NethServer 6

Well I suppose that my code is not in fault for this bug, maybe another bug should be opened concerning the change of port for vsftpd ????

stephane de Labrusse wrote:

Well I suppose that my code is not in fault for this bug, maybe another bug should be opened concerning the change of port for vsftpd ????

Surely is not a bug in you code, but any modification to the web interface should work seamlessly with the underlying system.
If we still want to change the ftp server port, I'd like to make the needed modification using this bug.

stephane de Labrusse wrote:

I would have a go on this bug

Go! :)

Maybe the simplest implementation is to reload the conntrack module with the changed port.

well I did many attempts yesterday night, sometime it doesn't come out of the box :( probably because I never look inside the firewal adjustment of neth, it was a good opportunity to learn some stuffs

The workable solution I found is to add (custom port is 6000)

[root@nethserver-dev ~]# cat /etc/modprobe.d/conntrack.conf
 options ip_conntrack_ftp ports=21,6000

signal-event firewall-adjust

but what about with shorewall ????

side note : we should add in the documentation that the port should be superior than 1024 and inferior to 65xxx if you want to get custom port (maybe custom validator : X==21 || 1024 >= X <= 65xxx)

thoughts before i write the template :)

but what about with shorewall ????

It's quite complex, see http://shorewall.net/FTP.html
Otherwise we can open a list of ports, but then you must enforce these ones...maybe the all thing of custom port is not a really good idea?

well I must admit the firewall is not my area of expertise but I tried to install nethserver-firewall and I have no problem to reach the ftp server on the port 6000...of course I haven't done nothing more than in the post above.

Do it is normal ... if i add a nic as red can I have issues ?

I tried two configurations of tests

eth0->green
no problem at all you can connect to shorewall or to iptables without more settings on the port 6000

eth0->red
you can NOT connect to shorewall exepted if manually in Nethgui you create a firewall rule concerning the vsftpd service for the relevant port (6000 here)

In brief it seems to works for me, the manual rules creation seems normal for me....do i'm wrong, where I can fail ?

I must add that I forgot to verify the status access of vsftpd, it was set to private

after

config setprop vsftpd access public
signal-event firewall-adjust

Now I can connect to shorewall without custom rules

when I do

[root@nethserver-dev ~]# db fwrules show
I have no rules :)

therefore, of course I can be wrong but for me, we just need to add for iptables (6000 = custom port)

[root@nethserver-dev ~]# cat /etc/modprobe.d/conntrack.conf 
options ip_conntrack_ftp ports=21,6000

it seems that at least for vsftpd, it is workable with shorewall.

lsd@leonardcohen:~$ ftp -p 192.168.12.193 6000
Connected to 192.168.12.193 (192.168.12.193).
220 (vsFTPd 2.2.2)
Name (192.168.12.193:lsd): stephane
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,12,193,119,3).
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 May 19 07:00 plop
drwxr-xr-x    2 ftp      ftp          4096 May 19 07:01 plopi
226 Directory send OK.

Thoughts ?

Giacomo Sanchietti wrote:

Otherwise we can open a list of ports, but then you must enforce these ones...maybe the all thing of custom port is not a really good idea?

Well in My really humble opinion (I have no lessons to give, just lessons to learn) each service should be able to work on custom ports...if I want a nginx with apache, a really secured ftp,.....and i could find a lot of more examples

227 Entering Passive Mode (192,168,12,193,119,3).

Could you please try active mode? It should work out of the box, but I'd prefer to have it verified.Thank you.

Filippo Carletti wrote:

227 Entering Passive Mode (192,168,12,193,119,3).

Could you please try active mode? It should work out of the box, but I'd prefer to have it verified.Thank you.

yep tested without problems : add 'pasv_enable=NO' to /etc/e-smith/templates/etc/vsftpd/vsftpd.conf/80listen

listen=YES 
listen_port={$vsftpd{TCPPort} || '21'}
pasv_min_port=30000
pasv_max_port=30999
+ pasv_enable=NO

after that you are in active mode (forced) but beware that in active mode your ftp client need to allow port > 1023 in its firewall, it is the difference with the passive mode, in this former mode, the server opens hight ports

If you fail to test it, please deactivate the firewall of the client side

see http://zaman4linux.blogspot.fr/2009/10/configuring-ftp-server-using-vsftpd.html for details and troubleshooting.

pull request done in Github

Current implementation works correctly with lokkit both in passive and active mode (which can be selected from the client side).

But, if Shorewall is installed (nethserver-firewall-base package), the kernel modules is not reloaded with the changed port.
You can check current loaded parameters with:

cat /sys/module/nf_conntrack_ftp/parameters/ports

We have plans to remove lokkit in the near future, so we should find a viable way for Shorewall implementation.

Current implementation is not optimal but we can merge the pull request and add a note to the manual:

  If Shorewall (nethserver-firewall-base package) is installed, 
  access the FTP server using active mode if configured port is not the default one (21).

Since we're going to remove lokkit, I'd prefer to defer implementation: we will produce better and simpler code. Also, we're going to merge code we're going to remove soon.
What do you think? Active mode works on every port.

Filippo Carletti wrote:

Since we're going to remove lokkit, I'd prefer to defer implementation: we will produce better and simpler code. Also, we're going to merge code we're going to remove soon.
What do you think? Active mode works on every port.

Like giacomo noticed it, the module nf_conntrack_ftp is updated at each reboot, but I failed to update it on demand....I don't know if you can bring some guidances. As an evidence my code can not be added if it is not fully workable but that let's something broken under the hood because you can't change the default port, even by the command line. That's a bug.

???