Re: [twsocket] PASV fallback to public IP

2010-10-06 Thread Kristof Gajsek
Date: Wed, 8 Sep 2010 12:03:34 +0200
From: Kristof Gajsek 
Subject: Re: [twsocket] PASV fallback to public IP
To: twsocket@elists.org

>>I have a nagging feeling that NAT address manipulation may only happen
>>with FTP clients, if it fails then people use passive mode.

>This issue happens in passive mode. When FTP client sends PASV command it
>gets a response which contains private IP address...

>>Adding the same feature as FileZilla FTP client is not hard, since the
>>server public IP address is available from the socket.  Doing the same on
>>an FTP server is much harder, and really needs a public STUN server (as
>>used for SIP for the same reason).

>... so I guess only replacing IP address given by server in response to
>PASV with the public one (the one used to connect to the FTP server) should do
>the trick (at least in this case). This does not need to be automatic or
>fancy, I guess something like a property OverridePASVIP would be OK - it
>would force ICS to use server IP plus port given in PASV response.

I've resolved this issue by adding an OverridePASVIP property, and it
appears to work with the client who reported it. I'm attaching the patch.

Best regards
Kristof
--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be

Re: [twsocket] PASV fallback to public IP

2010-09-08 Thread Arno Garrels
Angus Robertson - Magenta Systems Ltd wrote:
>>> Or simply:
>>> echo $_SERVER['REMOTE_ADDR'];
> 
> This still needs to be running on a public server somewhere!
> I don't have PHP on mine.
> 
>> BTW: The NAT trouble will stop with IPv6.
> 
> And introduce lots of new problems instead.  My new Sonicwall passes
> IPv6, but does not process it.

No problem with FritzBox, it blocks IPv6 unless I explicitly
unblock certain IPs. I currently use a free SixXS tunnel with 
Heartbeat support (http://www.sixXS.net) and got my own subnet,
FritzBox handles this fine as well, no additional software 
required.

-- 
Arno Garrels


Re: [twsocket] PASV fallback to public IP

2010-09-08 Thread Angus Robertson - Magenta Systems Ltd
>> I have a nagging feeling that NAT address manipulation may only 
>> happen with FTP clients, if it fails then people use passive mode.
> 
> This issue happens in passive mode. When FTP client sends PASV 
> command it gets a response which contains private IP address...

Irrelevant, we are talking about two NAT routers here, the client is
almost certainly behind a NAT router using a private IP, and the server
is behind a second NAT router.  In an ideal world, both routers would be
changing the private IP to public IPs, and FTP would just work.  Using
passive mode gets around the client NAT router, but not the server NAT
router.  

My first example is the ICS FTP client behind a NAT router, accessing an
ICS FTP server on a public IP.  The client sends a port command with a
private IP: 

00:08:07  Downloading File: /info-2010-09-07.txt 
00:08:07  > PORT 192,168,1,119,236,41
00:08:07  < 200 Port command successful.

but the server receives the command with the public IP and the same port,
because it's been translated by the client NAT router.  

00:08:06 angussha1 [217.146.115.81] [288] < PORT 217,146,115,81,236,41
00:08:06 angussha1 [217.146.115.81] [288] > 200 Port command successful.

I'm not using passive mode, because the NAT router is working properly
and manipulating the control channel.  Note it can not do this with SSL
due to encryption which is why passive mode is needed. 

My second example is accessing the ICS FTP server behind a NAT router,
from an ICS FTP client on the public server.  Non passive mode works
immediately, because there is no NAT. With the client in passive mode,
it gets this response from the FTP server behind NAT with the public IP:

> PASV
< 227 Entering Passive Mode (217,146,115,84,82,9).

but the server actually sent a private IP, which has been modified by the
NAT router:

12:46:30 angusadmin [217.146.102.131] [11] < PASV 
12:46:30 angusadmin [217.146.102.131] [11] > 227 Entering Passive Mode
(192,168,1,63,82,9).

So my original hypothesis that an FTP server behind a proper NAT router
will work without needing any special commands or manipulation in the
client or server is correct.  I'm using a Sonicwall TZ200 router and
firewall.  However I've not yet tested FTP behind two NAT routers. 

If anyone wants to test against the latest ICS FTP server either on the
public or NAT address, please email and I'll give you logins.  

Angus





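The two log pairs above show a NAT router rewriting the private address in a PORT command and in a 227 reply while leaving the port alone. The following is an added example, not ICS code and not anything from the Sonicwall: a small Python simulation of that control-channel rewrite, fed the address tuples from Angus's logs as constructed input. It also returns the data port the router must map to the inside host, and passes a TLS record through untouched, which is why the rewrite cannot happen on an SSL control channel. The names INSIDE_CLIENT, INSIDE_SERVER, alg_rewrite and the public addresses used as parameters are my assumptions.

```python
import ipaddress
import re

# Constructed from the log excerpts quoted in the message above: the inside
# (private) host in each example, as it appears before the router rewrites it.
INSIDE_CLIENT = "192.168.1.119"   # first example: ICS client behind the NAT router
INSIDE_SERVER = "192.168.1.63"    # second example: ICS server behind the NAT router

# h1,h2,h3,h4,p1,p2 as used by PORT (RFC 959 4.1.2) and the 227 reply.
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Find the first h1,h2,h3,h4,p1,p2 tuple in text.

    Returns (IPv4Address, port, (start, end)) or None if absent or malformed.
    """
    m = HOSTPORT_RE.search(text)
    if m is None:
        return None
    vals = [int(x) for x in m.groups()]
    if max(vals) > 255:
        return None
    h1, h2, h3, h4, p1, p2 = vals
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2, m.span()


def format_hostport(addr, port):
    """Inverse of parse_hostport: 217.146.115.81, 60457 -> '217,146,115,81,236,41'."""
    return f"{str(addr).replace('.', ',')},{port // 256},{port % 256}"


def alg_rewrite(line, inside_addr, public_addr):
    """Pass one control-channel line through a simulated FTP ALG.

    Only a cleartext PORT command or 227 reply that names inside_addr is
    rewritten; every other line (replies, other commands, TLS records)
    passes through unchanged. Returns (line_out, data_port): data_port is
    the port the NAT must forward to inside_addr so the data connection
    arrives, or None when nothing was rewritten.
    """
    upper = line.upper()
    if not (upper.startswith("PORT ") or upper.startswith("227 ")):
        return line, None
    parsed = parse_hostport(line)
    if parsed is None:
        return line, None
    addr, port, (start, end) = parsed
    if addr != ipaddress.IPv4Address(inside_addr):
        return line, None          # some other host; not ours to rewrite
    public = ipaddress.IPv4Address(public_addr)
    rewritten = line[:start] + format_hostport(public, port) + line[end:]
    return rewritten, port


if __name__ == "__main__":
    samples = [
        ("PORT 192,168,1,119,236,41", INSIDE_CLIENT, "217.146.115.81"),
        ("227 Entering Passive Mode (192,168,1,63,82,9).", INSIDE_SERVER, "217.146.115.84"),
        # constructed: a TLS application-data record on an FTPS control
        # channel; the ALG sees only ciphertext and cannot rewrite it
        ("\x17\x03\x03\x00\x2a...ciphertext...", INSIDE_SERVER, "217.146.115.84"),
    ]
    for line, inside, public in samples:
        out, mapped = alg_rewrite(line, inside, public)
        print(f"{line!r:52} -> {out!r}  map port: {mapped}")
```

Running it prints the rewritten PORT and 227 lines exactly as they appear in the second log of each example, with data ports 60457 and 21001 to map, and leaves the TLS record alone.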


Re: [twsocket] PASV fallback to public IP

2010-09-08 Thread Fastream Technologies
If it is all the NAT to blame, how could NAT devices translate the FTPS PASV
responses?

SZ

On Wed, Sep 8, 2010 at 1:03 PM, Kristof Gajsek wrote:

> >I have a nagging feeling that NAT address manipulation may only happen
> >with FTP clients, if it fails then people use passive mode.
>
> This issue happens in passive mode. When FTP client sends PASV command it
> gets a response which contains private IP address...
>
> >Adding the same feature as FileZilla FTP client is not hard, since the
> >server public IP address is available from the socket.  Doing the same on
> >an FTP server is much harder, and really needs a public STUN server (as
> >used for SIP for the same reason).
>
> ... so I guess only replacing IP address given by server in response to
> PASV with the public one (the one used to connect to the FTP server) should do
> the trick (at least in this case). This does not need to be automatic or
> fancy, I guess something like a property OverridePASVIP would be OK - it
> would force ICS to use server IP plus port given in PASV response.
>
> Best regards
> Kristof


Re: [twsocket] PASV fallback to public IP

2010-09-08 Thread Kristof Gajsek
>I have a nagging feeling that NAT address manipulation may only happen
>with FTP clients, if it fails then people use passive mode.

This issue happens in passive mode. When FTP client sends PASV command it
gets a response which contains private IP address...

>Adding the same feature as FileZilla FTP client is not hard, since the
>server public IP address is available from the socket.  Doing the same on
>an FTP server is much harder, and really needs a public STUN server (as
>used for SIP for the same reason).

... so I guess only replacing IP address given by server in response to PASV
with the public one (the one used to connect to the FTP server) should do
the trick (at least in this case). This does not need to be automatic or
fancy, I guess something like a property OverridePASVIP would be OK - it
would force ICS to use server IP plus port given in PASV response.

Best regards
Kristof


Re: [twsocket] PASV fallback to public IP

2010-09-07 Thread Angus Robertson - Magenta Systems Ltd
> > Or simply:
> > echo $_SERVER['REMOTE_ADDR'];

This still needs to be running on a public server somewhere!
I don't have PHP on mine. 

> BTW: The NAT trouble will stop with IPv6.

And introduce lots of new problems instead.  My new Sonicwall passes IPv6,
but does not process it.

Angus 



Re: [twsocket] PASV fallback to public IP

2010-09-07 Thread Arno Garrels
Arno Garrels wrote:
> Angus Robertson - Magenta Systems Ltd wrote:
> 
>> Doing the
>> same on an FTP server is much harder, and really needs a public STUN
>> server (as used for SIP for the same reason).
> 
> Or simply:
> 
>  echo $_SERVER['REMOTE_ADDR'];

BTW: The NAT trouble will stop with IPv6.

-- 
Arno Garrels

 


Re: [twsocket] PASV fallback to public IP

2010-09-07 Thread Arno Garrels
Angus Robertson - Magenta Systems Ltd wrote:
 
> Doing the
> same on an FTP server is much harder, and really needs a public STUN
> server (as used for SIP for the same reason).

Or simply:

 echo $_SERVER['REMOTE_ADDR'];

-- 
Arno Garrels 


Re: [twsocket] PASV fallback to public IP

2010-09-07 Thread Angus Robertson - Magenta Systems Ltd
> This issue was reported by one of my users, who later determined 
> the cause
> by himself, so I have no such public server available. I will ask 
> if this is
> a public server that can be checked. I guess in his case replacing 
> private
> with public IP may work, since FileZilla works, however I agree 
> that fixing
> NAT router would be a better option.

I have a nagging feeling that NAT address manipulation may only happen
with FTP clients, if it fails then people use passive mode.  

I have one ICS FTP server behind a NAT router, another without NAT, so
I'll do a test myself later in the week to confirm how much manipulation
of the control channel is done by the router, if any. 

Adding the same feature as FileZilla FTP client is not hard, since the
server public IP address is available from the socket.  Doing the same on
an FTP server is much harder, and really needs a public STUN server (as
used for SIP for the same reason).  

Angus





Re: [twsocket] PASV fallback to public IP

2010-09-07 Thread Kristof Gajsek
>...
>Do you have a specific example of a live public server returning a
>private IP that we can test?  It will be very difficult to set-up, since
>it needs a crappy NAT router.

Thanks for the explanation, Angus.

This issue was reported by one of my users, who later determined the cause
by himself, so I have no such public server available. I will ask if this is
a public server that can be checked. I guess in his case replacing private
with public IP may work, since FileZilla works, however I agree that fixing
NAT router would be a better option.

Best regards
Kristof


Re: [twsocket] PASV fallback to public IP

2010-09-07 Thread Dave Baxter
 

> -Original Message-
> From: Angus Robertson - Magenta Systems Ltd 
> [mailto:an...@magsys.co.uk] 
> Sent: 07 September 2010 09:47
> To: twsocket@elists.org
> Subject: Re: [twsocket] PASV fallback to public IP
> 
> 
> > Some FTP servers return wrong IP for PASV command (private 
> instead of 
> > public). In such cases, obviously, FTP component can't 
> connect to the 
> > server.
> 
> This is not really an FTP server issue, but a poorly designed 
> NAT router that has not replaced the private IP address with 
> a public IP. 
>  
> > Filezilla is smart enough to detect this and switch to public IP,
> > instead:
> 
> Detecting the wrong address is easy, but whether replacing it 
> with a public address will do anything useful is more 
> debatable since the NAT router may not know which private IP 
> address is the intended destination of the incoming TCP connection.  
> 
> NAT routers have to be designed to understand the FTP 
> protocol, and parse the control channel for private IP 
> addresses and forward connections appropriately.  Normally 
> this is all hidden and you never know it's happening.  
> 
> Do you have a specific example of a live public server 
> returning a private IP that we can test?  It will be very 
> difficult to set-up, since it needs a crappy NAT router. 
> 
> Angus
> 

As a FileZilla client and server user of some years.

Servers that return a Private (LAN) IP in a Passive Mode parameter
value, are probably misconfigured by their owners, rather than any
deficiency in the routers used.

F'Zilla can only "detect" your WAN IP, if you point it to a suitable
external site/service that will report back your WAN IP.  Sadly, not all
of them do it in a way F'Zilla can reliably handle.   You could use a
local to you service, that in turn polls your router setup pages to find
the WAN IP currently in use, but every router is different.

If you have a dynamic WAN IP as most home users do, you can use an
external service such as DynDns so you can have a regular "domain name"
whose resolved IP follows your actual IP as it changes from time to time
(with a short delay...)

Then, in F'Zilla (and I guess in any ICS created server) you can find
your outside (WAN) IP, by doing a DNS query on yourself (in FZ, you put
your domain name in the Passive Mode Settings dialog, "Use the following
IP" field) that in turn will return your current WAN IP address, that is
then used as part of the client Passive mode setup protocol.

Or, you ask your ISP for a fixed IP account.  :)

The only thing you need to do to any routers in line, is make sure that
their port forwarding rules are setup, so that *All* the FTP Data
port(s) you use, are passed to the machine on your LAN that is running
the server.   The client of course, does not need to make any such
adjustments, they only ever initiate outgoing connections, so no port
forwarding needs to be done.

Regards.

Dave B.


Re: [twsocket] PASV fallback to public IP

2010-09-07 Thread Angus Robertson - Magenta Systems Ltd

> Some FTP servers return wrong IP for PASV command (private instead 
> of public). In such cases, obviously, FTP component can't connect to 
> the server.

This is not really an FTP server issue, but a poorly designed NAT router
that has not replaced the private IP address with a public IP. 
 
> Filezilla is smart enough to detect this and switch to public IP, 
> instead:

Detecting the wrong address is easy, but whether replacing it with a
public address will do anything useful is more debatable since the NAT
router may not know which private IP address is the intended destination
of the incoming TCP connection.  

NAT routers have to be designed to understand the FTP protocol, and parse
the control channel for private IP addresses and forward connections
appropriately.  Normally this is all hidden and you never know it's
happening.  

Do you have a specific example of a live public server returning a
private IP that we can test?  It will be very difficult to set-up, since
it needs a crappy NAT router. 

Angus



[twsocket] PASV fallback to public IP

2010-09-07 Thread Kristof Gajsek
Some FTP servers return wrong IP for PASV command (private instead of
public). In such cases, obviously, FTP component can't connect to the
server.

Filezilla is smart enough to detect this and switch to public IP, instead:

...
Command:TYPE I
Response:   200 Type set to I.
Command:PASV
Response:   227 Entering Passive Mode (192,168,*,*,114,78).
Status: Server sent passive reply with unroutable address. Using
server address instead.
Command:LIST
Response:   150 File status okay; about to open data connection.
...

Is it possible to achieve this with ICS?

Best regards
Kristof
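The FileZilla log above shows the client-side decision: parse the 227 reply, notice that the advertised address is unroutable from where the client sits, and connect the data channel to the address the control connection is already using. The following is an added example, not ICS or FileZilla code, that implements that decision in Python and also models the OverridePASVIP property proposed elsewhere in this thread, which forces the server address regardless of what the 227 reply says. The 227 reply strings and peer addresses are constructed sample values (the page's own example has its octets masked), and choose_data_endpoint, DataEndpoint, is_unroutable and the override_pasv_ip parameter are names I have assumed.

```python
import ipaddress
import re
from dataclasses import dataclass

# h1,h2,h3,h4,p1,p2 inside a 227 reply (RFC 959 4.1.2); text before the
# tuple varies between servers, so only the leading code is anchored.
PASV_RE = re.compile(r"^227\b.*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass
class DataEndpoint:
    host: str    # address the client will open the data connection to
    port: int
    reason: str  # why that address was chosen; logged like FileZilla's Status line


def is_unroutable(addr: ipaddress.IPv4Address) -> bool:
    """True for addresses a client on the public Internet cannot reach directly:
    RFC 1918 private, loopback, link-local, multicast, reserved and 0.0.0.0."""
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def choose_data_endpoint(reply: str, control_peer_ip: str,
                         override_pasv_ip: bool = False) -> DataEndpoint:
    """Decide where the data connection goes after a 227 reply.

    control_peer_ip is the address the control connection was made to; it is
    the only address the client knows for certain is reachable.
    """
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError(f"not a parseable 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in 227 reply")
    port = p1 * 256 + p2
    if port == 0:
        raise ValueError("server advertised data port 0")
    advertised = ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}")

    if override_pasv_ip:
        # Kristof's proposed property: always the server's address, port from the reply.
        return DataEndpoint(control_peer_ip, port,
                            "OverridePASVIP set; using server address with port from 227")
    if is_unroutable(advertised):
        # FileZilla's behaviour from the log in the message above.
        return DataEndpoint(control_peer_ip, port,
                            "server sent passive reply with unroutable address; "
                            "using server address instead")
    return DataEndpoint(str(advertised), port, "using address advertised in 227")


if __name__ == "__main__":
    # Constructed sample session: the server is reached at 217.146.115.84,
    # but its 227 reply leaks the LAN address behind a NAT router.
    peer = "217.146.115.84"
    for reply, override in [
        ("227 Entering Passive Mode (192,168,1,63,114,78).", False),
        ("227 Entering Passive Mode (217,146,115,84,82,9).", False),
        ("227 Entering Passive Mode (217,146,115,84,82,9).", True),
    ]:
        ep = choose_data_endpoint(reply, peer, override_pasv_ip=override)
        print(f"Response:   {reply}")
        print(f"Status:     {ep.reason} -> connect data channel to {ep.host}:{ep.port}")
```

The private-address check is what FileZilla's "unroutable address" status corresponds to; the override flag is the cruder but predictable behaviour Kristof asked for, and is the right tool when the server is known to be behind a router that does not rewrite the control channel.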