Gentoo Forums
Pureftp questions
Reply to topic    Gentoo Forums Forum Index Networking & Security
Jamesbch
Apprentice
Joined: 30 Sep 2007
Posts: 185

PostPosted: Mon Mar 10, 2008 7:15 pm    Post subject: Pureftp questions

Hello,

1/ I installed Pureftp on my Gentoo a moment ago and I searched a lot for how to set a bigger user limit. The limit is 1 user and I tried the -C and -c options, but it doesn't work. Here is my /etc/conf.d/pure-ftpd file:

Quote:
Server ~ # cat /etc/conf.d/pure-ftpd
# Config file for /etc/init.d/pure-ftpd
## Comment variables out to disable their features, or change the values in them... ##

## This variable must be uncommented in order for the server to start ##
IS_CONFIGURED="yes"

#...
SERVER="-S 21"

## Number of simultaneous connections in total, and per IP ##
MAX_CONN="-c 50"
MAX_CONN_IP="-C 50"

## Start daemonized in background ##
DAEMON="-B"

## Don't allow uploads if the partition is fuller than this value ##
DISK_FULL="-k 98%"

## If your FTP server is behind a NAT box, uncomment this ##
#USE_NAT="-N"

## Authentication mechanisms (others are 'pam', ...) ##
## Further infos can be found in the README file.
AUTH="-l mysql:/etc/conf.d/pure-ftpd-mysql"

## Idle timeout in minutes (the original line had a stray quote: "-I 30'") ##
TIMEOUT="-I 30"

#LOG="-f <facility>"
# CHARCONV="--fscharset <charset>"

# UPLOADSCRIPT="/path/to/uploadscript"

## Misc. Others ##
MISC_OTHER="50 -A -E -x -j -R -Z -p 49658:49659"
#....


So I use the special Gentoo configuration file for Pureftp. Everything is working except this user limit. Any idea how to fix it?
(version : PureFTP 1.0.21-r1)

2/ My second question is which ports Pureftp uses in active mode (so the client can connect in passive mode). I opened ports 20 and 21 in iptables but it gets stuck at the directory listing (FileZilla, gFTP, etc.), whereas with the command-line ftp client it works perfectly! This problem happens on Linux and Windows too.

Thank you in advance and excuse me for my bad English.


Last edited by Jamesbch on Sun Mar 16, 2008 9:29 pm; edited 1 time in total
KayZee
Apprentice
Joined: 15 Oct 2003
Posts: 202
Location: Arlington, VA

PostPosted: Sun Mar 16, 2008 2:56 pm

For your second question, try adding -b to MISC_OTHER

Quote:
'-b': Ignore parts of RFC standards in order to deal with some totally
broken FTP clients, or broken firewalls/NAT boxes.


I had to do this in order to get Internet Explorer to list any files.
Jamesbch
Apprentice
Joined: 30 Sep 2007
Posts: 185

PostPosted: Sun Mar 16, 2008 9:34 pm

Thank you KayZee, it works like a charm! 2/ Solved (So all FTP clients are broken except the original `ftp` client?)

Any idea about 1/ ?
KayZee
Apprentice
Joined: 15 Oct 2003
Posts: 202
Location: Arlington, VA

PostPosted: Mon Mar 17, 2008 2:10 pm

I have not had problems with connection limits. The only suggestions I can offer for troubleshooting are

1.) Remove -p 49658:49659 from MISC_OTHER. Did you add that for troubleshooting the file display issue? It may be causing some unexpected behavior.

2.) Any firewalls limiting connections?
Jamesbch
Apprentice
Joined: 30 Sep 2007
Posts: 185

PostPosted: Mon Mar 17, 2008 11:52 pm

1/ You are right! The -p option was limiting the number of users! It's working now and I thank you very much for your help.
2/ But now it doesn't work after FTP clients have done a LIST:

Quote:
Command : PASV
Answer : 227 Entering Passive Mode (xxx,xxx,x,x,49,108)
Command : LIST


My iptables rules accept what I decided (ports: 20, 21, 22) and reject everything else. So when I disable iptables the FTP works fine.
Here is what I found with tcptrack:

Quote:
# Before LIST (xxx.xxx.x.x = server ; xxx.xxx.x.y = client)
Client Server State Idle A Speed
xxx.xxx.x.y:2395 xxx.xxx.x.x:22 ESTABLISHED 0s 11 KB/s
xxx.xxx.x.y:2517 xxx.xxx.x.x:21 ESTABLISHED 5s 0 B/s

# After LIST (iptable disabled)

Client Server State Idle A Speed
xxx.xxx.x.y:2395 xxx.xxx.x.x:22 ESTABLISHED 0s * 11 KB/s
xxx.xxx.x.y:2520 xxx.xxx.x.x:61934 CLOSED 1s 379 B/s
xxx.xxx.x.y:2517 xxx.xxx.x.x:21 ESTABLISHED 1s 365 B/s

# Second LIST (iptable disabled)

Client Server State Idle A Speed
xxx.xxx.x.y:2395 xxx.xxx.x.x:22 ESTABLISHED 0s * 11 KB/s
xxx.xxx.x.y:2521 xxx.xxx.x.x:25308 CLOSED 1s 4 KB/s
xxx.xxx.x.y:2517 xxx.xxx.x.x:21 ESTABLISHED 1s 367 B/s


So it seems that a connection is opened on a random port on the client and the server. (So iptables blocks it because it's a random port.)
What can I do about that?

Anyway, thank you very much KayZee.
KayZee
Apprentice
Joined: 15 Oct 2003
Posts: 202
Location: Arlington, VA

PostPosted: Tue Mar 18, 2008 1:52 pm

Port 22 is usually for ssh. Not sure why an ftp client would be opening that port.

What does your MISC_OTHER look like now? I note that in an earlier post you had this

Code:

## Misc. Others ##
MISC_OTHER="50 -A -E -x -j -R -Z -p 49658:49659"


The "50" makes no sense to pureftpd on this line. I am guessing you have removed -p by now and added -b.

You may want to look at the documentation for pureftpd where a lot of options are described.

http://download.pureftpd.org/pub/pure-ftpd/doc/README
Jamesbch
Apprentice
Joined: 30 Sep 2007
Posts: 185

PostPosted: Tue Mar 18, 2008 5:15 pm

Here is mine now:
MISC_OTHER="-A -E -x -j -R -Z -b"

I think that 50 was the number of clients for -c, but I removed it now. The -b is there and -p is removed.
Port 22 is my ssh, as you said. Port 21 is open and works, but a random port is opened every time the client asks for LIST, so the firewall blocks it.
What can I do? I think the problem is the ports, not the configuration of Pureftp, isn't it?
KayZee
Apprentice
Joined: 15 Oct 2003
Posts: 202
Location: Arlington, VA

PostPosted: Tue Mar 18, 2008 5:26 pm

It does seem like a firewall issue now and not pureftpd. You will have to look through your firewall rules.
Jamesbch
Apprentice
Joined: 30 Sep 2007
Posts: 185

PostPosted: Wed Mar 19, 2008 4:56 pm

Here is my configuration. I block what is not accepted here.

Quote:
# file to feed to iptables, then run iptables-save afterwards
# Generated by iptables-save v1.3.5 on Fri Aug 17 05:04:14 2007
*filter
:INPUT ACCEPT [1440477:246610776]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [785488:82184803]
# Completed on Fri Aug 17 05:04:14 2007

# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

# ftp / webserver related
-A INPUT -p tcp --dport 20 -j ACCEPT
-A INPUT -p tcp --dport 21 -j ACCEPT
# SSH
-A OUTPUT -p tcp --dport 22 -j ACCEPT
# ftp passive (transfer) removed ...
#-A OUTPUT -p tcp --dport 49658:49659 -j ACCEPT

#-A INPUT -p tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --sport 80 -j DROP
# BITO: up to 5 Bit-torrent connections
-A INPUT -p tcp --dport 50199:50200 -j ACCEPT
-A INPUT -p udp --dport 50199:50200 -j ACCEPT

# apache2
-A INPUT -p tcp --dport 6680 -j ACCEPT

# port DNS 53
-A INPUT -p udp --dport 53 -j ACCEPT

# reject everything else
#-A INPUT -j REJECT --reject-with icmp-port-unreachable
#-A OUTPUT -j ACCEPT
-A INPUT -j DROP

COMMIT


Any idea ? What must I add to this file ?
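The passive-mode problem in this thread, as an added example (not code from the thread or from pure-ftpd): it decodes a 227 reply like the one the client quoted, checks whether the resulting data port would pass a firewall that only opens fixed ports plus a `-p lo:hi` range, and produces the INPUT-chain rule such a range needs (the commented-out rule in the ruleset above was on OUTPUT, which an incoming data connection never matches). The PASV reply and port numbers used are constructed sample values.

```python
import re
from typing import List, NamedTuple, Optional, Set, Tuple

# Added example for the passive-FTP firewall problem in this thread; not
# code from pure-ftpd or the forum. Sample values used are constructed.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class PasvEndpoint(NamedTuple):
    host: str
    port: int


def parse_pasv(reply: str) -> PasvEndpoint:
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'.
    Data port = p1*256 + p2, so the thread's (...,49,108) is 12652."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return PasvEndpoint(f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)


def parse_port_range(spec: str) -> Tuple[int, int]:
    """Parse pure-ftpd's '-p lo:hi' passive-port range argument."""
    lo, hi = (int(x) for x in spec.split(":"))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad passive range: {spec}")
    return lo, hi


def firewall_allows(port: int, open_tcp: Set[int],
                    passive: Optional[Tuple[int, int]]) -> bool:
    """Would an inbound data connection to `port` pass a ruleset that
    accepts only the fixed TCP ports in `open_tcp` plus the -p range?"""
    if port in open_tcp:
        return True
    return passive is not None and passive[0] <= port <= passive[1]


def input_rules_for_passive(spec: str) -> List[str]:
    """iptables-save line accepting the passive range on INPUT; the thread's
    commented-out rule was on OUTPUT with --dport, which never matches a
    data connection coming in to the server."""
    lo, hi = parse_port_range(spec)
    return [f"-A INPUT -p tcp --dport {lo}:{hi} -m state --state NEW -j ACCEPT"]
```

Alternatively, with the kernel's FTP connection-tracking helper (nf_conntrack_ftp) loaded, the existing RELATED,ESTABLISHED rule matches passive data connections without opening a fixed range.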
All times are GMT