FTP problems on Core 155 - ALG FTP remove responsible?

cgil · 31 March 2021 07:15

Hi,

Since upgrading to core 155 we have timeout problems when clients connecting to our FTP server.
The FTP server is connected to a public address (running on proftpd).

ftp-connectiosn from inside our office works (listing is immediately) but when establishing a connection from outside our office just trying a listing it takes forever and then the server spits out:

Data connection to xxx.xxx.xxx.xxx:57575 timed out.
Falling back to PORT instead of PASV mode.

I tried several things, like:

proftpd: Using passive mode
proftpd: disabled DNS lookup etc.
Added passive ports to ipfire’s iptables with command:
iptables -A INPUT -p tcp -m tcp --dport 49152:65534 -j ACCEPT
Port forwarding to internal ftp-server

No change…I even installed a second proftpd server with a different Linux distro but same timeout error.

So I wonder if it’s not the remove of ALG for FTP, SIP on the latest 155 which is causing the issue ?

Thank you for your clarification and a possible solution

raffe · 1 April 2021 14:46

I had many problems with 155, so I had to downgrade to 154.

bbitsch · 1 April 2021 14:49

Which problems did you have?

cgil · 1 April 2021 15:01

I consider also to downgrade to v154 since our main ftp-server has timeout errors and it’s impossible to transfer data.
Is there an easy way to downgrade ?

raffe · 1 April 2021 15:04

Problems because of not being able to choose to use FTP, H.323, IRC, PPTP, SIP, TFTP Application Layer Gateways. Not everything is up to me, if my suppliers/work use them I also need to use until they don’t.

bbitsch · 1 April 2021 15:28

Do you surely know, that you need ALGs?
Or doesn’t your IPFire config not really allow servers on your LAN ( GREEN and ORANGE! ) ?

cgil · 1 April 2021 15:29

Right! the option to choose ALG should be there with descriptive warnings…
I’m really annoyed about this…haven’t found a solution yet for the timeouts of our ftp-server!

raffe · 1 April 2021 15:37

Yes, I know

cgil · 1 April 2021 16:04

I downgraded to v154 and our FTP-server works again…no timeout etc.
Our main ftp-server is on Orange with Public IP-address…
I only enabled FTP on the “Application Layer Gateways”, all others are OFF.
Hopefully there will be a fix to let people choose or I really need to find another solution…

bbitsch · 1 April 2021 16:06

You must find another solution, because ALGs are insecure!

raffe · 1 April 2021 16:10

As I said, we live in a real world where not everything is up to us as individuals, if our suppliers/work use them we also need to use until they don’t.

manfred_knick · 1 April 2021 16:24

@bbitsch is right - as @ms - as @pmueller - …

PLEASE, @ all blaming IPFire:

disclose your exact type of ISP connection
esp. “DS Lite” being involved is a must to mention honestly.

cgil · 1 April 2021 16:29

OK thanks…will try to setup an SFTP-server ASAP.