FTP problems on Core 155 - ALG FTP removal responsible?

Hi,

Since upgrading to Core 155 we have timeout problems when clients connect to our FTP server.
The FTP server is connected to a public address (running proftpd).

FTP connections from inside our office work (the listing is immediate), but when establishing a connection from outside our office, just trying a listing takes forever and then the server spits out:

Data connection to xxx.xxx.xxx.xxx:57575 timed out.
Falling back to PORT instead of PASV mode.

I tried several things, like:

  • proftpd: Using passive mode
  • proftpd: disabled DNS lookup etc.
  • Added passive ports to ipfire’s iptables with command:
    iptables -A INPUT -p tcp -m tcp --dport 49152:65534 -j ACCEPT
  • Port forwarding to internal ftp-server

No change… I even installed a second proftpd server with a different Linux distro, but got the same timeout error.

So I wonder if it isn't the removal of the ALG for FTP and SIP in the latest 155 that is causing the issue?

Thank you for your clarification and a possible solution.
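To show what the removed FTP ALG used to do and what has to be configured by hand without it, here is an added Python example; it is not code from this thread or from the IPFire or proftpd projects. The ALG (the kernel's conntrack helper) read the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply and opened the advertised data port on the fly. Without it, two things must hold statically: the server must advertise its public address (proftpd's `MasqueradeAddress` when the server sits behind NAT), and the whole `PassivePorts` range must be permitted by the firewall. The script decodes the reply the way a helper would and checks both conditions against a constructed public address (203.0.113.10, TEST-NET-3) and the 49152-65534 range from the iptables command above; the same decoding applies to the client's `PORT` command behind the "Falling back to PORT" message. One thing it cannot check for you: on a netfilter firewall the INPUT chain only matches packets addressed to the firewall host itself, so a rule for a server on another interface (ORANGE) belongs in FORWARD.

```python
import ipaddress
import re

# Six comma-separated decimal fields, as used by both the 227 PASV reply
# and the PORT command (RFC 959): h1,h2,h3,h4 address, port = p1*256 + p2.
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# RFC 1918 ranges; checked explicitly because ipaddress.is_private also
# flags documentation ranges such as the constructed 203.0.113.0/24 used below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def decode_hostport(text: str) -> tuple[str, int]:
    """Decode 'h1,h2,h3,h4,p1,p2' into ('a.b.c.d', port), validating both."""
    m = HOSTPORT.search(text)
    if not m:
        raise ValueError(f"no host/port tuple in {text!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    addr = ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}")  # raises on octets > 255
    port = p1 * 256 + p2
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    return str(addr), port


def encode_hostport(addr: str, port: int) -> str:
    """Inverse of decode_hostport: what a server puts into its 227 reply."""
    octets = str(ipaddress.ip_address(addr)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def parse_pasv(reply: str) -> tuple[str, int]:
    """Decode the server's 227 passive-mode reply (the text an FTP ALG inspects)."""
    if not reply.startswith("227"):
        raise ValueError(f"not a 227 reply: {reply!r}")
    return decode_hostport(reply)


def parse_port(command: str) -> tuple[str, int]:
    """Decode the client's PORT command used in active mode (the PORT fallback)."""
    if not command.upper().startswith("PORT "):
        raise ValueError(f"not a PORT command: {command!r}")
    return decode_hostport(command)


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def check_passive_reply(reply: str, public_ip: str, allowed_ports: tuple[int, int]) -> list[str]:
    """List the reasons an external client could not reach the advertised data port.

    An empty list means the endpoint is consistent with a static firewall rule
    for allowed_ports and needs no ALG to work.
    """
    addr, port = parse_pasv(reply)
    problems = []
    if is_rfc1918(addr):
        problems.append(f"server advertises private address {addr}; "
                        f"set proftpd MasqueradeAddress to {public_ip}")
    elif addr != public_ip:
        problems.append(f"server advertises {addr}, expected public address {public_ip}")
    low, high = allowed_ports
    if not low <= port <= high:
        problems.append(f"data port {port} is outside the statically allowed range "
                        f"{low}-{high}; align proftpd PassivePorts with the firewall rule")
    return problems


if __name__ == "__main__":
    PUBLIC_IP = "203.0.113.10"   # constructed public address of the FTP host
    ALLOWED = (49152, 65534)     # range from the iptables rule in the post
    samples = [  # constructed server replies
        "227 Entering Passive Mode (203,0,113,10,224,231)",  # port 57575, fine
        "227 Entering Passive Mode (192,168,10,5,224,231)",  # private address leaks out
        "227 Entering Passive Mode (203,0,113,10,4,1)",      # port 1025, outside range
    ]
    for s in samples:
        print(s, "->", check_passive_reply(s, PUBLIC_IP, ALLOWED) or ["ok"])
    print("client PORT fallback ->", parse_port("PORT 192,168,1,20,195,89"))
```

Run it against a real `227` line from the proftpd log or an `ftp -d` session; the first sample reproduces the 57575 port from the error message above, and the address check is what the ALG silently fixed for servers advertising an RFC 1918 address.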

I had many problems with 155, so I had to downgrade to 154.

Which problems did you have?

I am also considering downgrading to v154, since our main FTP server has timeout errors and it's impossible to transfer data.
Is there an easy way to downgrade?

Problems because of not being able to choose to use the FTP, H.323, IRC, PPTP, SIP and TFTP Application Layer Gateways. Not everything is up to me; if my suppliers/work use them, I also need to use them until they don't.

Are you sure that you need ALGs?
Or does your IPFire config not really allow servers on your LAN (GREEN and ORANGE!)?

Right! The option to choose an ALG should be there, with descriptive warnings…
I'm really annoyed about this… haven't found a solution yet for the timeouts of our FTP server!

Yes, I know.

I downgraded to v154 and our FTP server works again… no timeouts etc.
Our main FTP server is on ORANGE with a public IP address…
I only enabled FTP under "Application Layer Gateways"; all others are OFF.
Hopefully there will be a fix to let people choose, or I really need to find another solution…

You must find another solution, because ALGs are insecure!


As I said, we live in a real world where not everything is up to us as individuals; if our suppliers/work use them, we also need to use them until they don't.

@bbitsch is right - as @ms - as @pmueller - …

PLEASE, @ all blaming IPFire:

  • disclose your exact type of ISP connection
  • especially whether "DS-Lite" is involved; this is a must to mention honestly.

OK thanks… will try to set up an SFTP server ASAP.