Enhancement #3165
FTP (vsftpd): add UDP port to web interface
Status: | CLOSED | Start date: | 05/14/2015
---|---|---|---
Priority: | Normal | Due date: | 05/14/2015
Assignee: | - | % Done: | 100%
Category: | nethserver-vsftpd | |
Target version: | v6.7 | |
Resolution: | WONTFIX | NEEDINFO: | No
Description
Add the ability to change the TCPPort directly from the web interface.
See pull request from stephdl: https://github.com/nethesis/nethserver-vsftpd/pull/2
Related issues
Associated revisions
Web UI: add TCP port. Refs #3165
- Add an input box to change TCPPort in nethgui
- Add an expandable field for advanced configuration
- Switch to the new mock standard
Revert "Web UI: add TCP port. Refs #3165"
This reverts commit 2983f214a3036fc3718c0295877c0f09c1b33c36.
History
#1 Updated by Giacomo Sanchietti about 6 years ago
- Copied from Enhancement #3164: OpenVPN: add UDP port to web interface added
#2 Updated by Giacomo Sanchietti about 6 years ago
- Category set to nethserver-vsftpd
- Status changed from NEW to TRIAGED
- Target version set to v6.6
- % Done changed from 0 to 20
#3 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#4 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#5 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-vsftpd-1.0.1-1.2.g6eac85e.ns6.noarch.rpm
- Change the port from the web interface
- Check the daemon listen to new port
- Check the service is accessible through the firewall
#6 Updated by Vasco Castelo Branco about 6 years ago
- Assignee set to Vasco Castelo Branco
- Start date set to 05/14/2015
#7 Updated by Vasco Castelo Branco about 6 years ago
- Due date set to 05/14/2015
- Assignee deleted (Vasco Castelo Branco)
- Resolution set to REJECTED
Change the port from the web interface OK
Check the daemon listen to new port OK
Check the service is accessible through the firewall OK
The three tests were OK, but it is only possible to connect to ftp on port 21.
If the port is changed in the web interface the daemon is listening on the new port and is accessible through the firewall, but I always have the error: ECONNREFUSED - Connection refused by server
The FTP server only accepts connections on port 21.
#8 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from ON_QA to TRIAGED
- % Done changed from 70 to 20
- Resolution deleted (REJECTED)
The problem comes from the passive mode which uses ip_conntrack_ftp to dynamically open the firewall ports.
This is how it works (source: http://serverfault.com/questions/421161/how-to-configure-vsftpd-to-work-with-passive-mode):
- Your client makes a connection to the vsftpd server on port 21.
- The server responds to the client telling it which port to connect to from the range specified above.
- The client makes a data connection on the specified port and the session continues.
But ip_conntrack_ftp works only on port 21, unless an option is passed to the kernel module at load time.
To make the port change work, the package should also unload and reload the module with the correct option (options nf_conntrack_ftp ports=21,3000).
Another possible solution is to open all ports between pasv_min_port and pasv_max_port, but I don't really like it.
#9 Updated by stephane de Labrusse about 6 years ago
Well I suppose that my code is not at fault for this bug, maybe another bug should be opened concerning the change of port for vsftpd ????
#10 Updated by Giacomo Sanchietti about 6 years ago
stephane de Labrusse wrote:
Well I suppose that my code is not at fault for this bug, maybe another bug should be opened concerning the change of port for vsftpd ????
Surely it is not a bug in your code, but any modification to the web interface should work seamlessly with the underlying system.
If we still want to change the ftp server port, I'd like to make the needed modifications using this bug.
#11 Updated by stephane de Labrusse about 6 years ago
- Assignee set to stephane de Labrusse
I would have a go on this bug
#12 Updated by Giacomo Sanchietti about 6 years ago
stephane de Labrusse wrote:
I would have a go on this bug
Go! :)
Maybe the simplest implementation is to reload the conntrack module with the changed port.
#13 Updated by stephane de Labrusse about 6 years ago
well I did many attempts yesterday night, sometimes it doesn't come out of the box :( probably because I never looked inside the firewall adjustment of neth, it was a good opportunity to learn some stuff
The workable solution I found is to add (custom port is 6000)
[root@nethserver-dev ~]# cat /etc/modprobe.d/conntrack.conf
options ip_conntrack_ftp ports=21,6000
and reload with
signal-event firewall-adjust
but what about with shorewall ????
side note : we should add in the documentation that the port should be greater than 1024 and less than 65xxx if you want to get a custom port (maybe custom validator : X==21 || 1024 >= X <= 65xxx)
thoughts before i write the template :)
#14 Updated by Giacomo Sanchietti about 6 years ago
but what about with shorewall ????
It's quite complex, see http://shorewall.net/FTP.html
Otherwise we can open a list of ports, but then you must enforce these ones...maybe the all thing of custom port is not a really good idea?
#15 Updated by stephane de Labrusse about 6 years ago
well I must admit the firewall is not my area of expertise but I tried to install nethserver-firewall and I have no problem reaching the ftp server on port 6000...of course I haven't done anything more than in the post above.
Is it normal ... if I add a nic as red can I have issues ?
#16 Updated by stephane de Labrusse about 6 years ago
I tried two test configurations
eth0->green
no problem at all, you can connect to shorewall or to iptables without more settings on port 6000
eth0->red
you can NOT connect to shorewall except if you manually create a firewall rule in Nethgui concerning the vsftpd service for the relevant port (6000 here)
In brief it seems to work for me, the manual rule creation seems normal to me....am I wrong, where could I fail ?
#17 Updated by stephane de Labrusse about 6 years ago
I must add that I forgot to verify the status access of vsftpd, it was set to private
after
config setprop vsftpd access public
signal-event firewall-adjust
Now I can connect to shorewall without custom rules
when I do
[root@nethserver-dev ~]# db fwrules show
I have no rules :)
therefore, of course I can be wrong but for me, we just need to add for iptables (6000 = custom port)
[root@nethserver-dev ~]# cat /etc/modprobe.d/conntrack.conf
options ip_conntrack_ftp ports=21,6000
it seems that at least for vsftpd, it is workable with shorewall.
lsd@leonardcohen:~$ ftp -p 192.168.12.193 6000
Connected to 192.168.12.193 (192.168.12.193).
220 (vsFTPd 2.2.2)
Name (192.168.12.193:lsd): stephane
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,12,193,119,3).
150 Here comes the directory listing.
drwxr-xr-x 2 ftp ftp 4096 May 19 07:00 plop
drwxr-xr-x 2 ftp ftp 4096 May 19 07:01 plopi
226 Directory send OK.
Thoughts ?
#18 Updated by stephane de Labrusse about 6 years ago
Giacomo Sanchietti wrote:
Otherwise we can open a list of ports, but then you must enforce these ones...maybe the all thing of custom port is not a really good idea?
Well in my really humble opinion (I have no lessons to give, just lessons to learn) each service should be able to work on custom ports...if I want an nginx with apache, a really secured ftp,.....and I could find a lot more examples
#19 Updated by Filippo Carletti about 6 years ago
227 Entering Passive Mode (192,168,12,193,119,3).
Could you please try active mode? It should work out of the box, but I'd prefer to have it verified. Thank you.
#20 Updated by stephane de Labrusse about 6 years ago
Filippo Carletti wrote:
227 Entering Passive Mode (192,168,12,193,119,3).
Could you please try active mode? It should work out of the box, but I'd prefer to have it verified. Thank you.
yep tested without problems : add 'pasv_enable=NO' to /etc/e-smith/templates/etc/vsftpd/vsftpd.conf/80listen
listen=YES
listen_port={$vsftpd{TCPPort} || '21'}
pasv_min_port=30000
pasv_max_port=30999
+ pasv_enable=NO
after that you are in active mode (forced) but beware that in active mode your ftp client needs to allow ports > 1023 in its firewall, it is the difference with the passive mode, in this former mode the server opens high ports
If you fail to test it, please deactivate the firewall of the client side
see http://zaman4linux.blogspot.fr/2009/10/configuring-ftp-server-using-vsftpd.html for details and troubleshooting.
pull request done in Github
#21 Updated by Giacomo Sanchietti about 6 years ago
Current implementation works correctly with lokkit both in passive and active mode (which can be selected from the client side).
But, if Shorewall is installed (nethserver-firewall-base package), the kernel module is not reloaded with the changed port.
You can check current loaded parameters with:
cat /sys/module/nf_conntrack_ftp/parameters/ports
We have plans to remove lokkit in the near future, so we should find a viable way for Shorewall implementation.
Current implementation is not optimal but we can merge the pull request and add a note to the manual:
If Shorewall (nethserver-firewall-base package) is installed, access the FTP server using active mode if configured port is not the default one (21).
#22 Updated by Filippo Carletti about 6 years ago
Since we're going to remove lokkit, I'd prefer to defer implementation: we will produce better and simpler code. Also, we're going to merge code we're going to remove soon.
What do you think? Active mode works on every port.
#23 Updated by stephane de Labrusse about 6 years ago
Filippo Carletti wrote:
Since we're going to remove lokkit, I'd prefer to defer implementation: we will produce better and simpler code. Also, we're going to merge code we're going to remove soon.
What do you think? Active mode works on every port.
As Giacomo noticed, the module nf_conntrack_ftp is updated at each reboot, but I failed to update it on demand....I don't know if you can bring some guidance. As evidence, my code cannot be added if it is not fully workable, but that leaves something broken under the hood because you can't change the default port, even by the command line. That's a bug.
???
#24 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from TRIAGED to NEW
- Assignee deleted (stephane de Labrusse)
- Target version deleted (v6.6)
- % Done changed from 20 to 0
Since the implementation is not complete due to nf_conntrack_ftp configuration, the commit has been reverted.
There is no developer for this enhancement: the issue has been moved to NEW status and postponed.
#25 Updated by Giacomo Sanchietti about 5 years ago
- Status changed from NEW to CLOSED
- % Done changed from 0 to 100
- Resolution set to WONTFIX
Leaving behind on NS 6.
Let's see for NS 7.
If needed open a bug on https://github.com/NethServer/dev/issues
#26 Updated by Giacomo Sanchietti about 5 years ago
- Target version set to v6.7