FTP server problems

 
 
General Schvantzkopf
Guest
Posts: n/a

 
      05-31-2008, 06:46 PM
This might be a Comcast problem not a Linux problem. I've enabled a vsftp
server on a CentOS5 box. It works fine on my LAN but it doesn't work over
the Internet. I can log in to the FTP server so the port forwarding on my
Netgear router is working but I can only execute one command after I've
connected. For example if I do an ls it works the first time, if I do an
ls the second time it hangs.

Does anyone have any theories about what's happening? Is Comcast blocking
FTP?

 
 
 
 
 
david
Guest
Posts: n/a

 
      05-31-2008, 08:26 PM
On Sat, 31 May 2008 13:46:47 -0500, General Schvantzkopf rearranged some
electrons to say:

> This might be a Comcast problem not a Linux problem. I've enabled a
> vsftp server on a CentOS5 box. It works fine on my LAN but it doesn't
> work over the Internet. I can log in to the FTP server so the port
> forwarding on my Netgear router is working but I can only execute one
> command after I've connected. For example if I do an ls it works the
> first time, if I do an ls the second time it hangs.
>
> Does anyone have any theories about what's happening? Is Comcast blocking
> FTP?


They may very well be. You can listen on a non-standard port, though.
Have you set up port forwarding for the passive mode ports as well?
 
 
General Schvantzkopf
Guest
Posts: n/a

 
      05-31-2008, 08:38 PM
On Sat, 31 May 2008 20:26:38 +0000, david wrote:

> On Sat, 31 May 2008 13:46:47 -0500, General Schvantzkopf rearranged some
> electrons to say:
>
>> This might be a Comcast problem not a Linux problem. I've enabled a
>> vsftp server on a CentOS5 box. It works fine on my LAN but it doesn't
>> work over the Internet. I can log in to the FTP server so the port
>> forwarding on my Netgear router is working but I can only execute one
>> command after I've connected. For example if I do an ls it works the
>> first time, if I do an ls the second time it hangs.
>>
>> Does anyone have any theories about what's happening? Is Comcast
>> blocking FTP?

>
> They may very well be. You can listen on a non-standard port, though.
> Have you set up port forwarding for the passive mode ports as well?


I didn't have the passive mode ports set up; however, I've just added port
20 and that didn't help. When I contacted Comcast they denied blocking
FTP servers, however it's possible that the support people don't know if
they do or not. They were deliberately breaking BitTorrent until they got
caught, maybe they are breaking FTP.

Are there any other ports other than 20 and 21 which should be forwarded
from the router?
 
 
Dave Uhring
Guest
Posts: n/a

 
      05-31-2008, 10:02 PM
On Sat, 31 May 2008 15:38:07 -0500, General Schvantzkopf wrote:

> Are there any other ports other than 20 and 21 which should be forwarded
> from the router?


Yes, in passive mode most ftp servers use hi-numbered ports. vsftpd's
docs are somewhat elusive regarding _which_ ports. Try using tcpdump on
your LAN to get an idea of what range it is using.

 
 
Pascal Hambourg
Guest
Posts: n/a

 
      05-31-2008, 10:56 PM
Hello,

Dave Uhring wrote:
> On Sat, 31 May 2008 15:38:07 -0500, General Schvantzkopf wrote:
>
>>Are there any other ports other than 20 and 21 which should be forwarded
>>from the router?


Port 20 should not need to be forwarded because it is the source port of
outgoing data connections from the server in active mode. It is not used
at all in passive mode.

> Yes, in passive mode most ftp servers use hi-numbered ports. vsftpd's
> docs are somewhat elusive regarding _which_ ports.


The passive port range can be specified with options pasv_max_port and
pasv_min_port.

David: using a non-standard control port is likely to break the FTP
connection tracking in the router, unless you can specify in the
router's config that this port is used for FTP control connections.
 
 
Pascal Hambourg
Guest
Posts: n/a

 
      05-31-2008, 11:00 PM
General Schvantzkopf wrote:
> This might be a Comcast problem not a Linux problem. I've enabled a vsftp
> server on a CentOS5 box. It works fine on my LAN but it doesn't work over
> the Internet. I can log in to the FTP server so the port forwarding on my
> Netgear router is working but I can only execute one command after I've
> connected. For example if I do an ls it works the first time, if I do an
> ls the second time it hangs.


One command or one transfer? ls counts as a transfer, as it uses a data
connection.

Have you tried in passive and active mode?
 
 
Dave Uhring
Guest
Posts: n/a

 
      05-31-2008, 11:25 PM
On Sun, 01 Jun 2008 00:56:47 +0200, Pascal Hambourg wrote:
> Dave Uhring wrote:


>> Yes, in passive mode most ftp servers use hi-numbered ports. vsftpd's
>> docs are somewhat elusive regarding _which_ ports.

>
> The passive port range can be specified with options pasv_max_port and
> pasv_min_port.


OK, I found it in Debian's doc directory, generally an unlikely place to
find anything useful in Debian.

> David: using a non-standard control port is likely to break the FTP
> connection tracking in the router, unless you can specify in the
> router's config that this port is used for FTP control connections.


It should be possible to specify a range of ports to be opened and
redirected to the ftp server. It most certainly is when using OpenBSD PF.

 
 
Allen Kistler
Guest
Posts: n/a

 
      06-01-2008, 01:57 AM
General Schvantzkopf wrote:
> This might be a Comcast problem not a Linux problem. I've enabled a vsftp
> server on a CentOS5 box. It works fine on my LAN but it doesn't work over
> the Internet. I can log in to the FTP server so the port forwarding on my
> Netgear router is working but I can only execute one command after I've
> connected. For example if I do an ls it works the first time, if I do an
> ls the second time it hangs.
>
> Does anyone have any theories about what's happening? Is Comcast blocking
> FTP?


It sounds to me like your router has problems keeping track of inbound
ftp connections, although I wouldn't underestimate the possibility that
something in Comcast's infrastructure is what's having problems keeping
track of your ftp server, too. (Never attribute to malice those things
which can be explained by incompetence.)

Figuring out where the fault lies is probably going to take some
creative diagnostics. If the transfer/command is passive, is there a
way you can see packets between your modem and your router? (Probably
not if your router IS your modem.) Use something like tcpdump (ideally
on both client and server) to see how/if the data connection is
getting/failing set up. Read your router docs again to see if you've
forgotten something. Try active-only for the ftp server.

In no particular order, those are the things I'd recommend to start an
analysis.
 
 
General Schvantzkopf
Guest
Posts: n/a

 
      06-01-2008, 02:30 AM
On Sat, 31 May 2008 20:57:25 -0500, Allen Kistler wrote:

> General Schvantzkopf wrote:
>> This might be a Comcast problem not a Linux problem. I've enabled a
>> vsftp server on a CentOS5 box. It works fine on my LAN but it doesn't
>> work over the Internet. I can log in to the FTP server so the port
>> forwarding on my Netgear router is working but I can only execute one
>> command after I've connected. For example if I do an ls it works the
>> first time, if I do an ls the second time it hangs.
>>
>> Does anyone have any theories about what's happening? Is Comcast
>> blocking FTP?

>
> It sounds to me like your router has problems keeping track of inbound
> ftp connections, although I wouldn't underestimate the possibility that
> something in Comcast's infrastructure is what's having problems keeping
> track of your ftp server, too. (Never attribute to malice those things
> which can be explained by incompetence.)
>
> Figuring out where the fault lies is probably going to take some
> creative diagnostics. If the transfer/command is passive, is there a
> way you can see packets between your modem and your router? (Probably
> not if your router IS your modem.) Use something like tcpdump (ideally
> on both client and server) to see how/if the data connection is
> getting/failing set up. Read your router docs again to see if you've
> forgotten something. Try active-only for the ftp server.
>
> In no particular order, those are the things I'd recommend to start an
> analysis.


I'm pretty sure it's my router. I mentioned the wrong brand in my
original post, I said it was a Netgear, that was my old router, this one
is the Dlink DIR-655 which has known problems with FTP. I tried defining
the passive ports with the vsftp parameters pasv_max_port and
pasv_min_port. The router has two ways of doing port forwarding, Virtual
Server and explicit port forwarding. With explicit forwarding I can't
connect at all. With Virtual Server I was able to connect once and do a
couple of ls commands, when I tried a second time it disconnected me and
said Passive mode refused.

I also tried the following things with the Router,

Disable SPI
set NAT ENDPOINT FILTERING endpoint independent

Nothing seems to work, it's probably time to shitcan this router. I've
always hated it anyway, it requires a reboot after you change the
settings which is Windows-like behavior. My previous two routers, a
Linksys 802.11b router and a Netgear 802.11g router, could be
reconfigured without reboots. I bought this one because it had gigabit
ports on it and the rest of my network is gigabit. Its upload and
download speeds are faster than the old Netgear was but the router
functionality is much worse.

 
 
Pascal Hambourg
Guest
Posts: n/a

 
      06-01-2008, 10:03 AM
Dave Uhring wrote:
> On Sun, 01 Jun 2008 00:56:47 +0200, Pascal Hambourg wrote:
>
>>Dave Uhring wrote:

>
>>>Yes, in passive mode most ftp servers use hi-numbered ports. vsftpd's
>>>docs are somewhat elusive regarding _which_ ports.

>>
>>The passive port range can be specified with options pasv_max_port and
>>pasv_min_port.

>
> OK, I found it in Debian's doc directory, generally an unlikely place to
> find anything useful in Debian.


Huh? I found it in the manpage for vsftpd.conf.

>>David: using a non-standard control port is likely to break the FTP
>>connection tracking in the router, unless you can specify in the
>>router's config that this port is used for FTP control connections.

>
> It should be possible to specify a range of ports to be opened and
> redirected to the ftp server.


This may not be enough. The FTP connection tracking and NAT not only
dynamically forwards passive ports but also mangles the passive address
advertised by the server in the PASV reply over the control connection.
So unless the FTP client ignores the advertised passive address in PASV
replies or uses extended passive mode (EPSV, which does not advertise a
passive address), it is also necessary that the server advertises the
public IP address instead of its own private address (see the
'pasv_address' and 'pasv_addr_resolve' options). This can be a real pain
when vsftpd runs in standalone mode and you have a non-fixed public IP
address, because vsftpd resolves the advertised passive address only at
startup. Besides, advertising the public address is likely to break
passive mode from FTP clients on the LAN. Finally, running an FTP server
on a non-standard port may block connections from clients which are
behind a very restrictive proxy/firewall.
 
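Added example, not part of the original thread or any poster's code: a small Python check for the failure described in the last post, where the PASV reply reaching an outside client still carries the server's private address or a port the router does not forward. The function names, the 50000-50010 passive range and the sample replies are assumptions made for illustration; 203.0.113.7 is a documentation address standing in for the public IP.

```python
import ipaddress
import re

# RFC 959 PASV reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?" + ",".join([r"(\d{1,3})"] * 6))
# RFC 2428 EPSV reply: 229 ... (|||port|), carries no address at all
EPSV_RE = re.compile(r"^229 .*?\((.)\1\1(\d{1,5})\1\)")


def parse_passive_reply(line, control_peer):
    """Return the (host, port) a client will dial for the data connection.

    control_peer is the address the client used for the control connection;
    with EPSV the data connection goes to that same address.
    """
    m = PASV_RE.match(line)
    if m:
        nums = [int(g) for g in m.groups()]
        if max(nums) > 255:
            raise ValueError("octet out of range in PASV reply: %r" % line)
        return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(line)
    if m and 0 < int(m.group(2)) < 65536:
        return control_peer, int(m.group(2))
    raise ValueError("not a PASV/EPSV reply: %r" % line)


def diagnose(line, control_peer, pasv_min, pasv_max):
    """Check one reply, as seen by the client, against the router setup."""
    host, port = parse_passive_reply(line, control_peer)
    problems = []
    if host != control_peer:
        # The server announced an address other than the one the client reached.
        private = ipaddress.ip_address(host).is_private
        problems.append("private-address" if private else "address-mismatch")
    if not pasv_min <= port <= pasv_max:
        # Port lies outside the range forwarded on the router (assumed values).
        problems.append("port-not-forwarded")
    return host, port, problems


if __name__ == "__main__":
    # Constructed sample replies, not captured from the poster's server.
    for reply in ("227 Entering Passive Mode (192,168,0,10,195,80).",
                  "227 Entering Passive Mode (203,0,113,7,195,81).",
                  "229 Entering Extended Passive Mode (|||50001|)"):
        print(reply, "->", diagnose(reply, "203.0.113.7", 50000, 50010))
```

Feed it the 227 or 229 line from the FTP client's debug output on the Internet side, since that is the reply after any rewriting by the router.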
 
 
 