[Firehol-support] Intermitent problems with ftp server
Costa Tsaousis
costa at tsaousis.gr
Sun Jun 26 09:43:02 BST 2005
Hi,
It has been reported that the FTP connection tracking module included in
some kernel versions is broken and does not match as RELATED FTP traffic
that is perfectly valid.
This is problem that can only be fixed by using a new kernel version.
Regards,
Costa
On Mon, June 20, 2005 13:53, Administrador DyR said:
> Hi all.
>
> I'm experiencing intermitent problems with our ftp servers, protected
> with FireHOL-generated firewalls.
>
> In multiple FTP clients, I get a similar log:
>
> *** CuteFTP 6.0 - build Mar 25 2004 ***
> STATUS:> Getting listing ""...
> STATUS:> Resolving host name ftpserver.example.com...
> STATUS:> Host name ftpserver.example.com resolved: ip = a.b.c.36.
> STATUS:> Connecting to FTP server ftpserver.example.com:21 (ip =
> a.b.c.36)...
> STATUS:> Socket connected. Waiting for welcome message...
> 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
> 220-You are user number 4 of 50 allowed.
> 220-Local time is now 12:12. Server port: 21.
> 220-This is a private system - No anonymous login
> 220 You will be disconnected after 15 minutes of inactivity.
> STATUS:> Connected. Authenticating...
> COMMAND:> USER my-user-name
> 331 User my-user-name OK. Password required
> COMMAND:> PASS *****
> 230-User my-user-name has group access to: mygroup
> 230 OK. Current restricted directory is /
> STATUS:> Login successful.
> COMMAND:> PWD
> 257 "/" is your current location
> STATUS:> Home directory: /
> COMMAND:> FEAT
> 211-Extensions supported:
> EPRT
> IDLE
> MDTM
> SIZE
> REST STREAM
> MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
> MLSD
> TVFS
> ESTP
> PASV
> EPSV
> SPSV
> ESTA
> AUTH TLS
> PBSZ
> PROT
> 211 End.
> STATUS:> This site supports features.
> STATUS:> This site supports SIZE.
> STATUS:> This site can resume broken downloads.
> COMMAND:> REST 0
> 350 Restarting at 0
> COMMAND:> PASV
> 227 Entering Passive Mode (a,b,c,36,174,14)
> COMMAND:> LIST
> STATUS:> Connecting FTP data socket a.b.c.36:44558...
> 150 Accepted data connection
> 226-Options: -l
> 226 125 matches total
> STATUS:> Directory listing completed.
> STATUS:> Transferring file "/index.txt"...
> COMMAND:> SIZE index.txt
> 213 77
> COMMAND:> MDTM index.txt
> 213 20041111105508
> COMMAND:> PASV
> 227 Entering Passive Mode (a,b,c,36,245,240)
> COMMAND:> RETR index.txt
> STATUS:> Connecting FTP data socket a.b.c.36:62960...
>
>
> And then, after 30 seconds, the connection times out.
>
> In the firewall log, I get the following lines related to the last
> connection attempt:
>
> Jun 20 12:12:43 ftpserver1 OUT-Internet36:IN= OUT=eth0 SRC=a.b.c.36
> DST=d.e.f.135 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=62960
> DPT=3172 WINDOW=5840 RES=0x00 ACK SYN URGP=0
> Jun 20 12:12:46 ftpserver1 IN-Internet36:IN=eth0 OUT=
> MAC=00:0a:e4:09:9f:f0:00:d0:79:7f:60:20:08:00 SRC=d.e.f.135 DST=a.b.c.36
> LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=39295 DF PROTO=TCP SPT=3172 DPT=62960
> WINDOW=16384 RES=0x00 SYN URGP=0
> Jun 20 12:12:52 ftpserver1 IN-Internet36:IN=eth0 OUT=
> MAC=00:0a:e4:09:9f:f0:00:d0:79:7f:60:20:08:00 SRC=d.e.f.135 DST=a.b.c.36
> LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=39314 DF PROTO=TCP SPT=3172 DPT=62960
> WINDOW=16384 RES=0x00 SYN URGP=0
>
> The Linux kernel in ftpserver1 is version 2.6.10, but I'm getting a
> similar behaviour in another ftp server running Linux 2.6.11.7.
>
> The servers are running Debian Sarge, with iptables 1.2.11.
>
> In the firehol.conf file, we have the following lines:
>
> interface eth0 Internet36 src not "${UNROUTABLE_IPS} a.b.c.0/24" dst
> a.b.c.36/32
> policy drop
> protection strong
> server ICMP accept
> server http accept
> server https accept
> server ftp accept
> client ident accept
>
>
>
> Thank you very much
>
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> _______________________________________________
> Firehol-support mailing list
> Firehol-support at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/firehol-support
>
More information about the Firehol-support
mailing list