[Firehol-support] Intermittent problems with ftp server

Administrador DyR systemlogs at dyr.es
Mon Jun 20 11:53:12 BST 2005


Hi all.

I'm experiencing intermittent problems with our ftp servers, protected
with FireHOL-generated firewalls.

In multiple FTP clients, I get a similar log:

*** CuteFTP 6.0 - build Mar 25 2004 ***
STATUS:> Getting listing ""...
STATUS:> Resolving host name ftpserver.example.com...
STATUS:> Host name ftpserver.example.com resolved: ip = a.b.c.36.
STATUS:> Connecting to FTP server ftpserver.example.com:21 (ip = a.b.c.36)...
STATUS:> Socket connected. Waiting for welcome message...
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 4 of 50 allowed.
220-Local time is now 12:12. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
STATUS:> Connected. Authenticating...
COMMAND:> USER my-user-name
331 User my-user-name OK. Password required
COMMAND:> PASS *****
230-User my-user-name has group access to: mygroup
230 OK. Current restricted directory is /
STATUS:> Login successful.
COMMAND:> PWD
257 "/" is your current location
STATUS:> Home directory: /
COMMAND:> FEAT
211-Extensions supported:
EPRT
IDLE
MDTM
SIZE
REST STREAM
MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
MLSD
TVFS
ESTP
PASV
EPSV
SPSV
ESTA
AUTH TLS
PBSZ
PROT
211 End.
STATUS:> This site supports features.
STATUS:> This site supports SIZE.
STATUS:> This site can resume broken downloads.
COMMAND:> REST 0
350 Restarting at 0
COMMAND:> PASV
227 Entering Passive Mode (a,b,c,36,174,14)
COMMAND:> LIST
STATUS:> Connecting FTP data socket a.b.c.36:44558...
150 Accepted data connection
226-Options: -l 
226 125 matches total
STATUS:> Directory listing completed.
STATUS:> Transferring file "/index.txt"...
COMMAND:> SIZE index.txt
213 77
COMMAND:> MDTM index.txt
213 20041111105508
COMMAND:> PASV
227 Entering Passive Mode (a,b,c,36,245,240)
COMMAND:> RETR index.txt
STATUS:> Connecting FTP data socket a.b.c.36:62960...


And then, after 30 seconds, the connection times out.

In the firewall log, I get the following lines related to the last
connection attempt:

Jun 20 12:12:43 ftpserver1 OUT-Internet36:IN= OUT=eth0 SRC=a.b.c.36 DST=d.e.f.135 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=62960 DPT=3172 WINDOW=5840 RES=0x00 ACK SYN URGP=0
Jun 20 12:12:46 ftpserver1 IN-Internet36:IN=eth0 OUT= MAC=00:0a:e4:09:9f:f0:00:d0:79:7f:60:20:08:00 SRC=d.e.f.135 DST=a.b.c.36 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=39295 DF PROTO=TCP SPT=3172 DPT=62960 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 20 12:12:52 ftpserver1 IN-Internet36:IN=eth0 OUT= MAC=00:0a:e4:09:9f:f0:00:d0:79:7f:60:20:08:00 SRC=d.e.f.135 DST=a.b.c.36 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=39314 DF PROTO=TCP SPT=3172 DPT=62960 WINDOW=16384 RES=0x00 SYN URGP=0

The Linux kernel in ftpserver1 is version 2.6.10, but I'm getting a
similar behaviour in another ftp server running Linux 2.6.11.7.

The servers are running Debian Sarge, with iptables 1.2.11.

In the firehol.conf file, we have the following lines:

interface eth0 Internet36 src not "${UNROUTABLE_IPS} a.b.c.0/24" dst a.b.c.36/32
        policy drop
        protection strong
        server ICMP accept
        server http accept
        server https accept
        server ftp accept
        client ident accept
Thank you very much
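The client trace ends with a PASV reply and the firewall log shows three packets, so a quick way to check whether those packets really belong to the passive data channel is to decode the 227 reply and filter the log on the resulting port. The script below is an added example, not code from the original post or from FireHOL: it computes the data port as p1*256 + p2 (which turns (245,240) into the 62960 seen in the log), parses netfilter LOG lines carrying FireHOL's IN-/OUT-<interface>: prefix, and reports which direction and TCP flags were logged for that channel. The addresses, MAC and log lines are constructed on the pattern of the post (TEST-NET ranges stand in for the anonymised a.b.c.36 and d.e.f.135). One assumption of mine, not something the thread states, is that a line carrying FireHOL's IN-/OUT- prefix is a packet that reached the interface policy without matching any accept rule.

```python
"""Correlate an FTP PASV reply with FireHOL/iptables LOG lines.

Added example for this thread, not code from the original post or from
FireHOL. Addresses and log lines are constructed (TEST-NET ranges); the
real session used the anonymised a.b.c.36 (server) and d.e.f.135 (client).
"""
import re
from collections import Counter

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> port = p1*256 + p2
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Netfilter LOG target fields. Assumption: FireHOL's "IN-<iface>:" / "OUT-<iface>:"
# prefix marks packets that reached the interface policy (no accept rule matched).
LOG_RE = re.compile(
    r"(?P<prefix>(?:IN|OUT)-\S+?):IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) .*?RES=\S+ (?P<flags>[A-Z ]*?)\s*URGP="
)


def parse_pasv(reply):
    """Return (server_ip, data_port) from a 227 reply, or None if it is not one."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if not (0 <= p1 <= 255 and 0 <= p2 <= 255):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_log_line(line):
    """Extract direction, endpoints, ports and TCP flags from one LOG line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["spt"], d["dpt"] = int(d["spt"]), int(d["dpt"])
    d["flags"] = frozenset(d["flags"].split())
    d["direction"] = "in" if d["prefix"].startswith("IN-") else "out"
    return d


def data_channel_events(log_lines, server_ip, data_port):
    """Keep only logged TCP packets whose server-side port is the PASV data port."""
    events = []
    for line in log_lines:
        p = parse_log_line(line)
        if p is None or p["proto"] != "TCP":
            continue
        to_server = p["dst"] == server_ip and p["dpt"] == data_port
        from_server = p["src"] == server_ip and p["spt"] == data_port
        if to_server or from_server:
            events.append(p)
    return events


def diagnose(pasv_reply, log_lines):
    """Summarise what the firewall logged for the data channel announced in the 227 reply."""
    parsed = parse_pasv(pasv_reply)
    if parsed is None:
        raise ValueError("not a 227 PASV reply")
    server_ip, port = parsed
    kinds = Counter()
    events = data_channel_events(log_lines, server_ip, port)
    for e in events:
        if e["direction"] == "in" and e["flags"] == {"SYN"}:
            kinds["client_syn"] += 1          # client trying to open the data channel
        elif e["direction"] == "out" and e["flags"] == {"SYN", "ACK"}:
            kinds["server_synack"] += 1       # server's reply on the data channel
        else:
            kinds["other"] += 1
    # Under the assumption above, any logged packet means the channel hit the policy.
    verdict = "reached policy" if events else "accepted"
    return {"server_ip": server_ip, "data_port": port, "verdict": verdict,
            "client_syn": kinds["client_syn"], "server_synack": kinds["server_synack"],
            "other": kinds["other"]}


# Constructed sample session mirroring the post: 192.0.2.36 is the server,
# 198.51.100.135 the client, 203.0.113.9 an unrelated host that must be ignored.
MAC = "00:00:5e:00:53:01:00:00:5e:00:53:02:08:00"  # constructed placeholder
PASV_REPLY = "227 Entering Passive Mode (192,0,2,36,245,240)"
FIREWALL_LOG = [
    f"Jun 20 12:12:40 ftpserver1 IN-Internet36:IN=eth0 OUT= MAC={MAC} SRC=203.0.113.9 DST=192.0.2.36 LEN=48 TOS=0x00 PREC=0x00 TTL=50 ID=11 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Jun 20 12:12:43 ftpserver1 OUT-Internet36:IN= OUT=eth0 SRC=192.0.2.36 DST=198.51.100.135 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=62960 DPT=3172 WINDOW=5840 RES=0x00 ACK SYN URGP=0",
    f"Jun 20 12:12:46 ftpserver1 IN-Internet36:IN=eth0 OUT= MAC={MAC} SRC=198.51.100.135 DST=192.0.2.36 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=39295 DF PROTO=TCP SPT=3172 DPT=62960 WINDOW=16384 RES=0x00 SYN URGP=0",
    f"Jun 20 12:12:52 ftpserver1 IN-Internet36:IN=eth0 OUT= MAC={MAC} SRC=198.51.100.135 DST=192.0.2.36 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=39314 DF PROTO=TCP SPT=3172 DPT=62960 WINDOW=16384 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for key, value in diagnose(PASV_REPLY, FIREWALL_LOG).items():
        print(f"{key}: {value}")
```

Run against the constructed log it reports data_port 62960 with one server SYN-ACK and two client SYNs logged for that channel, the same shape as the three lines in the post; the unrelated port-23 line is filtered out. An empty result for the data port (verdict "accepted") would instead point away from the firewall and toward the client or the path between them.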