FTP over Internet problem NSA210

[Mijzelf]

I managed to connect through Internet and transferred a movie with 3.5MB/s which means its using my internal IP for data. Somehow it sees that its a device connected to my router.

Not really. You are accessing the FTP server via your public IP address. But this router supports 'nat loopback', which means it just 'injects' the data to it's WAN port, where it's handled normally.
The lower speed is because the data passes the router twice (from LAN to WAN, and back), and the router is not the fastest one around. (Well, it does it's job, and it can handle a 20Mbps connection, but it has not enough juice to handle nat loopback on 15MB/sec (=300Mbps))

[nicklarry]

If someone could help me plz.... I've made the above script with vi and my current ip (which is not static, but it won't change as long as I don't restart my connection, which means it'll be the same for months) , I've put it in the correct dir and made it executable ok, named it ftpserver.sh . Port forwarding seems to be working for every other program I've setup so it's unlikely that's the root of the problem. Now, I've seen that I've no /var/zyxel/pure-ftpd.arg file here. The problem right now is that I can still connect to the ftp server locally but it can't be reached from outside at all. So, I assume that the script is not doing anything for me atm for some reason. Any help is appreciated, thx!

[Mijzelf]

I've seen that I've no /var/zyxel/pure-ftpd.arg file here.

In that case this fix cannot work of course. Which firmware are you running? What is the output of

Code: Select all

ps | grep ftp

[nicklarry]

I'm on fw V4.40(AFD.1). I get no output at all from that command, just returns to command prompt - thx for helping me btw

edit: just saw that there's 4.40(afd.2) available, is it important that I upgrade to it?

[Mijzelf]

I'm on fw V4.40(AFD.1). I get no output at all from that command, just returns to command prompt

In that case I suppose you are running FFP? Try

Code: Select all

ps -A | grep ftp

edit: just saw that there's 4.40(afd.2) available, is it important that I upgrade to it?

Don't think so. There is not much difference between that two. Only some bugfixes and minor updates. But it seems you are running a different FTP server.

[nicklarry]

I issued "ps -A | grep ftp" and returned "16799 ? 00:00:01 pure-ftpd" , yes ffp is running. But I'm just using the built-in ftp server, does ffp change anything silently about ftp?

[Mijzelf]

No, FFP leaves the firmware functions alone.

So your box is running pure-ftpd, which is the one for which that script is intended. Did you create your FFP stick before you updated the firmware to 4.40? In that case you might be running it chrooted, which could mean that /var/zyxel is not the same one which is seen by the firmware.

[nicklarry]

I installed ffp via the built-in package method not by stick (dunno if that's important, I suppose not) and it was after the firmware update, I haven't put another fw since.

[Mijzelf]

(dunno if that's important, I suppose not)

Indeed. AFAICS it not relevant.

But that means your box should just work as the others. What is the contents of your /usr/local/sbin/vsftpd_start_silent.sh?

[nicklarry]

the content is:

#!/bin/sh

# zylogger
# source 17: built-in service
# priority 5: notice
# facility 17: built-in service
#
# Detailed information is in zylog-1.0/zylog.h

# This script may be called from ZySH watchdog and
# may not check if FTPd is already running, so
# FTPd should be killed here.

/bin/killall -9 pure-ftpd

PS=`/bin/ps | /bin/grep pure-ftpd | /bin/grep -v grep`

# test if "$PS" is non-null
while [ -n "$PS" ]
do
sleep 1
PS=`/bin/ps | /bin/grep pure-ftpd | /bin/grep -v grep`
done

EDIT:

restarted the NAS and checked again /var/zyxel/ and pure-ftpd.arg is there (?!?) - here's what it contains:

#!/bin/sh

# zylogger
# source 17: built-in service
# priority 5: notice
# facility 17: built-in service
#
# Detailed information is in zylog-1.0/zylog.h

# This script may be called from ZySH watchdog and
# may not check if FTPd is already running, so
# FTPd should be killed here.

/bin/killall -9 pure-ftpd

PS=`/bin/ps | /bin/grep pure-ftpd | /bin/grep -v grep`

# test if "$PS" is non-null
while [ -n "$PS" ]
do
sleep 1
PS=`/bin/ps | /bin/grep pure-ftpd | /bin/grep -v grep`
done
sh-4.1# ls /var/zyxel/
myzone_rule pure-ftpd.arg vsftpd.conf zysh
sh-4.1# vi /var/zyxel/pure-ftpd.arg
-A -B -b -D -H -M -l pam -R -U 000:000 -S 9059 -L 200000:5 -8 utf-8 -9 utf-8 -c
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~


I tried again to connect , but no luck, local connection works - the same as before really. Any ideas? Again thx

[Mijzelf]

I miss some lines in your vsftpd_start_silent.sh:

Code: Select all

if [ -x /usr/local/sbin/pure-ftpd ] ; then
  /bin/nice -n 20 /usr/local/sbin/pure-ftpd `cat /var/zyxel/pure-ftpd.arg`
fi

This is the actual startline, the rest is the killing of a currently running ftp server. Here the contents of /var/zyxel/pure-ftpd.arg is used as commandline arg for pure-ftpd.

Code: Select all

sh-4.1# vi /var/zyxel/pure-ftpd.arg
 -A -B -b -D -H -M -l pam -R -U 000:000 -S 9059 -L 200000:5 -8 utf-8 -9 utf-8 -c

You can just use 'cat' or 'less' to list files. vi is a bit overpowered.

Anyway, I don't see a '-P <PUBLICIP>' in this line, so either the script didn't run, or there is a bug in it. Wat happens if your do

Code: Select all

cat /var/zyxel/pure-ftpd.arg
/usr/local/zy-pkgs/etc/init.d/ftpserver.sh
cat /var/zyxel/pure-ftpd.arg

[nicklarry]

"cat /var/zyxel/pure-ftpd.arg" gives:
-A -B -b -D -H -M -l pam -R -U 000:000 -S 9059 -L 200000:5 -8 utf-8 -9 utf-8 -c 5 -C 5 -I 15 -p 9060:9069

"/usr/local/zy-pkgs/etc/init.d/ftpserver.sh" returns nothing - back to prompt and entering "cat /var/zyxel/pure-ftpd.arg" again returns the very same output as before. Here's what "cat /usr/local/zy-pkgs/etc/init.d/ftpserver.sh" returns

#!/bin/sh
#This script disables all LAN FTP connections & enables only Internet ones
#NAS isn't configured to address the public ip but only internal.
#That's why I use this script, so I can access the FTP from everywhere.

# Change in your public IP, or dyndns domain
PUBLICIP=*.*.*.*
Background()
{
sleep 60

# Add public ip to the line
local CURARGS=` cat /var/zyxel/pure-ftpd.arg `
if echo $CURARGS | grep "\"-P $PUBLICIP\""
then
exit 0
fi

echo $CURARGS -P $PUBLICIP >/var/zyxel/pure-ftpd.arg

# restart pure-ftpd
/usr/local/sbin/vsftpd_start_silent.sh
}

Background &

EDIT:

deleted and recreated ftpserver.sh restarted the ftp service, ran ftpservice.sh by hand and after a few seconds the output of "cat /var/zyxel/pure-ftpd.arg" is:
-A -B -b -D -H -M -l pam -R -U 000:000 -S 9059 -L 200000:5 -8 utf-8 -9 utf-8 -c 5 -C 5 -I 15 -p 9060:9069 -P *.*.*.*

tried to connect, but the behaviour is the same - ok for local, no good from internet. Disabling/reenabling the ftp server resets "pure-ftpd.arg" to

-A -B -b -D -H -M -l pam -R -U 000:000 -S 9059 -L 200000:5 -8 utf-8 -9 utf-8 -c 5 -C 5 -I 15

which I think is normal

ls -l ftpserver.sh returns:

-rwxr-xr-x 1 root root 618 Feb 13 16:01 /usr/local/zy-pkgs/etc/init.d/ftpserver.sh

which I think is ok for executable, but it really won't start at startup or for some reason it doesn't modify "pure-ftpd.arg" as it should until I run it by hand.

[Mijzelf]

-A -B -b -D -H -M -l pam -R -U 000:000 -S 9059 -L 200000:5 -8 utf-8 -9 utf-8 -c 5 -C 5 -I 15 -p 9060:9069 -P a.b.c.d

Looks as it should

tried to connect, but the behaviour is the same - ok for local, no good from internet

Do you have a log from that?

Disabling/reenabling the ftp server resets "pure-ftpd.arg"

Yeah. I think I have a fix for that, but let's first find out why the base doesn't work for you.

it really won't start at startup or for some reason it doesn't modify "pure-ftpd.arg"

You can add a line

Code: Select all

echo "$0 runs" >/tmp/ftpfix

to see if it really doesn't run.

BTW, you might want to hide your public IP address in your post.

[nicklarry]

ftp log - trying to connect from outside:

Status: Connecting to *.*.*.*:9059...
Error: Connection timed out
Error: Could not connect to server
Status: Waiting to retry...
Status: Connecting to *.*.*.*:9059...
Error: Connection timed out
Error: Could not connect to server

local ftp is successfully connected, but I can't get the dir listing which didn't happen before all those changes. Here's the log:

Status: Connecting to *.*.*.*:9059...
Status: Connection established, waiting for welcome message...
Response: 220---------- Welcome to Pure-FTPd [TLS] ----------
Response: 220-You are user number 1 of 5 allowed.
Response: 220-Local time is now 20:35. Server port: 9059.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: USER anonymous
Response: 331 Any password will work
Command: PASS **************
Response: 230 Any password will work
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Extensions supported:
Response: EPRT
Response: IDLE
Response: MDTM
Response: SIZE
Response: REST STREAM
Response: MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response: MLSD
Response: TVFS
Response: ESTP
Response: PASV
Response: EPSV
Response: SPSV
Response: 211 End.
Status: Server does not support non-ASCII characters.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (*,*,*,*,35,100)
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing



Where should I add the ftpfix line? Should I just issue it in the command line? I tried that and just returned to prompt, but I guess I should be adding it somewhere instead?

Thx for pointing out my ip is visible - ouch!

[Mijzelf]

ftp log - trying to connect from outside:

Is that really from the outside? In that case port forwarding has failed. Or are you accessing from inside on your outside ip address? In that case your router doesn't support NAT loopback (or it isn't enabled).

Where should I add the ftpfix line?

Somewhere in your script. For instance below the "Background &" line. It will create a file in /tmp/, so you can check if the script has run on boot.

Thx for pointing out my ip is visible - ouch!

It's still visible.

Edit:

local ftp is successfully connected, but I can't get the dir listing which didn't happen before all those changes.

That's normal it is a side effect of the fix. The opens a port for a data connection, and tells the client to access it on the public IP address. But that address isn't accessible from the inside.

Edit2: Your outside connection works better than your log shows:

Code: Select all

ftp *.*.*.* 9059
Connected to *.*.*.*.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 4 of 5 allowed.
220-Local time is now 20:48. Server port: 9059.
220 You will be disconnected after 15 minutes of inactivity.
500 This security scheme is not implemented
Name (*.*.*.*:user)

: