PASV port theft errors in FTP
Posted 07 March 2003 - 09:45 PM
Much of OS X is based on FreeBSD and OS X Server uses a variant of lukemftpd for its FTP services, albeit with a purty GUI. Not yet being a CLI Jedi, I'm not sure what files might need to be modified to get things to work. I've looked 'round the Web for some help, but all the stuff I've found refers to .config files that do not exist in Apple's bastardized version (thanks, iSteve).
Here's da problem: The server is behind a Belkin NAT router hooked to a cable modem. A DNS alias from No-IP.com is used to direct FTP traffic to the server. The router has ports 20-21 mapped to send FTP requests to the server which has a static IP address assigned. The DNS alias works like a charm. I have the user accounts set up, the share points mapped out...all that is fine. Users (OK, just myself) can access their accounts via file sharing (AFS, NFS, SMB) with no problems.
FTP is an entirely different matter. When you attempt to access the server, it connects, checks the login info, and accepts it, but then you get an error saying: "PASV error. Possible port theft. Unable to make connection." Turning off passive mode yields an "Illegal PORT command" error. This happens even if I try to access via CLI or a GUI program. I also tried from Windows 98 using FileZilla and got the same results. I've added lines to the OS X Server Firewall list (in the GUI) accepting requests for ports 20-21. Still no joy. Turned off the OS X Firewall and gave Brickhouse (a cool shareware firewall app) a try, since it allows more modification of the ipfw files (which I think is where the problem might be). Set up the firewall rules in Brickhouse and got the same results. Now, accessing the FTP server locally from within the network works fine. No errors whatsoever. So, there must be something about the router setup that OS X Server doesn't like, but I'm clueless as to what it is. I looked through the man pages for ipfw and ftpd, but not knowing what to look for, I didn't find anything that might help. There is an ftpaccess.config file that I added a rule to, but it didn't help. I doubt the syntax is right, but it was something I found on a site while looking for answers.
After not being able to resolve this same problem a few months ago, I switched to CrushFTP and had it up, running and accessible in literally 5 minutes. No PASV errors, nothing....it just worked. It's a little frustrating that a $25 shareware app is easier to set up, configure and get working than X Server's FTP. The CrushFTP docs suggested that if you're behind a NAT router to assign the PASV ports to 2000-2010. Which I did: Crush FTP has a box in the interface to assign these ports. I also mapped those ports in the router configuration. It seems that this addresses the same problem that's occurring in X Server's FTP, but I don't know where to go to fix it, or what needs to be done (CLI or otherwise). Maybe there needs to be some rule added to a config file somewhere to allow all passive connections? Again, not being too familiar with BSD or things like the ipfw, or the like, I'm not even sure what I should be looking for. I guess I just need a push in the right direction.
Help me, Obi-Wan Kenobi...you're my only hope. If anyone in the universe can help, they will be found here.
Thanks in advance.
Posted 14 March 2003 - 02:30 PM
Posted 14 March 2003 - 05:05 PM
Sounds like the reason you are having trouble serving FTP with MacOSX Server vs. the CrushFTP software is because MacOSX Server must have some security features built in (whereas a little shareware app probably wouldn't). I was googling and found an article on the subject of FTP vulnerabilities that mentions these types of attacks here.
FWIW I use FreeBSD and ipfw gets its ruleset from /etc/rc.firewall. Hope that helped a little.