|
On Fri, 25 Nov 2005, Joseph Mack NA3T wrote:
> On Fri, 25 Nov 2005, Mark de Vries wrote:
>
> > Problem found...
> >
> > The thing is that ip_vs(_ftp) seems to assume that the
> > ftp-data connection will be initiated from port 20. Seems
> > like a valid assumption...
> >
> > But unfortunately this is not always the case... the
> > vsftpd I was testing with was configured to
> > "connect_from_port_20=NO" by default. Once I swithched to
> > "=YES" active FTP worked fine.
>
> good sleuthing
>
Thanx. Once I ran with debug output it was pretty easy to see what was
going on.
> > So.... Now the question is: is this a vsftpd 'problem'?
> > MUST ftp-data connections originate from port 20? Or
> > should this assumption be relaxed?
> >
> > Aparently the iptables contrack_ftp module does not assume
> > it; Connections from ports other then 20 are considered
> > "RELATED". (I have not checked the src or debugged
> > anything, I just observed that this type of connection is
> > indeed matched by a "RELATED" rule in my own iptables
> > setup.)
>
> the ftp helper was written in the early 2.4 kernel days and
> I doubt if it's had much attention since then. Presumably it
> was the easiest code to get going and since there were no
> problems for 5 years (or however long it's been), everyone
> has forgotten about the data port. Are you up for adding a
> --data-port="some_number" option to the code?
I don't think that would help much. The src port is not always the same.
vsftpd (prolly) just connects without binding to a specific port, just
getting a random one in the ip_local_port_range...
Is there anything against not matching on the src port like the
ip_contrack(_ftp) stuff?
Rgds,
Mark.
|
