FTP partially does not work

Hello all,

I don’t know if I chose the right category, but since I see the problem with the firewall rules, I chose that. But network would also fit, possibly.

I have a problem with accessing external FTP servers, for example when accessing an FTP server from Strato. I have recently updated ipfire. Previously I had the version Core 137. Now the version Core 157 is installed.

Now to my problem: I can log in to Strato with the main user from the account on the FTP server. But if I try another user (same destination, different user, different password), unfortunately it doesn’t work. However, if I tried a connection attempt with my phone so Outside the network behind the ipfire, then it works. Likewise, connecting with the credentials from a different location works as well.

I have also tried different ways. Windows explorer, WinSCP, FileZilla, cmd, debian console. It is the same everywhere. The main user works. All other users unfortunately not. Outside of my ipfire network, all paths and all users work. Since I have been using different machines and operating systems, there is a good chance it is due to updating ipfire. Even though I doubt that myself. By the way, I have also rebooted ipfire, as well as the systems I use, all once.

I installed all the updates last Friday. Until then the access always worked without problems. On the following Monday I noticed the problem for the first time.

Can you tell me what else I can/must check?

Oh yes, I have allowed the ports 20,21,22, 115, 989 and 990 outgoing. IPfire hangs directly behind the Hitron router (router functions are disabled, as well as WLAN and DHCP, I have several fixed IP’s) on a Vodafone connection (formerly Unitymedia, before that Kabel-BW).

Can someone please help me?

Thanks a lot!

Regards,
AL

Hi,

well, that IPFire machine of yours was certainly lagging behind. Glad to see it is up to date by now. :slight_smile:

Regarding FTP traffic, it might be worth mentioning we had to remove all ALGs from IPFire in Core Update 155, including that one for FTP, due to this security vulnerability:

This is strange to see. I would have expected FTP to either work always, or never, especially when talking to the same FTP server.

What do you mean exactly by “doesn’t work”? Do you observe any error messages? What’s in IPFire’s firewall logs at or around the time you try to establish the FTP connection?

I do not know any specifications of Strato’s FTP service. Are they doing passive FTP for some users (see also this thread)? Do they offer FTP encrypted in transit?

Thanks, and best regards,
Peter Müller

1 Like

Hello Peter,

thank you very much for a super fast answer!

I would have expected that too, but that was not the case…

I received the message “Authentication failed”.
Where exactly do I need to look in the logs?

I’m a whole step further: I made another phone call to Strato. The main user also has SSH access. Therefore it is possible to use sftp for this user. Then port 22 is sufficient.

All other users use ftp. There you need then port 21 to initiate the connection. Because of the passive ftp the server will send a list of ports on which the communication should take place. In my case these were 6 ports, but not as I would expect in the range 50.000+ but all 6 ports were requested in the range below 1024.

I will do a devil and open these ports for all.

What other option do I have? What is the best way to configure it in the firewall rule?

Thanks, and best regards,
AL

I think, you must use the ftp-option “passive mode” (PASV).
I had the same issue in some dev-projects after the update 155 and PASV was the magic.

I wouldn’t know where to set this on ipfire. In the FTP client I use (FileZilla, WinSCP) I configured it, but unfortunately it does not bring success.