Copy the file you intend to edit to /mnt/HD_a2, cp /etc/ftpaccess /mnt/HD_a2/. and edit the file from your PC with a proper editor. Don't use notepad or MS Word for this! Instead use the free Notepad++ or the commercial UltraEdit.

After the file has been copied, it will be located on the root of the first disc - which is found at \\NAS\HDD_1 or \\NAS\Volume_1 depending on firmware version.

Add the following lines to /etc/ftpaccess:

passive  address 192.168.0.200 192.168.0.0/16
passive  address 80.73.10.10 0.0.0.0/0

Where 192.168.0.200 is the local IP of the DNS-323 and 80.73.10.10 is the IP address your router has on the internet, i.e. external IP.

Please note that if you have a dynamic external IP then you need to modify this file every time you have a new exeternal IP.

Stop the FTP Server, through the WEB GUI, and copy the edited file back to /etc using cp /mnt/HD_a2/ftpaccess /etc/.. Start the ftp server again, through the WEB GUI, and voilĂ . If you reboot the DNS-323, your changes will be lost. However, if you modify the /mnt/HD_a2/.systemfile/.ftpaccess file (firmware v.1.03) your changes will persist after reboots.

Modify /mnt/HD_a2/.systemfile/.ftpaccess

NOTE: The /mnt/HD_a2/ path may depend on your disk configuration. Mine has 2 disks in RAID1/ext2 configuration.

Telnet into your DNS-323 and use vi to edit the file or issue the following command:

cp /mnt/HD_a2/.systemfile/.ftpaccess /mnt/HD_a2/ftpaccess

Using FTP, get the /Volume_1/ftpaccess file down to your computer for editing with your favorite editor (that supports Unix line-breaks). After editing, put the file back as /Volume_1/ftpaccess. Then telnet into your box and issue the following command:

mv /mnt/HD_a2/ftpaccess /mnt/HD_a2/.systemfile/.ftpaccess

If prompted, you do want to over-write the existing file.

If you screwed the file, then you can always fallback to the default file by deleting the /mnt/HD_a2/.systemfile/.ftpaccess file.

Setting external IP in pure-ftpd (firmware version 1.04)

If you have upgraded to version 1.04 and not reformatted your disks the config files mentioned above will still be present, exept for the /etc/ftpaccess. pure-ftpd has it's own config files, but I haven't been able to modify them successfully to let it use the ForcePassiveIP parameter. There is a workaround, though:

Stop the ftp server in the admin-interface. then edit your fun_plug file using vi or the copy - edit - copy back method mentioned above and add the following line:

pure-ftpd -P <your_public_ip_address> -p 65501:65510 -S ,21 -B -C 3 -I 2 -E -T 100:100
65501:65510 can be changed to whatever ports you want. The ports you set here must be forwarded in your router
-C 3 means max connections
-I 2 means two minutes idle time
-E means no anonymous users
-B means daemonize the process
-T 100:100 means bandwidth restriction for all users, 100kB up:down (use -t to only restrict anonymous users. You must then remove -E)
-S ,21 says which port it should bind to. 21 is default. Remember to use the comma in front of the port number.

You might want to add an extra parameter -A to chroot() everyone (except root), otherwise user access won't be restricted to their home directory.

To get more parameters, issue the command

pure-ftpd --help

or see the man pages for pure-ftpd on the net.

Now you are ready to restart your DNS-323. Make sure ftp in the admin interface is not running before you reboot. DO NOT start and stop the ftp server from the interface from now on. It will make your changes stop working until you reboot.

I think you should be able to use the admin interface to add users, but it seems to start/restart the pure-ftpd daemon, and then you'll have to stop the server from the admin interface and reboot the DNS-323

NOTE: There are some versions of the file pure-ftpd.conf around. Issue the command

find / -name pure-ftpd.conf

to find them all. I haven't been able to modify one with the correct parameter. It seems to be reset at reboot, and I might have the wrong parameter.


Navigation

Personal Tools