Koozali.org: home of the SME Server
Obsolete Releases => SME Server 7.x => Topic started by: kny on June 13, 2007, 10:39:58 PM
-
I am pretty new to SME server, so please forgive me if this is absolutely obvious, but I am really stuck on this problem. I do, however, have a number of years experience admin'ing Debian server systems, so I am not a complete linux newbie by any means.
My problem is that I want to move the FTP daemon running on the standard port 21 to another one - for argument's sake, let's say 680. What I have done up until now is - following the HOWTO on changing the SSHD port found here http://wiki.contribs.org/SSH_Port and adapting it to FTP:
config setprop ftp TCPPort 680
config getprop ftp TCPPort - Returns 680
signal-event remoteaccess-update
service ftp restart
The problem is that there is still an FTP server running on port 21, and none on 680. Also using the following
config set ftp service TCPPort 680 access public status enable
doesn't change anything, except that I can see that the firewall rules are adapted to open port 680 after a signal-event remoteaccess-update is executed.
I hope somebody can solve this seemingly simple problem for me, as it really has me ground down.
Doing the very un-SME-like solution of changing /etc/proftpd.conf value of Port to 680 doesn't help either.
Any help or pointers at all would be very appreciated.
-
> Any help or pointers at all would be very appreciated.
New feature requests and bug reports should go to the bug tracker.
-
I'm sorry, I didn't realise it was a bug until somebody told me I was doing the right thing. I was just extrapolating from the SSHD Howto, and as such I needed verification of the procedure.
I will make a post in the bugs department.
Could anyone verify this behavior on another system (non-production, of course)?
I am using SME Server 7.1.3 without any modifications - in fact a fresh install.
Thanks
// Kny
-
Is there any update on this one, as I can't make my FTP server run?
-
Just reporting it as a bug now. I will do some research and probing around tonight, so hopefully I can make a workaround in the meantime.
EDIT: Bug number is 3064 on the Bug tracker
// Kny
-
Do you have a link for the bug tracker?
-
The link is:
http://bugs.contribs.org/show_bug.cgi?id=3064
It is not a simple problem because of the NAT-unfriendly nature of the FTP protocol - i.e. you might only be able to set up a PASV mode FTP server. However, if you want to ignore that, you can simply modify the template in /etc/e-smith/templates/etc/proftpd.conf/05port and then run:
expand-template /etc/proftpd.conf
signal-event remoteaccess-update
Furthermore you need to open up a port in the firewall. I think the command for that is in my original bug description in the top link.
Good luck with it, and please post your findings here or at the bug tracker link.
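The procedure above (override the 05port fragment, re-expand proftpd.conf, re-run the remoteaccess event, confirm the firewall opens the port) can be turned into a repeatable script with a check at the end, which is what would have caught the original symptom of the daemon still sitting on port 21 while the firewall already allowed 680. The following is an added example, not code from this thread or from the SME Server project. It assumes that custom fragments live under /etc/e-smith/templates-custom mirroring the stock templates tree, that a plain "Port NNN" line is a valid 05port fragment, and that the proftpd.conf and iptables-save lines it checks against are the constructed samples written into a scratch ROOT; the expand-template and signal-event calls only run when ROOT=/ and those commands exist on the host.

```shell
#!/bin/sh
# Added example (not code from the thread or from the SME Server project).
# Puts the proftpd Port override into a custom template fragment, then
# verifies that the expanded proftpd.conf and the firewall rules agree on
# the new port. ROOT defaults to a scratch directory so it runs anywhere;
# set ROOT=/ on an SME box to write the real fragment and apply it.
ROOT="${ROOT:-$(mktemp -d)}"

# Write a custom fragment that shadows the stock 05port template fragment.
# Assumption: custom fragments live under /etc/e-smith/templates-custom,
# mirroring the stock /etc/e-smith/templates tree named in the thread.
write_port_fragment() {
    port="$1"
    dir="$ROOT/etc/e-smith/templates-custom/etc/proftpd.conf"
    mkdir -p "$dir"
    printf 'Port %s\n' "$port" > "$dir/05port"
    printf '%s\n' "$dir/05port"
}

# Re-expand the template and re-run the remoteaccess event, but only on a
# real SME host where those commands exist (never against a scratch ROOT).
apply_on_sme() {
    [ "$ROOT" = "/" ] || return 0
    command -v expand-template >/dev/null 2>&1 || return 0
    expand-template /etc/proftpd.conf
    signal-event remoteaccess-update
}

# Print the Port directive found in a proftpd.conf (0 when none is set).
conf_port() {
    awk 'tolower($1) == "port" { p = $2 } END { print (p == "" ? 0 : p) }' "$1"
}

# Succeed when an iptables-save style rule set ACCEPTs TCP to the port.
firewall_allows() {
    grep -Eq -- "-p tcp .*--dport $2( |\$).*-j ACCEPT" "$1"
}

# Combined check: config on the wanted port and firewall open for it.
# This is the check that distinguishes "firewall opened 680" from
# "proftpd actually listens on 680".
verify_ftp_port() {
    port="$1" conf="$2" rules="$3"
    actual="$(conf_port "$conf")"
    if [ "$actual" != "$port" ]; then
        echo "proftpd.conf Port is $actual, expected $port" >&2
        return 1
    fi
    if ! firewall_allows "$rules" "$port"; then
        echo "no ACCEPT rule for tcp/$port in $rules" >&2
        return 1
    fi
    echo "ok: proftpd on tcp/$port and firewall open"
}

# --- Constructed sample data standing in for the expanded proftpd.conf and
# for iptables-save output after signal-event remoteaccess-update. ---
DEMO_CONF="$ROOT/proftpd.conf"
DEMO_RULES="$ROOT/iptables-save.txt"
printf 'ServerName "SME FTP"\nPort 680\nPassivePorts 60000 60100\n' > "$DEMO_CONF"
printf '%s\n' \
    '-A INPUT -p tcp -m tcp --dport 680 -j ACCEPT' \
    '-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT' > "$DEMO_RULES"

write_port_fragment 680
apply_on_sme
verify_ftp_port 680 "$DEMO_CONF" "$DEMO_RULES"
```

On a real host, replace the constructed files with /etc/proftpd.conf and the output of iptables-save, and note that the check only covers the control port: if the server is reachable only in PASV mode, the PassivePorts range has to be opened in the firewall as well, which is the NAT caveat raised above.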
-
What happens if you just use port forwarding to forward traffic from port A to port 21, and port A-1 to port 20 (for example 2221 -> localhost:21; 2220 -> localhost:2220)?
-
Should work - that is my current non-optimal solution.
From a security point of view it escalates the incoming FTP traffic from an external IP to an internal one. In this way, the FTP server thinks that the connection is from a user on the internal network.
From a practical point of view, this probably doesn't matter as long as you have a publicly accessible FTP server.
The problem with this setup is that you need to put your SME server into "Server and Gateway" mode which is only possible if you have more than one network interface card in your server. In "Server only" mode, port forwarding is not allowed through the server manager and manual changes to the iptables rules will be overwritten by the e-smith updates...
-
kny
> In "Server only" mode, port forwarding is not allowed through the server manager
This is really a choice of how you set up your network.
Install a second NIC & change your sme server setup to "server & gateway" mode. Your sme then acts as gateway/firewall/DHCP server and your router functions should be disabled and the router configured for bridged mode (assuming it's also a modem), then port forwarding (& opening) can be done directly on sme (to the sme's firewall).
This is likely to be a more secure approach too, as your sme firewall rules & the kernel are kept up to date with new releases/patches whereas your router becomes less secure over time with the original firmware (older kernel version etc).
A re-read of the manual may be useful too.
> ...manual changes to the iptables rules will be overwritten by the e-smith updates...
Server only mode does have some basic firewall rules (it didn't in earlier versions). ALL changes, including firewall iptables rule tweaking, should be done using custom templates, or where appropriate using db commands when catered for by the existing base code, as these will survive upgrades, reboots & reconfiguration.
Read the developers guide for information & worked examples, although you will need to work out which template fragment to change and what code to use. You can test suitable commands at the command prompt, but they won't survive reboots etc. Then commit that code to a custom template. Look at the masq templates for adjusting the firewall.
http://wiki.contribs.org/SME_Server:Documentation:Developers_Manual
http://mirror.contribs.org/smeserver/contribs//gordonr/devguide/devguide.pdf
-
Thanks a lot for your reply. I have already studied the Dev. guide, but hoped there was a simpler way around it than using templates.
Sorry for my rather harsh reply to your bug comment :oops: , but it cut off at a quite bad place ;-)
I have submitted a feature request on Bugzilla for not removing the firewall management in server-only mode, or alternatively not limiting server-only mode to multi-NIC servers.
-
> From a security point of view it escalates the incoming FTP traffic from an external IP to an internal one.
No it doesn't. Port forwarding doesn't change the source address of inbound connections.
-
If your SME is in server-only mode then you must have a router or firewall between it and the Internet -- just move the port-redirect instructions to that device if it will do port redirection (Most Linksys firmware won't, but the custom code available usually will, for example, allow you to send port 2121 -> SME:21 and port 2120 -> SME:20)?