FTP over Internet problem NSA210

Oxnas 810 based
Mijzelf
Posts: 6197
Joined: Mon Jun 16, 2008 10:45 am

Re: FTP over Internet problem NSA210

Post by Mijzelf » Sun Dec 30, 2012 8:41 pm

nathanas wrote: I managed to connect through Internet and transferred a movie with 3.5MB/s which means it's using my internal IP for data. Somehow it sees that it's a device connected to my router.
Not really. You are accessing the FTP server via your public IP address. But this router supports 'nat loopback', which means it just 'injects' the data to its WAN port, where it's handled normally.
The lower speed is because the data passes the router twice (from LAN to WAN, and back), and the router is not the fastest one around. (Well, it does its job, and it can handle a 20Mbps connection, but it has not enough juice to handle nat loopback on 15MB/sec (=300Mbps))

nicklarry
Posts: 16
Joined: Mon Feb 11, 2013 6:26 pm

Post by nicklarry » Tue Feb 12, 2013 9:51 am

If someone could help me plz.... I've made the above script with vi and my current ip (which is not static, but it won't change as long as I don't restart my connection, which means it'll be the same for months) , I've put it in the correct dir and made it executable ok, named it ftpserver.sh . Port forwarding seems to be working for every other program I've setup so it's unlikely that's the root of the problem. Now, I've seen that I've no /var/zyxel/pure-ftpd.arg file here. The problem right now is that I can still connect to the ftp server locally but it can't be reached from outside at all. So, I assume that the script is not doing anything for me atm for some reason. Any help is appreciated, thx!

Post by Mijzelf » Tue Feb 12, 2013 10:39 am

nicklarry wrote: I've seen that I've no /var/zyxel/pure-ftpd.arg file here.
In that case this fix cannot work of course. Which firmware are you running? What is the output of

Code: Select all

ps | grep ftp

Post by nicklarry » Tue Feb 12, 2013 3:49 pm

I'm on fw V4.40(AFD.1). I get no output at all from that command, just returns to command prompt - thx for helping me btw :)

edit: just saw that there's 4.40(afd.2) available, is it important that I upgrade to it?
Last edited by nicklarry on Tue Feb 12, 2013 6:52 pm, edited 2 times in total.

Post by Mijzelf » Tue Feb 12, 2013 5:48 pm

nicklarry wrote: I'm on fw V4.40(AFD.1). I get no output at all from that command, just returns to command prompt
In that case I suppose you are running FFP? Try

Code: Select all

ps -A | grep ftp

nicklarry wrote: edit: just saw that there's 4.40(afd.2) available, is it important that I upgrade to it?
Don't think so. There is not much difference between those two. Only some bugfixes and minor updates. But it seems you are running a different FTP server.

Post by nicklarry » Tue Feb 12, 2013 6:53 pm

I issued "ps -A | grep ftp" and returned "16799 ? 00:00:01 pure-ftpd" , yes ffp is running. But I'm just using the built-in ftp server, does ffp change anything silently about ftp?

Post by Mijzelf » Tue Feb 12, 2013 8:06 pm

No, FFP leaves the firmware functions alone.

So your box is running pure-ftpd, which is the one for which that script is intended. Did you create your FFP stick before you updated the firmware to 4.40? In that case you might be running it chrooted, which could mean that /var/zyxel is not the same one which is seen by the firmware.

Post by nicklarry » Wed Feb 13, 2013 5:29 am

I installed ffp via the built-in package method not by stick (dunno if that's important, I suppose not) and it was after the firmware update, I haven't put another fw since.

Post by Mijzelf » Wed Feb 13, 2013 9:02 am

nicklarry wrote: (dunno if that's important, I suppose not)
Indeed. AFAICS it's not relevant.

But that means your box should just work as the others. What are the contents of your /usr/local/sbin/vsftpd_start_silent.sh?

Post by nicklarry » Wed Feb 13, 2013 12:23 pm

the content is:

#!/bin/sh

# zylogger
# source 17: built-in service
# priority 5: notice
# facility 17: built-in service
#
# Detailed information is in zylog-1.0/zylog.h

# This script may be called from ZySH watchdog and
# may not check if FTPd is already running, so
# FTPd should be killed here.

/bin/killall -9 pure-ftpd

PS=`/bin/ps | /bin/grep pure-ftpd | /bin/grep -v grep`

# test if "$PS" is non-null
while [ -n "$PS" ]
do
    sleep 1
    PS=`/bin/ps | /bin/grep pure-ftpd | /bin/grep -v grep`
done

EDIT:

restarted the NAS and checked again /var/zyxel/ and pure-ftpd.arg is there (?!?) - here's what it contains:

sh-4.1# ls /var/zyxel/
myzone_rule pure-ftpd.arg vsftpd.conf zysh
sh-4.1# vi /var/zyxel/pure-ftpd.arg
-A -B -b -D -H -M -l pam -R -U 000:000 -S 9059 -L 200000:5 -8 utf-8 -9 utf-8 -c

I tried again to connect , but no luck, local connection works - the same as before really. Any ideas? Again thx :)

Post by Mijzelf » Wed Feb 13, 2013 1:30 pm

I miss some lines in your vsftpd_start_silent.sh:

Code: Select all

if [ -x /usr/local/sbin/pure-ftpd ] ; then
  /bin/nice -n 20 /usr/local/sbin/pure-ftpd `cat /var/zyxel/pure-ftpd.arg`
fi
This is the actual startline, the rest is the killing of a currently running ftp server. Here the contents of /var/zyxel/pure-ftpd.arg is used as commandline arg for pure-ftpd.

Code: Select all

sh-4.1# vi /var/zyxel/pure-ftpd.arg
 -A -B -b -D -H -M -l pam -R -U 000:000 -S 9059 -L 200000:5 -8 utf-8 -9 utf-8 -c
You can just use 'cat' or 'less' to list files. vi is a bit overpowered.

Anyway, I don't see a '-P <PUBLICIP>' in this line, so either the script didn't run, or there is a bug in it. What happens if you do

Code: Select all

cat /var/zyxel/pure-ftpd.arg
/usr/local/zy-pkgs/etc/init.d/ftpserver.sh
cat /var/zyxel/pure-ftpd.arg

Post by nicklarry » Wed Feb 13, 2013 4:04 pm

"cat /var/zyxel/pure-ftpd.arg" gives:
-A -B -b -D -H -M -l pam -R -U 000:000 -S 9059 -L 200000:5 -8 utf-8 -9 utf-8 -c 5 -C 5 -I 15 -p 9060:9069

"/usr/local/zy-pkgs/etc/init.d/ftpserver.sh" returns nothing - back to prompt and entering "cat /var/zyxel/pure-ftpd.arg" again returns the very same output as before. Here's what "cat /usr/local/zy-pkgs/etc/init.d/ftpserver.sh" returns

#!/bin/sh
#This script disables all LAN FTP connections & enables only Internet ones
#NAS isn't configured to address the public ip but only internal.
#That's why I use this script, so I can access the FTP from everywhere.

# Change in your public IP, or dyndns domain
PUBLICIP=*.*.*.*
Background()
{
    sleep 60

    # Add public ip to the line
    local CURARGS=`cat /var/zyxel/pure-ftpd.arg`
    # Skip if the option is already there (-F: fixed string, -e: pattern starts with a dash)
    if echo "$CURARGS" | grep -qF -e "-P $PUBLICIP"
    then
        exit 0
    fi

    echo "$CURARGS -P $PUBLICIP" >/var/zyxel/pure-ftpd.arg

    # restart pure-ftpd
    /usr/local/sbin/vsftpd_start_silent.sh
}

Background &

EDIT:

deleted and recreated ftpserver.sh restarted the ftp service, ran ftpservice.sh by hand and after a few seconds the output of "cat /var/zyxel/pure-ftpd.arg" is:
-A -B -b -D -H -M -l pam -R -U 000:000 -S 9059 -L 200000:5 -8 utf-8 -9 utf-8 -c 5 -C 5 -I 15 -p 9060:9069 -P *.*.*.*

tried to connect, but the behaviour is the same - ok for local, no good from internet. Disabling/reenabling the ftp server resets "pure-ftpd.arg" to

-A -B -b -D -H -M -l pam -R -U 000:000 -S 9059 -L 200000:5 -8 utf-8 -9 utf-8 -c 5 -C 5 -I 15

which I think is normal

ls -l ftpserver.sh returns:

-rwxr-xr-x 1 root root 618 Feb 13 16:01 /usr/local/zy-pkgs/etc/init.d/ftpserver.sh

which I think is ok for executable, but it really won't start at startup or for some reason it doesn't modify "pure-ftpd.arg" as it should until I run it by hand.
Last edited by nicklarry on Wed Feb 13, 2013 6:55 pm, edited 2 times in total.

Post by Mijzelf » Wed Feb 13, 2013 6:27 pm

nicklarry wrote: -A -B -b -D -H -M -l pam -R -U 000:000 -S 9059 -L 200000:5 -8 utf-8 -9 utf-8 -c 5 -C 5 -I 15 -p 9060:9069 -P a.b.c.d
Looks as it should

nicklarry wrote: tried to connect, but the behaviour is the same - ok for local, no good from internet
Do you have a log from that?

nicklarry wrote: Disabling/reenabling the ftp server resets "pure-ftpd.arg"
Yeah. I think I have a fix for that, but let's first find out why the base doesn't work for you.

nicklarry wrote: it really won't start at startup or for some reason it doesn't modify "pure-ftpd.arg"
You can add a line

Code: Select all

echo "$0 runs" >/tmp/ftpfix
to see if it really doesn't run.

BTW, you might want to hide your public IP address in your post.

Post by nicklarry » Wed Feb 13, 2013 6:32 pm

ftp log - trying to connect from outside:

Status: Connecting to *.*.*.*:9059...
Error: Connection timed out
Error: Could not connect to server
Status: Waiting to retry...
Status: Connecting to *.*.*.*:9059...
Error: Connection timed out
Error: Could not connect to server

local ftp is successfully connected, but I can't get the dir listing which didn't happen before all those changes. Here's the log:

Status: Connecting to *.*.*.*:9059...
Status: Connection established, waiting for welcome message...
Response: 220---------- Welcome to Pure-FTPd [TLS] ----------
Response: 220-You are user number 1 of 5 allowed.
Response: 220-Local time is now 20:35. Server port: 9059.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: USER anonymous
Response: 331 Any password will work
Command: PASS **************
Response: 230 Any password will work
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Extensions supported:
Response: EPRT
Response: IDLE
Response: MDTM
Response: SIZE
Response: REST STREAM
Response: MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response: MLSD
Response: TVFS
Response: ESTP
Response: PASV
Response: EPSV
Response: SPSV
Response: 211 End.
Status: Server does not support non-ASCII characters.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (*,*,*,*,35,100)
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing



Where should I add the ftpfix line? Should I just issue it in the command line? I tried that and just returned to prompt, but I guess I should be adding it somewhere instead?

Thx for pointing out my ip is visible - ouch! :)

Post by Mijzelf » Wed Feb 13, 2013 6:45 pm

nicklarry wrote: ftp log - trying to connect from outside:
Is that really from the outside? In that case port forwarding has failed. Or are you accessing from inside on your outside ip address? In that case your router doesn't support NAT loopback (or it isn't enabled).

nicklarry wrote: Where should I add the ftpfix line?
Somewhere in your script. For instance below the "Background &" line. It will create a file in /tmp/, so you can check if the script has run on boot.

nicklarry wrote: Thx for pointing out my ip is visible - ouch!
It's still visible.

Edit:
nicklarry wrote: local ftp is successfully connected, but I can't get the dir listing which didn't happen before all those changes.
That's normal, it is a side effect of the fix. The server opens a port for a data connection, and tells the client to access it on the public IP address. But that address isn't accessible from the inside.

Edit2: Your outside connection works better than your log shows:

Code: Select all

ftp *.*.*.* 9059
Connected to *.*.*.*.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 4 of 5 allowed.
220-Local time is now 20:48. Server port: 9059.
220 You will be disconnected after 15 minutes of inactivity.
500 This security scheme is not implemented
Name (*.*.*.*:user):
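
Added example, not part of any post in this thread: the PASV reply in the local log ends in 35,100, which encodes data port 35*256+100 = 9060, the first port of the `-p 9060:9069` range in pure-ftpd.arg. The sketch below decodes a 227 reply and checks it against a pure-ftpd argument line; the addresses 198.51.100.7 and 192.168.1.20 and all function names are constructed for illustration.

```sh
#!/bin/sh
# Added example: decode a PASV reply and compare it with pure-ftpd's arguments.
# All sample values are constructed; 198.51.100.7 stands in for the public IP.

# Print the six numbers of "227 ... (h1,h2,h3,h4,p1,p2)" separated by spaces.
pasv_fields() {
    echo "$1" | sed -n 's/.*(\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\),\([0-9]*\)).*/\1 \2 \3 \4 \5 \6/p'
}

# Address the server tells the client to connect to for data.
pasv_host() {
    set -- $(pasv_fields "$1")
    [ $# -eq 6 ] || return 1
    echo "$1.$2.$3.$4"
}

# Data port = p1 * 256 + p2
pasv_port() {
    set -- $(pasv_fields "$1")
    [ $# -eq 6 ] || return 1
    echo $(( $5 * 256 + $6 ))
}

# Print the value that follows option $2 (-p or -P) in argument line $1.
arg_value() {
    set -- "$2" $1            # unquoted on purpose: split the line into words
    flag=$1; shift
    while [ $# -gt 1 ]; do
        if [ "$1" = "$flag" ]; then echo "$2"; return 0; fi
        shift
    done
    return 1
}

# Print ok, port-outside-range or address-mismatch for reply $2 under arguments $1.
check_pasv() {
    range=$(arg_value "$1" -p) || { echo no-passive-range; return 1; }
    forced=$(arg_value "$1" -P) || { echo no-forced-address; return 1; }
    port=$(pasv_port "$2") || { echo bad-reply; return 1; }
    if [ "$port" -lt "${range%%:*}" ] || [ "$port" -gt "${range##*:}" ]; then
        echo port-outside-range; return 1
    fi
    [ "$forced" = "$(pasv_host "$2")" ] || { echo address-mismatch; return 1; }
    echo ok
}

ARGS='-A -B -b -D -H -M -l pam -R -U 000:000 -S 9059 -L 200000:5 -8 utf-8 -9 utf-8 -c 5 -C 5 -I 15 -p 9060:9069 -P 198.51.100.7'
check_pasv "$ARGS" '227 Entering Passive Mode (198,51,100,7,35,100)' || true   # reply matches -p and -P
check_pasv "$ARGS" '227 Entering Passive Mode (192,168,1,20,35,100)' || true   # daemon not restarted with -P
```

A reply that passes this check can still time out for a client inside the LAN when the router has no NAT loopback, which is the directory-listing failure shown in the local log.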
