FTP problems on Core 155 - ALG FTP remove responsible?

Hi,

Since upgrading to core 155 we have timeout problems when clients connecting to our FTP server.
The FTP server is connected to a public address (running on proftpd).

ftp-connectiosn from inside our office works (listing is immediately) but when establishing a connection from outside our office just trying a listing it takes forever and then the server spits out:

Data connection to xxx.xxx.xxx.xxx:57575 timed out.
Falling back to PORT instead of PASV mode.

I tried several things, like:

  • proftpd: Using passive mode
  • proftpd: disabled DNS lookup etc.
  • Added passive ports to ipfireā€™s iptables with command:
    iptables -A INPUT -p tcp -m tcp --dport 49152:65534 -j ACCEPT
  • Port forwarding to internal ftp-server

No changeā€¦I even installed a second proftpd server with a different Linux distro but same timeout error.

So I wonder if itā€™s not the remove of ALG for FTP, SIP on the latest 155 which is causing the issue ?

Thank you for your clarification and a possible solution

I had many problems with 155, so I had to downgrade to 154.

Which problems did you have?

I consider also to downgrade to v154 since our main ftp-server has timeout errors and itā€™s impossible to transfer data.
Is there an easy way to downgrade ?

Problems because of not being able to choose to use FTP, H.323, IRC, PPTP, SIP, TFTP Application Layer Gateways. Not everything is up to me, if my suppliers/work use them I also need to use until they donā€™t.

Do you surely know, that you need ALGs?
Or doesnā€™t your IPFire config not really allow servers on your LAN ( GREEN and ORANGE! ) ?

Right! the option to choose ALG should be there with descriptive warningsā€¦
Iā€™m really annoyed about thisā€¦havenā€™t found a solution yet for the timeouts of our ftp-server!

Yes, I know

I downgraded to v154 and our FTP-server works againā€¦no timeout etc.
Our main ftp-server is on Orange with Public IP-addressā€¦
I only enabled FTP on the ā€œApplication Layer Gatewaysā€, all others are OFF.
Hopefully there will be a fix to let people choose or I really need to find another solutionā€¦

You must find another solution, because ALGs are insecure!

3 Likes

As I said, we live in a real world where not everything is up to us as individuals, if our suppliers/work use them we also need to use until they donā€™t.

@bbitsch is right - as @ms - as @pmueller - ā€¦

PLEASE, @ all blaming IPFire:

  • disclose your exact type of ISP connection
  • esp. ā€œDS Liteā€ being involved is a must to mention honestly.
2 Likes

OK thanksā€¦will try to setup an SFTP-server ASAP.

1 Like

after Update from 154 to 155 i canĀ“t use ftp (passive) to a ftp-server from our vendor anymore. I have only a few firewall rules to go outside (80,443, 21) and the rest is forbidden.

In the firewall logs i can see (rule-log enabled):

09:24:20 FORWARDFW green0 TCP 192.168.0.5 63688 801.461.x.x 21(FTP)
09:24:21 DROP_FORWARD green0 TCP 192.168.0.5 63689 801.461.x.x 21314
09:24:22 DROP_FORWARD green0 TCP 192.168.0.5 63689 801.461.x.x 21314

When i enter a new firewall rule with destport ā€œanyā€ FTP works and the log contain only one line

09:26:33 FORWARDFW green0 TCP 192.168.0.5 63718 801.461.x.x 21(FTP)

I canĀ“t believe that this might an error concerning to ALG, or?

No, you need to allow connections to the high ports of this FTP server as well.

1 Like

With Core154 and befor everything worked as should - no modification in the firewall was neccessary.

Now you say i have to ā€œallow connections to the high ports of this FTP server as well.ā€.

So how might this dynamicly possible only in conjunction with outgoing ftp?

From wikipedia

Communication and data transfer

Illustration of starting a passive connection using port 21

FTP may run in active or passive mode, which determines how the data connection is established.[7] (This sense of ā€œmodeā€ is different from that of the MODE command in the FTP protocol, and corresponds to the PORT/PASV/EPSV/etc commands instead.) In both cases, the client creates a TCP control connection from a random, usually an unprivileged, port N to the FTP server command port 21.

  • In active mode, the client starts listening for incoming data connections from the server on port M. It sends the FTP command PORT M to inform the server on which port it is listening. The server then initiates a data channel to the client from its port 20, the FTP server data port.
  • In situations where the client is behind a firewall and unable to accept incoming TCP connections, passive mode may be used. In this mode, the client uses the control connection to send a PASV command to the server and then receives a server IP address and server port number from the server,[7] which the client then uses to open a data connection from an arbitrary client port to the server IP address and server port number received.[8]

So, this data connection port (21314 in your example ) must be open also. With ALG this was handled by IPFire, with ā€˜destport anyā€™ rule this special port is allowed.

2 Likes

I guess from that also if they know the IP address of the FTP server they could also create a rule to allow port 20 in from that IP to use in active mode right? Ah still needs to send out from Port M, so I think no actually lol

until now it was for me a security feature to block also outgoing ports which are not neccessary. Now - if I need ftp i have to open any (unknown range) high port(s)?

No, not every port, just port 21314, as indicated by @bbitsch