Passive FTP and firewall (apf)

[CiViX]

I've been having problems with ftp lately. Most users can use passive ftp fine. But a few users on a few networks (ISPs) have problems with the connection timing out after a while. They can upload a couple of files (each 1-2 MB), but then it suddenly stops.

As this only affects some users, I first didn't think that the problem was related to our servers. But strangely enough it works fine for all users if I disable the firewall (apf).

I do not want to allow open high ports, and this shouldn't be necessary either if ip_conntrack_ftp is loaded, as far as I understand.

For most users ftp works perfectly if I open only port 21/tcp in. I do not need to open 20/21 out. As ftp is strictly a tcp-protocol no special udp-ports have to be opened (although most users seem to open 21/21 also in udp).

This works for 99% of our customers:
********************************************
IG_TCP_CPORTS="21,22,25,53,80,106,110,113,143,161,162,199,443,465,993,995,8443,3306,5432"
IG_UDP_CPORTS="53,161,162,993,995"

EGF="1"
EG_TCP_CPORTS="22,25,43,53,80,113,443,5224"
EG_UDP_CPORTS="53,123"
********************************************

For the handful of users that have "timeout"-problems, it works if I either disable output-filtering, or if I open 1024_65535/tcp output. But with ip_conntrack_ftp I didn't think this should be necessary.

This works for all users:
*********************************************
IG_TCP_CPORTS="20,21,22,25,53,80,106,110,113,143,161,162,199,443,465,993,995,8443,3306,5432"
IG_UDP_CPORTS="53,161,162,993,995"

EGF="1"
EG_TCP_CPORTS="22,25,43,53,80,113,443,5224,1024_65535"
EG_UDP_CPORTS="53,123"
*********************************************
...or simply EGF="0" (although this is not desirable).

I have also tried this:
EG_TCP_CPORTS="22,25,43,53,80,113,443,5224,35000_40000"
while adding
PassivePorts 35000 40000
to proftpd.conf, but then it doesn't work. I must open the whole range 1024-65535 for it to work...

(Yes I restart xinetd/apf after the changes.)

I understand that apf loads ip_conntrack_ftp automatically, and if I do an lsmod I get this (edited) output:

Module Size Used by
iptable_nat 27229 0
ipv6 240225 38
ipt_TOS 6337 2
iptable_mangle 6721 1
ip_conntrack_ftp 76273 0
ip_conntrack_irc 75505 0
ipt_REJECT 10561 3
ipt_LOG 10049 2
ipt_limit 6337 7
iptable_filter 6721 1
ipt_multiport 5953 4
ipt_state 5825 16
ip_conntrack 45573 4 iptable_nat,ip_conntrack_ftp,ip_conntrack_irc,ipt_state
ip_tables 21441 9 iptable_nat,ipt_TOS,iptable_mangle,ipt_REJECT,ipt_LOG,ipt_limit,iptable_filter,ipt_multiport,ipt_state

Doesn't this mean that ip_conntrack_ftp is loaded? Why is it not doing it's job?

Could anyone please help me solve this strange problem?

 

[CiViX]

Anyone?

 

[calderwood]

FTP errors

I am having similar problems with failed uploads. I have a theory, but it's not tested. Are you using DSL or cable? If DSL is it PPoP?

 

[CiViX]

Customers reporting the problem are using DSL afaik. Which protocol they're using I'm not sure of...

 

[calderwood]

FTP and DSL

That's interesting, as I had noticed that all of our customers reporting problems are using Verizon DSL (PPoP). I've checked with clients using cable or fiber and they don't have problems. I have a DSL connection and can't upload to my server with Plesk 8.0, but I can upload to another server without Plesk.

I've contacted Plesk but was told it was the DSL problem, but if I can upload to another server, it's not the DSL. I've been reading through the forums and I'm seeing scattered reports of upload problems, so I think it is something to do with Pleask 8.0 and DSL protocols. I should say, that I've also tried un-installing the firewall, but still get errors.

Got me.

 

[calderwood]

Not DSL related

I came to the conclusion that it was not related to DSL. See my other thread:
http://forum.swsoft.com/showthread.php?s=&threadid=34336

 

[atomicturtle]

I cover this particular topic a lot in my book, since there are so many things that can cause it. Rough guess its the MTU on the DSL side. This rule has a remote chance of clearing it up:

$IPTABLES -A OUTPUT -o $EXTERNAL -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

$IPTABLES= is the path to iptables
$EXTERNAL= is the external interface on your system

Normally I only have to do that on a firewall hooked up to a DSL. ECN (Excplict Congestion Notification) would be my next guess, or possibly you've got interface errors on your box. Check ifconfig to see if its reporting anything.

 

[lvalics]

And how can be this rule translated into APF ?

 

[atomicturtle]

I dont use apf, so I can't help you there. apf is just a wrapper around netfilter/iptables though, so the rules are exactly the same syntax underneath.

 

[pcsousa]

well, I added 1024_65535 to IG_TCP_CPORTS in order to allow apf and ftp running. Better less than none protection. This behavior is very strange. This was the only solution we found working, beside turning apf off (bad idea).

We have 5 other servers running apf (2 cPanel+RH and 3 with no control panels and fedora core) and no problems at all.
This is our 1st Plesk and also first SUSE server.

 

[Jllynch]

We had this problem also. An ftp upload of 10mb would fail at random times. If we turned of Egress (outbound) filtering on AFP that fixed it. So we did something like pcsousa and just set a large pile of ports to be open outbound to fix it.



http://www.netvantage.com.au