I have just changed my ADSL router from the Speedtouch 716WL that I have been using for a year or two back to a Zyxel 660H that I had used for a while. The reason is that I no longer need the VOIP ports on the Speedtouch and its firewall is difficult to configure, Web configuration is limited and CLI configuration is arcane!
The Zyxel 660H has all the facilities I need now and the Web configuration of the firewall is comprehensive enough for my needs.
After a bit of head scratching I have got just about everything working as I want, all the machines on the LAN can see the outside world 'transparently' and some bits of the outside world can see into the LAN as follows:-
Any IP address can get to my apache server on port 80.
A (very) limited number of IP addresses can connect to my ssh server on port 22.
One outside address can get to the router's web configuration, which I have moved from the default port 80 to 50080. Very useful for fixing things from work!
However I can't get FTP into my NAS to work at all; all I get is a stony silence. I appreciate that there are several oddities about getting FTP to work and it *may* be that it just isn't possible with this router, but it would be nice if I could get it to work.
What I have done so far is:-
Ports 20 and 21 are forwarded from "any outside IP" to the NAS which has the FTP server on it.
The firewall allows ports 20 and 21 through.
I have disabled the FTP access to the router completely (i.e. as I understand it I have turned the router's FTP server off, it's for Firmware updates etc.)
No joy at all. Looking at the router's logs all I see when I try and connect is an incoming packet from the outside system which gets to the NAS and that's it. However I'm not really sure that the logging is showing me everything. By default the FTP clients are using passive mode so, as I see it, everything should be started from the client end.
Any ideas anyone as to what I might try next? Even someone saying "it isn't possible" would save me some time!
On Thu, 10 Apr 2008 14:07:15 +0100 Chris G cl@isbd.net allegedly wrote:
However I can't get FTP into my NAS to work at all; all I get is a stony silence. I appreciate that there are several oddities about getting FTP to work and it *may* be that it just isn't possible with this router, but it would be nice if I could get it to work.
What I have done so far is:-
Ports 20 and 21 are forwarded from "any outside IP" to the NAS which has the FTP server on it. The firewall allows ports 20 and 21 through. I have disabled the FTP access to the router completely (i.e. as I understand it I have turned the router's FTP server off, it's for Firmware updates etc.)
Chris
FTP is not a good protocol to use. You have to open up way too many ports for it to work reliably and port forwarding becomes a nightmare. Why not just use sftp and forward only port 22? Much more secure too.
Mick
---------------------------------------------------------------------
This is a Microsoft free zone. Please do not send me Microsoft Word Documents. For some reasons, see:
www.gnu.org/philosophy/no-word-attachments.html www.goldmark.org/netrants/no-word/attach.html ---------------------------------------------------------------------
On Thu, Apr 10, 2008 at 04:02:12PM +0100, mick wrote:
On Thu, 10 Apr 2008 14:07:15 +0100 Chris G cl@isbd.net allegedly wrote:
However I can't get FTP into my NAS to work at all; all I get is a stony silence. I appreciate that there are several oddities about getting FTP to work and it *may* be that it just isn't possible with this router, but it would be nice if I could get it to work.
What I have done so far is:-
Ports 20 and 21 are forwarded from "any outside IP" to the NAS which has the FTP server on it. The firewall allows ports 20 and 21 through. I have disabled the FTP access to the router completely (i.e. as I understand it I have turned the router's FTP server off, it's for Firmware updates etc.)
Chris
FTP is not a good protocol to use. You have to open up way too many ports for it to work reliably and port forwarding becomes a nightmare. Why not just use sftp and forward only port 22? Much more secure too.
That's what I suspect is the problem (needing too many ports and the router not being 'FTP aware').
However sftp isn't much use as it's for non-techie Windows users who occasionally want to save stuff (e.g. from cameras) while on their travels. The chances of finding sftp on an internet cafe computer are not all that great, I fear.
I suspect that providing ftp access on to my hosting provider's system may be the answer; I have 5Gb of disk allowance there. I can then copy across to the home machine at intervals or even run a nightly rsync.
Any other solutions for use from internet cafe or similar situations?
Are there any HTTP based tools which can save files from a remote client?
On Thu, Apr 10, 2008 at 4:09 PM, Chris G cl@isbd.net wrote:
Any other solutions for use from internet cafe or similar situations?
Are there any HTTP based tools which can save files from a remote client?
Google Mail? ;-)
Tim.
On Thu, Apr 10, 2008 at 04:20:56PM +0100, Tim Green wrote:
On Thu, Apr 10, 2008 at 4:09 PM, Chris G cl@isbd.net wrote:
Any other solutions for use from internet cafe or similar situations?
Are there any HTTP based tools which can save files from a remote client?
Google Mail? ;-)
Er, yes, but it won't end up on my system! :-)
On Thu, Apr 10, 2008 at 04:42:23PM +0100, Phil Ashby wrote:
On Thu, 2008-04-10 at 16:09 +0100, Chris G wrote:
Any other solutions for use from internet cafe or similar situations?
Are there any HTTP based tools which can save files from a remote client?
Browser-based file upload no good? It works for YouTube....
Yes, perfect, but I want the files to end up on my server so to do what you're suggesting I'll need to run the YouTube software. :-)
What web application (server side) can I run to provide simple file upload facilities?
On Thu, 2008-04-10 at 17:07 +0100, Chris G wrote:
On Thu, Apr 10, 2008 at 04:42:23PM +0100, Phil Ashby wrote:
Browser-based file upload no good? It works for YouTube....
Yes, perfect, but I want the files to end up on my server so to do what you're suggesting I'll need to run the YouTube software. :-)
What web application (server side) can I run to provide simple file upload facilities?
Ah, sorry Chris - I should have explained that better. Browser-based file upload has been part of HTML/HTTP for many years; there are many tutorials out there on how to handle the server end:
The RFC from 1995: http://www.ietf.org/rfc/rfc1867.txt
A couple of Perl tutorials: http://www.perlfect.com/articles/upload.shtml http://www.sitepoint.com/article/uploading-files-cgi-perl
You can easily find examples in PHP, Java, ASP...
HTH, Phil.
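The server end of the RFC 1867 browser upload Phil describes, as an added example that is not from the thread or from the tutorials he links: a small parser for the multipart/form-data body plus the checks a practitioner wants before letting travellers in internet cafes write files onto a home server. A crafted filename such as `../../.ssh/authorized_keys` must not escape the upload directory, oversized bodies are refused, and existing files are never silently overwritten. The boundary string, the request body and the 10 MB cap are constructed assumptions for illustration.

```python
"""Added example (not from the thread): the receiving side of an RFC 1867
multipart/form-data browser upload with a filename sanitiser, a size cap
and no-overwrite semantics.  Boundary, body and cap are constructed."""
import os
import pathlib
import re
import tempfile

MAX_UPLOAD_BYTES = 10 * 1024 * 1024                 # assumed per-file cap
UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")
NAME_PARAM = re.compile(r'\bname="([^"]*)"')        # \b keeps this off 'filename='
FILENAME_PARAM = re.compile(r'filename="([^"]*)"')


def parse_multipart(body: bytes, boundary: str) -> list[dict]:
    """Split a multipart/form-data body into parts of
    {"name", "filename" (None for plain fields), "data"}.
    The delimiter is CRLF "--" boundary; that CRLF belongs to the delimiter,
    not to the part data, so splitting on it leaves the data exact."""
    delim = b"\r\n--" + boundary.encode("ascii")
    parts = []
    for chunk in (b"\r\n" + body).split(delim)[1:]:   # [0] is the preamble
        if chunk.startswith(b"--"):                    # closing "--boundary--"
            break
        if not chunk.startswith(b"\r\n"):
            raise ValueError("malformed part delimiter")
        head, sep, data = chunk[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("part without blank line after headers")
        name = filename = None
        for line in head.decode("latin-1").split("\r\n"):
            if line.lower().startswith("content-disposition:"):
                m = NAME_PARAM.search(line)
                name = m.group(1) if m else None
                m = FILENAME_PARAM.search(line)
                filename = m.group(1) if m else None
        if name is None:
            raise ValueError("part without a field name")
        # Browsers send file bytes raw (no Content-Transfer-Encoding), so no decoding.
        parts.append({"name": name, "filename": filename, "data": data})
    return parts


def safe_filename(raw: str) -> str:
    """Reduce a client-supplied filename to a single safe path component:
    drop any directory part ('/' and '\\', as Windows browsers may send full
    paths), strip leading dots (no hidden or '..' names), replace anything
    outside a small charset, and bound the length."""
    leaf = raw.replace("\\", "/").split("/")[-1]
    leaf = UNSAFE_CHARS.sub("_", leaf).lstrip(".")
    return leaf[:100] or "upload"


def store_uploads(body: bytes, boundary: str, upload_dir: str) -> list[tuple[str, int]]:
    """Save every file part under upload_dir; return [(stored name, size)]."""
    root = pathlib.Path(upload_dir).resolve()
    saved = []
    for part in parse_multipart(body, boundary):
        if not part["filename"]:                      # plain field, or no file chosen
            continue
        if len(part["data"]) > MAX_UPLOAD_BYTES:
            raise ValueError(f"{part['filename']!r} exceeds {MAX_UPLOAD_BYTES} bytes")
        target = (root / safe_filename(part["filename"])).resolve()
        if target.parent != root:                     # belt and braces
            raise ValueError("upload path escaped the upload directory")
        with open(target, "xb") as fh:                # 'x': refuse to overwrite
            fh.write(part["data"])
        saved.append((target.name, len(part["data"])))
    return saved


# Constructed request body: one text field and one file whose name tries
# to climb out of the upload directory.
BOUNDARY = "----WebKitFormBoundary7MA4YWxk"
SAMPLE_BODY = (
    b"------WebKitFormBoundary7MA4YWxk\r\n"
    b'Content-Disposition: form-data; name="who"\r\n\r\n'
    b"chris\r\n"
    b"------WebKitFormBoundary7MA4YWxk\r\n"
    b'Content-Disposition: form-data; name="photo"; filename="../../.ssh/authorized_keys"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"\xff\xd8\xff\xe0 fake jpeg bytes\r\n"
    b"------WebKitFormBoundary7MA4YWxk--\r\n"
)


def demo() -> dict:
    """Run the sample body through store_uploads in a scratch directory and
    report what landed there (the file ends up as a plain 'authorized_keys'
    inside the upload directory, nowhere near ~/.ssh)."""
    scratch = tempfile.mkdtemp(prefix="upload-demo-")
    saved = store_uploads(SAMPLE_BODY, BOUNDARY, scratch)
    files = sorted(os.listdir(scratch))
    contents = {n: (pathlib.Path(scratch) / n).read_bytes() for n in files}
    return {"saved": saved, "files": files, "contents": contents}


if __name__ == "__main__":
    print(demo())
```

A real CGI or PHP handler would read the body from the request and take the boundary from the Content-Type header; the parsing and the filename rules are the same. Note that even a sanitised name is still attacker-chosen, so the upload directory should not be served as executable content by apache.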
On 10 Apr 16:02, mick wrote:
FTP is not a good protocol to use. You have to open up way too many ports for it to work reliably and port forwarding becomes a nightmare. Why not just use sftp and forward only port 22? Much more secure too.
This is why one has a decent firewall instead of a pile o' crap - nice firewalls can be configured to only open the relevant ports to the FTP session; linux firewalls have been able to do this for years (it's a bit of a godsend).
On Fri, Apr 11, 2008 at 08:14:41AM +0100, Brett Parker wrote:
On 10 Apr 16:02, mick wrote:
FTP is not a good protocol to use. You have to open up way too many ports for it to work reliably and port forwarding becomes a nightmare. Why not just use sftp and forward only port 22? Much more secure too.
This is why one has a decent firewall instead of a pile o' crap - nice firewalls can be configured to only open the relevant ports to the FTP session; linux firewalls have been able to do this for years (it's a bit of a godsend).
How does one find out what "the relevant ports" are? My firewall can certainly open specific ports in specific directions.
On Fri, 2008-04-11 at 09:26 +0100, Chris G wrote:
How does one find out what "the relevant ports" are? My firewall can certainly open specific ports in specific directions.
Well, this is where it gets messy. If you run in active mode then inbound the server only needs the control port open (21); however the client's firewall needs to be able either to use protocol inspection to determine what inbound data stream port to open in the range 49152-65535, or you are going to have to open all of them.
Passive mode tries to "solve" this problem, but all it means is that now you have the same issue but at the server end, as in passive mode the server opens a data port in the range 49152-65535 and then tells the client what it is.
So basically it is a choice: at one end you need a firewall/NAT that understands FTP and can do protocol inspection to manage the open ports, or you open 49152-65535 exclusively and even then you need to educate your clients to use the appropriate mode (and just to help things, different clients default in different ways).
Essentially it is a broken protocol as it was designed at a time when NAT didn't exist and firewalls were not commonplace. I really really would look at browser based upload.
On Fri, Apr 11, 2008 at 10:06:49AM +0100, Wayne Stallwood wrote:
On Fri, 2008-04-11 at 09:26 +0100, Chris G wrote:
How does one find out what "the relevant ports" are? My firewall can certainly open specific ports in specific directions.
Well, this is where it gets messy. If you run in active mode then inbound the server only needs the control port open (21); however the client's firewall needs to be able either to use protocol inspection to determine what inbound data stream port to open in the range 49152-65535, or you are going to have to open all of them.
Passive mode tries to "solve" this problem, but all it means is that now you have the same issue but at the server end, as in passive mode the server opens a data port in the range 49152-65535 and then tells the client what it is.
vsftpd (and presumably other FTP servers too) allows you to limit the ports used for passive. pasv_min_port / pasv_max_port are the relevant config options; you could set them such that you have a dozen or so ports available and then only have to open those up from your firewall to the FTP server from the outside world.
J.
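The negotiation Wayne describes, and the pinned passive range Jonathan suggests, as an added example that is not from the thread: FTP carries the data-connection endpoint inside the control channel (the client's PORT command in active mode, the server's 227 reply in passive mode), so a router that only forwards 20 and 21 never sees the port it has to let through. The code parses both directions, then shows what an outside client does with a passive reply from a NAS behind NAT and what an FTP-aware firewall has to rewrite. The addresses (NAS at 192.168.1.20 behind a router with public address 203.0.113.5, client at 198.51.100.7) and the forwarded range 50000-50011 are constructed assumptions.

```python
"""Added example (not from the thread): the in-band endpoint exchange in
FTP and why a plain port-forward of 20/21 is not enough behind NAT.
Addresses and the 50000-50011 range are constructed assumptions."""
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": server tells client where to connect.
PASV_REPLY = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# "PORT h1,h2,h3,h4,p1,p2": client tells server where to connect *back* to (from port 20).
PORT_CMD = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def _endpoint(groups) -> tuple[str, int]:
    """Six decimal fields -> (host, port); the port is p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("field out of range in FTP endpoint")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    m = PASV_REPLY.match(reply)
    if not m:
        raise ValueError(f"not a 227 passive-mode reply: {reply!r}")
    return _endpoint(m.groups())


def parse_port_command(line: str) -> tuple[str, int]:
    m = PORT_CMD.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    return _endpoint(m.groups())


def format_pasv_reply(host: str, port: int) -> str:
    """Server side: encode (host, port) the way the 227 reply carries it."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return f"227 Entering Passive Mode ({host.replace('.', ',')},{port // 256},{port % 256})"


def passive_problems(reply: str, server_as_dialled: str, forwarded: tuple[int, int]) -> list[str]:
    """What an outside client does with the 227 reply, and why the data
    connection then dies behind a NAT/firewall that does not speak FTP.
    server_as_dialled is the address the client used for the control
    connection (the router's public side); forwarded is the inclusive range
    of data ports the router statically forwards to the server."""
    host, port = parse_pasv_reply(reply)
    problems = []
    if host != server_as_dialled:
        # The NAS advertises its LAN address; a client that obeys the reply
        # dials 192.168.1.20 from the outside and gets nowhere.
        problems.append("advertised-address-mismatch")
    lo, hi = forwarded
    if not lo <= port <= hi:
        # Even a client that reuses the control address hits a closed port.
        problems.append("port-not-forwarded")
    return problems


def alg_rewrite_pasv(reply: str, public_ip: str) -> str:
    """The address half of what an FTP-aware NAT (an "ALG" or the Linux
    conntrack FTP helper) does to an outgoing 227 reply: substitute the
    public address.  A real helper also opens the advertised port for the
    life of the transfer; here that is stood in for by the pinned range."""
    _, port = parse_pasv_reply(reply)
    return format_pasv_reply(public_ip, port)


if __name__ == "__main__":
    raw = format_pasv_reply("192.168.1.20", 50008)          # what the NAS sends
    print(raw, "->", passive_problems(raw, "203.0.113.5", (50000, 50011)))
    fixed = alg_rewrite_pasv(raw, "203.0.113.5")            # after an FTP-aware router
    print(fixed, "->", passive_problems(fixed, "203.0.113.5", (50000, 50011)))
    print(parse_port_command("PORT 198,51,100,7,4,1"))      # active mode: server dials back here
```

This is the same parse an FTP-aware firewall does on the control channel to open the right port for the right session; without it you are left with either forwarding the whole range the server might pick or, where the server allows it, pinning that range to a dozen ports as Jonathan suggests. It also shows what to look for in a packet capture of the stalled connection: a 227 reply carrying the LAN address, or a port outside whatever the router forwards.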
On Fri, Apr 11, 2008 at 10:23:47AM +0100, Jonathan McDowell wrote:
On Fri, Apr 11, 2008 at 10:06:49AM +0100, Wayne Stallwood wrote:
On Fri, 2008-04-11 at 09:26 +0100, Chris G wrote:
How does one find out what "the relevant ports" are? My firewall can certainly open specific ports in specific directions.
Well, this is where it gets messy. If you run in active mode then inbound the server only needs the control port open (21); however the client's firewall needs to be able either to use protocol inspection to determine what inbound data stream port to open in the range 49152-65535, or you are going to have to open all of them.
Passive mode tries to "solve" this problem, but all it means is that now you have the same issue but at the server end, as in passive mode the server opens a data port in the range 49152-65535 and then tells the client what it is.
vsftpd (and presumably other FTP servers too) allows you to limit the ports used for passive. pasv_min_port / pasv_max_port are the relevant config options; you could set them such that you have a dozen or so ports available and then only have to open those up from your firewall to the FTP server from the outside world.
Unfortunately I don't have control over the FTP server either as it's built in to the NAS. It responds:-
Connected to freecom (192.168.1.20).
220 NET Disk FTP Server ready.
On Fri, 11 Apr 2008 11:22:44 +0100 Chris G cl@isbd.net allegedly wrote:
Unfortunately I don't have control over the FTP server either as it's built in to the NAS. It responds:-
Connected to freecom (192.168.1.20).
220 NET Disk FTP Server ready.
Chris
What NAS are you using? If it is a Linksys NSLU2 (and it could be from that response) then you can reflash it to run Debian and then you can do what you like with it......
Mick
On Fri, Apr 11, 2008 at 11:48:11AM +0100, mbm wrote:
On Fri, 11 Apr 2008 11:22:44 +0100 Chris G cl@isbd.net allegedly wrote:
Unfortunately I don't have control over the FTP server either as it's built in to the NAS. It responds:-
Connected to freecom (192.168.1.20).
220 NET Disk FTP Server ready.
Chris
What NAS are you using? If it is a Linksys NSLU2 (and it could be from that response) then you can reflash it to run Debian and then you can do what you like with it......
It's a Freecom NAS (hence the name).
On Fri, 11 Apr 2008 14:47:48 +0100 Chris G cl@isbd.net allegedly wrote:
It's a Freecom NAS (hence the name).
Doh! Didn't read the first line, only the second.
Mick
I forgot to add that at least in the example of wu-ftp you can specify the data ports I think.
Also, when you say your firewall can only open certain ports, what do you mean? Usually there is a list of default services which can be added to with "custom" services, which you can then use in your rules. The ZyXEL router I used to have here behaved in this way, from memory.
On Fri, Apr 11, 2008 at 10:06:49AM +0100, Wayne Stallwood wrote:
On Fri, 2008-04-11 at 09:26 +0100, Chris G wrote:
How does one find out what "the relevant ports" are? My firewall can certainly open specific ports in specific directions.
Well, this is where it gets messy. If you run in active mode then inbound the server only needs the control port open (21); however the client's firewall needs to be able either to use protocol inspection to determine what inbound data stream port to open in the range 49152-65535, or you are going to have to open all of them.
Remember I have no control at all over "the clients firewall" so that basically means that active mode is impossible (and that's why all recent command line ftp clients default to passive mode nowadays).
Passive mode tries to "solve" this problem, but all it means is that now you have the same issue but at the server end, as in passive mode the server opens a data port in the range 49152-65535 and then tells the client what it is.
So basically it is a choice: at one end you need a firewall/NAT that understands FTP and can do protocol inspection to manage the open ports, or you open 49152-65535 exclusively and even then you need to educate your clients to use the appropriate mode (and just to help things, different clients default in different ways).
Essentially it is a broken protocol as it was designed at a time when NAT didn't exist and firewalls were not commonplace. I really really would look at browser based upload.
I've installed Gallery2 which is a bit overkill for just "browser based upload" but may well be what my 'users' want anyway.