Koozali.org: home of the SME Server

Additional PassivePorts in /etc/proftpd.conf

Pepino
Additional PassivePorts in /etc/proftpd.conf
« on: January 23, 2023, 05:04:50 PM »
Hi

I have already set in my Koozali SME Server 10.1:
Code:
db configuration setprop ftp TCPPorts 44900:44950
Checked here:
Code:
config show ftp
ftp=service
    LoginAccess=public
    TCPPort=21
    TCPPorts=44900:44950
    TLSEnable=on
    TLSRequired=on
    TLSVerifyClient=off
    access=public
    status=enabled

but
Code:
signal-event remoteaccess-update

regenerates only the firewall config (I checked with iptables -nvL).

I had to add manually in /etc/proftpd.conf:
Code:
PassivePorts 44900 44950

and after
Code:
systemctl restart ftp.service

it works, but as we all know it will be overwritten at the next configuration (re)generation.
How to add it permanently and according to the rules?

By the way, it's strange that there is nothing in the Koozali documentation about the fact that passive connections with TLS from the FTP client (which has a private address) to the SME Server (which is available on a public address) require additional ports for the data transfer.
Without them, the client will establish a connection and will be authorized, but it will not download or send anything, or even display a list of remote files/directories.

Let me also ask right away: how can I add the following to proftpd.conf?
Code:
AuthPam off
« Last Edit: January 23, 2023, 05:12:23 PM by Pepino »

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Additional PassivePorts in /etc/proftpd.conf
« Reply #1 on: January 23, 2023, 08:47:10 PM »
open a bug for each
- missing PassivePorts fragment
- missing PassivePorts documentation and tls explicit/implicit method and active vs passive mode

This is a complex situation and there is no one-size-fits-all, because it depends on whether the SME Server is in server-gateway mode or not, whether it is directly connected to the internet or behind another level of NAT, and also on where the client is.
The passive/active mode has always been an issue to handle, to have it working depending on the network architecture, but TLS adds the explicit vs implicit method.



Regarding AuthPam: I am not sure why you would like to disable this.


Pepino
Re: Additional PassivePorts in /etc/proftpd.conf
« Reply #2 on: January 23, 2023, 11:13:56 PM »
Quote
Regarding AuthPam: I am not sure why you would like to disable this.

Because in /var/log/proftpd/proftpd.log I see all the time:
Code:
Jan 23 10:35:25 cube proftpd: pam_env(ftp:setcred): Unable to open config file: /etc/security/pam_env.conf: No such file or directory

although it exists and has the right permissions:
Code:
ls -al /etc/security/pam_env.conf
-rw-r--r--. 1 root root 2972 Apr  1  2020 /etc/security/pam_env.conf

Another thing is that all its lines are commented out:
Code:
grep -v '#' -c /etc/security/pam_env.conf
0

As for PassivePorts, of course I will open a bug ticket.
I know that there are different scenarios, but the most popular one is that the server has a public IP address. The client may have one, but does not have to.
The exceptions are rather situations when:
a) the server is behind NAT - then it will be even worse ;)
b) the server is on the same network as the client, e.g. in a small office (then SSL/TLS is less critical).

P.S. explicit/implicit mode - these can be set on the client's side. The current default configuration of the SME Server doesn't support unencrypted connections, and there is no variable/definition of another listening port anywhere.
« Last Edit: January 23, 2023, 11:38:30 PM by Pepino »

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Additional PassivePorts in /etc/proftpd.conf
« Reply #3 on: January 24, 2023, 05:13:37 AM »
Regarding AuthPam, this is just log noise, and you need it to allow your users to authenticate. If you search for this message on the internet you will see a few attempts to avoid it, but you will also lose the logout message in the log.

Pepino
Re: Additional PassivePorts in /etc/proftpd.conf
« Reply #4 on: January 24, 2023, 08:30:56 AM »
Quote
Regarding AuthPam, this is just log noise, and you need it to allow your users to authenticate. If you search for this message on the internet you will see a few attempts to avoid it, but you will also lose the logout message in the log.

It's not noise, it's just a bug that has existed for over 10 years (since SME8).
https://bugs.koozali.org/show_bug.cgi?id=7129

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Additional PassivePorts in /etc/proftpd.conf
« Reply #5 on: January 24, 2023, 12:55:10 PM »
What is the bug preventing you from doing?

If nothing fails to work as expected, then this is log noise, not a bug.

And removing the authentication availability to get rid of the log noise will create a bug.

Pepino
Re: Additional PassivePorts in /etc/proftpd.conf
« Reply #6 on: February 05, 2024, 04:10:51 PM »
Could you please explain to me the content of /etc/e-smith/templates-custom/etc/proftpd.conf/05portPassive?
Code:
{
my $PassivePorts=$ftp{TcpPorts}||"49200:49999";
$PassivePorts=~ s/:/ /;
# Perl's index() takes (STRING, SUBSTRING): search $PassivePorts for a comma
$PassivePorts="49200:49999" if (index($PassivePorts, ',') != -1);
$OUT= "PassivePorts             $PassivePorts\n";
}

1) We init a variable PassivePorts with the value from config ftp TcpPorts. If the value does not exist we use the string "49200:49999".
2) It looks like a regular expression that replaces : with a space (sed-like syntax).
3) We redeclare PassivePorts if? ...and I don't understand here.
4) We send to output the line "PassivePorts[tab][tab]49200 49999[newline]".

Sorry to write about it here, but I guess it's better than cluttering up the bug tracker.
« Last Edit: February 05, 2024, 07:22:00 PM by Pepino »

ReetP
Re: Additional PassivePorts in /etc/proftpd.conf
« Reply #7 on: February 05, 2024, 08:13:52 PM »
Quote
1) we init a variable PassivePorts with value from config ftp TcpPorts.

3) We redeclare PassivePorts if? ...and I don't understand here.

For 1, yes, that's one way of retrieving db values. Have a good read of the wiki for more info (or PM me for a Rocket account and talk to us directly).

2, I think yes.

Not sure about 4, but for 3, Perl only needs you to declare once with 'my'.

After that you can modify as required without using 'my'.

JP will fill you in.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Additional PassivePorts in /etc/proftpd.conf
« Reply #8 on: February 05, 2024, 10:13:48 PM »
Made a typo trying to prevent one.
Here is an alternative. One could have also inverted lines 2 and 3.

Code:
{
my $PassivePorts=$ftp{TcpPorts}||"49200:49999";
$PassivePorts=~ s/:/ /;
# Perl's index() takes (STRING, SUBSTRING): search $PassivePorts for a comma
$PassivePorts="49200 49999" if (index($PassivePorts, ',') != -1);
$OUT= "PassivePorts             $PassivePorts\n";
}

1/ declare the variable, initializing it if empty
2/ replace : by a space to make it compatible with the proftpd syntax
3/ if we have a comma in the string then we cannot trust the content, and force the default.


FYI, TCPPorts could look like:
Code:
345:350,23,67,456:458,8900
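As an added example (not the SME Server template or any code from the thread), here is the same fragment logic as a stand-alone Perl script that can be run on a workstation against a few constructed TCPPorts values, including the multi-range form shown just above. The %ftp hash is simulated rather than read from the configuration db; the property is read as TCPPorts, the spelling shown by config show, because e-smith fills these hashes with the db property names verbatim. The script goes one step further than the template: besides the comma check, it also rejects anything that is not a single lo:hi range, so that a bare port or an inverted range falls back to the default instead of producing a PassivePorts line proftpd would reject.

```perl
#!/usr/bin/perl
# Added example: the 05portPassive fragment logic as a function, exercised on
# constructed inputs. Not the SME Server template itself.
use strict;
use warnings;

# Default passive range used by the template fragment discussed in the thread.
my $DEFAULT = "49200:49999";

# Turn the ftp TCPPorts db property into a proftpd "PassivePorts lo hi" line.
# Accepts a single "lo:hi" range; anything else (a comma-separated list, a
# bare port, an inverted range, or an unset property) yields the default.
sub passive_ports_line {
    my ($tcpports) = @_;
    my $range = (defined $tcpports && length $tcpports) ? $tcpports : $DEFAULT;

    # Perl's index() is index(STRING, SUBSTRING): look for ',' inside $range.
    # A comma means a port list, which PassivePorts cannot express.
    $range = $DEFAULT if index($range, ',') != -1;

    # Stricter than the template (an assumption of this example): require
    # exactly lo:hi with lo <= hi <= 65535, otherwise fall back to the default.
    if ($range !~ /^(\d+):(\d+)$/ || $1 > $2 || $2 > 65535) {
        $range = $DEFAULT;
    }

    $range =~ s/:/ /;    # proftpd syntax is "PassivePorts lo hi"
    return "PassivePorts             $range\n";
}

# Constructed stand-ins for the %ftp hash e-smith builds from the "ftp"
# configuration record (keys are the db property names, case-sensitive).
my %cases = (
    "range as set in the first post" => { TCPPorts => "44900:44950" },
    "multi-range list from the post" => { TCPPorts => "345:350,23,67,456:458,8900" },
    "property not set"               => {},
    "single port, not a range"       => { TCPPorts => "44900" },
    "inverted range"                 => { TCPPorts => "44950:44900" },
);

for my $name (sort keys %cases) {
    my %ftp = %{ $cases{$name} };
    print "# $name\n", passive_ports_line($ftp{TCPPorts});
}
```

Only the first case produces "PassivePorts 44900 44950"; every other case prints the default "PassivePorts 49200 49999". To use the same logic in a fragment, the body of passive_ports_line goes inside the template's braces with the return replaced by an assignment to $OUT, and the fragment lives under /etc/e-smith/templates-custom/etc/proftpd.conf/ so it survives the next template expansion. Whatever range the fragment emits must match the ftp TCPPorts property, since that property is what opens the same ports in the firewall.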


Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: Additional PassivePorts in /etc/proftpd.conf
« Reply #9 on: February 05, 2024, 10:18:50 PM »
For reference, the related bug with the suggested bug fix / workaround:

https://bugs.koozali.org/show_bug.cgi?id=12454

Pepino
Re: Additional PassivePorts in /etc/proftpd.conf
« Reply #10 on: February 06, 2024, 10:03:53 AM »
Thanks for the explanation :)
In your last comment (nr 10) on the bug tracker you lost the ; (semicolon) at the end of the third line.
Without it there will be a syntax error.