Enhancement #3165

FTP (vsftpd): add UDP port to web interface

Added by Giacomo Sanchietti over 4 years ago. Updated over 3 years ago.

Status: CLOSED
Start date: 05/14/2015
Priority: Normal
Due date: 05/14/2015
Assignee: -
% Done: 100%
Category: nethserver-vsftpd
Target version: v6.7
Resolution: WONTFIX
NEEDINFO: No

Description

Add the ability to change the TCPPort directly from the web interface.

See pull request from stephdl: https://github.com/nethesis/nethserver-vsftpd/pull/2


Related issues

Copied from NethServer 6 - Enhancement #3164: OpenVPN: add UDP port to web interface (CLOSED, 05/13/2015 to 05/14/2015)

Associated revisions

Revision 2983f214
Added by stephane de Labrusse over 4 years ago

Web UI: add TCP port. Refs #3165
- Add an input box to change TCPPort in nethgui
- Add an expandable field for advanced configuration
- Switch to the new mock standard

Revision 2aea0caf
Added by Giacomo Sanchietti about 4 years ago

Revert "Web UI: add TCP port. Refs #3165"

This reverts commit 2983f214a3036fc3718c0295877c0f09c1b33c36.

History

#1 Updated by Giacomo Sanchietti over 4 years ago

#2 Updated by Giacomo Sanchietti over 4 years ago

  • Category set to nethserver-vsftpd
  • Status changed from NEW to TRIAGED
  • Target version set to v6.6
  • % Done changed from 0 to 20

#3 Updated by Giacomo Sanchietti over 4 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#4 Updated by Giacomo Sanchietti over 4 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#5 Updated by Giacomo Sanchietti over 4 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Package in nethserver-testing:
  • nethserver-vsftpd-1.0.1-1.2.g6eac85e.ns6.noarch.rpm

Test case
  • Change the port from the web interface
  • Check the daemon listens on the new port
  • Check the service is accessible through the firewall

#6 Updated by Vasco Castelo Branco over 4 years ago

  • Assignee set to Vasco Castelo Branco
  • Start date set to 05/14/2015

#7 Updated by Vasco Castelo Branco over 4 years ago

  • Due date set to 05/14/2015
  • Assignee deleted (Vasco Castelo Branco)
  • Resolution set to REJECTED

Change the port from the web interface: OK
Check the daemon listens on the new port: OK
Check the service is accessible through the firewall: OK

The three tests were OK, but it is only possible to connect to FTP on port 21.
If the port is changed in the web interface the daemon is listening on the new port and is accessible through the firewall, but I always get the error: ECONNREFUSED - Connection refused by server

The FTP server only accepts connections on port 21.

#8 Updated by Giacomo Sanchietti over 4 years ago

  • Status changed from ON_QA to TRIAGED
  • % Done changed from 70 to 20
  • Resolution deleted (REJECTED)

The problem comes from passive mode, which uses ip_conntrack_ftp to dynamically open the firewall ports.

This is how it works (source: http://serverfault.com/questions/421161/how-to-configure-vsftpd-to-work-with-passive-mode):
  • Your client makes a connection to the vsftpd server on port 21.
  • The server responds to the client telling it which port to connect to from the range specified above.
  • The client makes a data connection on the specified port and the session continues.

But ip_conntrack_ftp works only on port 21, unless an option is passed to the kernel module at load time.

To make the port change work, the package should also unload and reload the module with the correct option (options nf_conntrack_ftp ports=21,3000).
Another possible solution is to open all ports between pasv_min_port and pasv_max_port, but I don't really like it.

#9 Updated by stephane de Labrusse over 4 years ago

Well, I suppose that my code is not at fault for this bug; maybe another bug should be opened concerning the change of port for vsftpd????

#10 Updated by Giacomo Sanchietti over 4 years ago

stephane de Labrusse wrote:

Well, I suppose that my code is not at fault for this bug; maybe another bug should be opened concerning the change of port for vsftpd????

Surely it is not a bug in your code, but any modification to the web interface should work seamlessly with the underlying system.
If we still want to change the FTP server port, I'd like to make the needed modification using this bug.

#11 Updated by stephane de Labrusse over 4 years ago

  • Assignee set to stephane de Labrusse

I would have a go at this bug.

#12 Updated by Giacomo Sanchietti over 4 years ago

stephane de Labrusse wrote:

I would have a go at this bug.

Go! :)

Maybe the simplest implementation is to reload the conntrack module with the changed port.

#13 Updated by stephane de Labrusse over 4 years ago

Well, I made many attempts last night; sometimes it doesn't work out of the box :( probably because I never looked inside the firewall adjustment of Neth. It was a good opportunity to learn some stuff.

The workable solution I found is to add (custom port is 6000)

[root@nethserver-dev ~]# cat /etc/modprobe.d/conntrack.conf
options ip_conntrack_ftp ports=21,6000

and reload with
signal-event firewall-adjust

But what about Shorewall????

Side note: we should add in the documentation that the port should be greater than 1024 and less than 65xxx if you want a custom port (maybe a custom validator: X==21 || 1024 >= X <= 65xxx)

Thoughts before I write the template :)

#14 Updated by Giacomo Sanchietti over 4 years ago

But what about Shorewall????

It's quite complex, see http://shorewall.net/FTP.html
Otherwise we can open a list of ports, but then you must enforce these ones... maybe the whole thing of custom ports is not really a good idea?

#15 Updated by stephane de Labrusse over 4 years ago

Well, I must admit the firewall is not my area of expertise, but I tried to install nethserver-firewall and I have no problem reaching the FTP server on port 6000... of course I haven't done anything more than in the post above.

Is it normal... if I add a NIC as red, can I have issues?

#16 Updated by stephane de Labrusse over 4 years ago

I tried two test configurations

eth0->green
No problem at all, you can connect with Shorewall or with iptables without more settings on port 6000

eth0->red
You can NOT connect with Shorewall except if you manually create a firewall rule in Nethgui concerning the vsftpd service for the relevant port (6000 here)

In brief it seems to work for me, and the manual rule creation seems normal to me.... Am I wrong, where could I fail?

#17 Updated by stephane de Labrusse over 4 years ago

I must add that I forgot to verify the access status of vsftpd, it was set to private

After

config setprop vsftpd access public
signal-event firewall-adjust

now I can connect with Shorewall without custom rules

When I do

[root@nethserver-dev ~]# db fwrules show
I have no rules :)

Therefore, of course I could be wrong, but for me we just need to add for iptables (6000 = custom port)

[root@nethserver-dev ~]# cat /etc/modprobe.d/conntrack.conf
options ip_conntrack_ftp ports=21,6000

It seems that, at least for vsftpd, it is workable with Shorewall.

lsd@leonardcohen:~$ ftp -p 192.168.12.193 6000
Connected to 192.168.12.193 (192.168.12.193).
220 (vsFTPd 2.2.2)
Name (192.168.12.193:lsd): stephane
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,12,193,119,3).
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 May 19 07:00 plop
drwxr-xr-x    2 ftp      ftp          4096 May 19 07:01 plopi
226 Directory send OK.

Thoughts ?

#18 Updated by stephane de Labrusse over 4 years ago

Giacomo Sanchietti wrote:

Otherwise we can open a list of ports, but then you must enforce these ones... maybe the whole thing of custom ports is not really a good idea?

Well, in my really humble opinion (I have no lessons to give, just lessons to learn) each service should be able to work on custom ports... if I want an nginx with Apache, a really secured FTP,..... and I could find a lot more examples

#19 Updated by Filippo Carletti over 4 years ago

227 Entering Passive Mode (192,168,12,193,119,3).

Could you please try active mode? It should work out of the box, but I'd prefer to have it verified. Thank you.

#20 Updated by stephane de Labrusse over 4 years ago

Filippo Carletti wrote:

227 Entering Passive Mode (192,168,12,193,119,3).

Could you please try active mode? It should work out of the box, but I'd prefer to have it verified. Thank you.

Yep, tested without problems: add 'pasv_enable=NO' to /etc/e-smith/templates/etc/vsftpd/vsftpd.conf/80listen

listen=YES 
listen_port={$vsftpd{TCPPort} || '21'}
pasv_min_port=30000
pasv_max_port=30999
+ pasv_enable=NO

After that you are in active mode (forced), but beware that in active mode your FTP client needs to allow ports > 1023 in its firewall. That is the difference from passive mode: in that mode, the server opens high ports.

If you fail to test it, please deactivate the firewall on the client side.

See http://zaman4linux.blogspot.fr/2009/10/configuring-ftp-server-using-vsftpd.html for details and troubleshooting.

Pull request done on GitHub.

#21 Updated by Giacomo Sanchietti over 4 years ago

Current implementation works correctly with lokkit both in passive and active mode (which can be selected from the client side).

But, if Shorewall is installed (nethserver-firewall-base package), the kernel module is not reloaded with the changed port.
You can check the currently loaded parameters with:

cat /sys/module/nf_conntrack_ftp/parameters/ports

We have plans to remove lokkit in the near future, so we should find a viable way for Shorewall implementation.

Current implementation is not optimal but we can merge the pull request and add a note to the manual:

  If Shorewall (nethserver-firewall-base package) is installed,
  access the FTP server using active mode if the configured port is not the default one (21).
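
The passive-mode handshake walked through in comments #8, #17 and #21, as an added example that is not code from the issue or from nethserver-vsftpd: it decodes the 227 reply captured above, checks that the advertised data port lies inside the configured pasv_min_port..pasv_max_port range, and checks whether the custom listen_port is among the control ports nf_conntrack_ftp has been told to inspect (the missing piece behind the ECONNREFUSED in comment #7). The config text and the conntrack ports value are constructed sample input; on a live box they would come from /etc/vsftpd/vsftpd.conf and /sys/module/nf_conntrack_ftp/parameters/ports.

```python
import re

# Constructed sample input, mirroring the values discussed in the thread.
# On a real host: VSFTPD_CONF <- /etc/vsftpd/vsftpd.conf,
# CONNTRACK_PORTS <- /sys/module/nf_conntrack_ftp/parameters/ports
VSFTPD_CONF = """listen=YES
listen_port=6000
pasv_min_port=30000
pasv_max_port=30999
"""
CONNTRACK_PORTS = "21,6000"
PASV_REPLY = "227 Entering Passive Mode (192,168,12,193,119,3)."

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_conf(text):
    """Return vsftpd key=value settings as a dict (blank and comment lines skipped)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def parse_pasv(reply):
    """Decode a 227 reply into (host, port); port = p1 * 256 + p2 as in RFC 959."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_passive_setup(conf_text, conntrack_ports, pasv_reply):
    """Is the advertised data port in the pasv range, and does the conntrack
    FTP helper inspect the control port so the firewall can open it?"""
    conf = parse_conf(conf_text)
    listen_port = int(conf.get("listen_port", "21"))  # vsftpd default is 21
    lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
    tracked = {int(p) for p in conntrack_ports.split(",") if p.strip()}
    _, data_port = parse_pasv(pasv_reply)
    return {
        "data_port": data_port,
        "data_port_in_range": lo <= data_port <= hi,
        "control_port_tracked": listen_port in tracked,
    }


if __name__ == "__main__":
    print(check_passive_setup(VSFTPD_CONF, CONNTRACK_PORTS, PASV_REPLY))
```

With the ports parameter still at its default of 21, control_port_tracked comes back False, which is the situation the manual note above works around by recommending active mode.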

#22 Updated by Filippo Carletti over 4 years ago

Since we're going to remove lokkit, I'd prefer to defer implementation: we will produce better and simpler code. Also, we're going to merge code we're going to remove soon.
What do you think? Active mode works on every port.

#23 Updated by stephane de Labrusse over 4 years ago

Filippo Carletti wrote:

Since we're going to remove lokkit, I'd prefer to defer implementation: we will produce better and simpler code. Also, we're going to merge code we're going to remove soon.
What do you think? Active mode works on every port.

As Giacomo noticed, the module nf_conntrack_ftp is updated at each reboot, but I failed to update it on demand.... I don't know if you can give some guidance. Obviously my code cannot be added if it is not fully workable, but that leaves something broken under the hood, because you can't change the default port, even from the command line. That's a bug.

???

#24 Updated by Giacomo Sanchietti about 4 years ago

  • Status changed from TRIAGED to NEW
  • Assignee deleted (stephane de Labrusse)
  • Target version deleted (v6.6)
  • % Done changed from 20 to 0

Since the implementation is not complete due to nf_conntrack_ftp configuration, the commit has been reverted.

There is no developer for this enhancement: the issue has been moved to NEW status and postponed.

#25 Updated by Giacomo Sanchietti over 3 years ago

  • Status changed from NEW to CLOSED
  • % Done changed from 0 to 100
  • Resolution set to WONTFIX

Leaving behind on NS 6.
Let's see for NS 7.

If needed open a bug on https://github.com/NethServer/dev/issues

#26 Updated by Giacomo Sanchietti over 3 years ago

  • Target version set to v6.7
