
Passive FTP and firewall (apf)

Discussion in 'Plesk for Linux - 8.x and Older' started by CiViX, Jun 1, 2006.

  1. CiViX

    CiViX Guest

    I've been having problems with ftp lately. Most users can use passive ftp fine. But a few users on a few networks (ISPs) have problems with the connection timing out after a while. They can upload a couple of files (each 1-2 MB), but then it suddenly stops.

    As this only affects some users, I first didn't think that the problem was related to our servers. But strangely enough it works fine for all users if I disable the firewall (apf).

    I do not want to allow open high ports, and this shouldn't be necessary either if ip_conntrack_ftp is loaded, as far as I understand.

    For most users ftp works perfectly if I open only port 21/tcp in. I do not need to open 20/21 out. As ftp is strictly a tcp-protocol no special udp-ports have to be opened (although most users seem to open 21/21 also in udp).

    This works for 99% of our customers:
    ********************************************
    IG_TCP_CPORTS="21,22,25,53,80,106,110,113,143,161,162,199,443,465,993,995,8443,3306,5432"
    IG_UDP_CPORTS="53,161,162,993,995"

    EGF="1"
    EG_TCP_CPORTS="22,25,43,53,80,113,443,5224"
    EG_UDP_CPORTS="53,123"
    ********************************************

    For the handful of users that have "timeout"-problems, it works if I either disable output-filtering, or if I open 1024_65535/tcp output. But with ip_conntrack_ftp I didn't think this should be necessary.

    This works for all users:
    *********************************************
    IG_TCP_CPORTS="20,21,22,25,53,80,106,110,113,143,161,162,199,443,465,993,995,8443,3306,5432"
    IG_UDP_CPORTS="53,161,162,993,995"

    EGF="1"
    EG_TCP_CPORTS="22,25,43,53,80,113,443,5224,1024_65535"
    EG_UDP_CPORTS="53,123"
    *********************************************
    ...or simply EGF="0" (although this is not desirable).

    I have also tried this:
    EG_TCP_CPORTS="22,25,43,53,80,113,443,5224,35000_40000"
    while adding
    PassivePorts 35000 40000
    to proftpd.conf, but then it doesn't work. I must open the whole range 1024-65535 for it to work...

    (Yes I restart xinetd/apf after the changes.)

    I understand that apf loads ip_conntrack_ftp automatically, and if I do an lsmod I get this (edited) output:

    Module Size Used by
    iptable_nat 27229 0
    ipv6 240225 38
    ipt_TOS 6337 2
    iptable_mangle 6721 1
    ip_conntrack_ftp 76273 0
    ip_conntrack_irc 75505 0
    ipt_REJECT 10561 3
    ipt_LOG 10049 2
    ipt_limit 6337 7
    iptable_filter 6721 1
    ipt_multiport 5953 4
    ipt_state 5825 16
    ip_conntrack 45573 4 iptable_nat,ip_conntrack_ftp,ip_conntrack_irc,ipt_state
    ip_tables 21441 9 iptable_nat,ipt_TOS,iptable_mangle,ipt_REJECT,ipt_LOG,ipt_limit,iptable_filter,ipt_multiport,ipt_state

    Doesn't this mean that ip_conntrack_ftp is loaded? Why is it not doing its job?

    Could anyone please help me solve this strange problem?
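An added configuration audit for the situation described above (not apf's, proftpd's or the poster's own code; the function names are my own and the apf, proftpd.conf and lsmod fragments below are constructed samples modelled on the post). It reports whether IG_TCP_CPORTS opens the PassivePorts range exactly, only via a far wider entry such as 1024_65535, or not at all, and whether an FTP conntrack helper shows up in lsmod output.

```shell
#!/bin/sh
# Added audit helper, not apf's or proftpd's own code. The inputs below are
# constructed fragments modelled on the thread, not copied from a real server.
APF_OK='IG_TCP_CPORTS="21,22,25,80,443,35000_40000"
EGF="1"
EG_TCP_CPORTS="22,25,53,80,443"'
APF_WIDE='IG_TCP_CPORTS="21,22,25,80,443,1024_65535"
EGF="1"'
APF_MISSING='IG_TCP_CPORTS="21,22,25,80,443"'
PROFTPD='ServerName "ftp"
PassivePorts 35000 40000'
LSMOD='Module Size Used by
ip_conntrack_ftp 76273 0
ip_conntrack 45573 4 iptable_nat,ip_conntrack_ftp'

# Print the value of a KEY="..." line from an apf conf fragment.
apf_value() { printf '%s\n' "$2" | sed -n "s/^$1=\"\(.*\)\"/\1/p"; }

# Print "low high" from the PassivePorts directive (empty if absent).
passive_range() { printf '%s\n' "$1" | awk '$1=="PassivePorts"{print $2,$3}'; }

# Print the first entry of an apf port list (a single port or an a_b range)
# that covers LOW-HIGH; return 1 if none does.
covering_entry() {
  low=$2; high=$3
  for e in $(printf '%s' "$1" | tr ',' ' '); do
    case $e in *_*) a=${e%_*}; b=${e#*_} ;; *) a=$e; b=$e ;; esac
    [ "$a" -le "$low" ] && [ "$b" -ge "$high" ] && { echo "$e"; return 0; }
  done
  return 1
}

# 0: IG_TCP_CPORTS opens exactly the PassivePorts range.
# 1: the range is not opened (passive data connections will stall).
# 2: opened only by a wider entry such as 1024_65535 (works, over-permissive).
check_passive_ftp() {
  set -- "$(apf_value IG_TCP_CPORTS "$1")" $(passive_range "$2")
  [ $# -eq 3 ] || return 1
  e=$(covering_entry "$1" "$2" "$3") || return 1
  [ "$e" = "${2}_${3}" ] && return 0
  return 2
}

# 0 if an FTP conntrack helper (old or new module name) is in the lsmod output.
helper_loaded() { printf '%s\n' "$1" | grep -qE '^(ip|nf)_conntrack_ftp '; }

check_passive_ftp "$APF_WIDE" "$PROFTPD" || echo "APF_WIDE: status $?"
```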
     
  2. CiViX

    CiViX Guest

    Anyone?
     
  3. calderwood

    calderwood Regular Pleskian

    FTP errors

    I am having similar problems with failed uploads. I have a theory, but it's not tested. Are you using DSL or cable? If DSL is it PPoP?
     
  4. CiViX

    CiViX Guest

    Customers reporting the problem are using DSL afaik. Which protocol they're using I'm not sure of...
     
  5. calderwood

    calderwood Regular Pleskian

    FTP and DSL

    That's interesting, as I had noticed that all of our customers reporting problems are using Verizon DSL (PPoP). I've checked with clients using cable or fiber and they don't have problems. I have a DSL connection and can't upload to my server with Plesk 8.0, but I can upload to another server without Plesk.

    I've contacted Plesk but was told it was the DSL problem, but if I can upload to another server, it's not the DSL. I've been reading through the forums and I'm seeing scattered reports of upload problems, so I think it is something to do with Plesk 8.0 and DSL protocols. I should say that I've also tried un-installing the firewall, but still get errors.

    Got me.
     
  6. calderwood

    calderwood Regular Pleskian

  7. atomicturtle

    atomicturtle Golden Pleskian

    I cover this particular topic a lot in my book, since there are so many things that can cause it. Rough guess it's the MTU on the DSL side. This rule has a remote chance of clearing it up:

    $IPTABLES -A OUTPUT -o $EXTERNAL -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    $IPTABLES is the path to iptables
    $EXTERNAL is the external interface on your system

    Normally I only have to do that on a firewall hooked up to a DSL. ECN (Explicit Congestion Notification) would be my next guess, or possibly you've got interface errors on your box. Check ifconfig to see if it's reporting anything.
     
  8. lvalics

    lvalics Silver Pleskian Plesk Guru

    And how can this rule be translated into APF?
     
  9. atomicturtle

    atomicturtle Golden Pleskian

    I don't use apf, so I can't help you there. apf is just a wrapper around netfilter/iptables though, so the rules are exactly the same syntax underneath.
     
  10. pcsousa

    pcsousa New Pleskian

    Well, I added 1024_65535 to IG_TCP_CPORTS in order to allow apf and ftp to run together. Better less protection than none. This behavior is very strange. This was the only solution we found working, besides turning apf off (bad idea).

    We have 5 other servers running apf (2 cPanel+RH and 3 with no control panels and fedora core) and no problems at all.
    This is our 1st Plesk and also first SUSE server.
     
  11. Jllynch

    Jllynch Regular Pleskian

    We had this problem also. An ftp upload of 10 MB would fail at random times. If we turned off Egress (outbound) filtering on APF, that fixed it. So we did something like pcsousa and just set a large pile of ports to be open outbound to fix it.
    http://www.netvantage.com.au
     