search

delfer / docker-alpine-ftp-server

Small and flexible docker image with vsftpd server
191 stars 131 forks source link

passive ports in control connection do not match configuration #9

Closed andreworg closed 4 years ago

andreworg commented 4 years ago

I am looking at a quite strange issue.

I am running with the default config (PASV ports 21000-21010). My firewall configuration matches docker and daemon configuration.

Passive mode is not working; connections are timing out. I realized that the passive ports communicated by the control connection do not match the daemon configuration:

227 Entering Passive Mode (<my,public,ip,address>,141,112).
ftp: connect: Connection timed out

n.b. the port is broken up in two 8 bit integers, so the above means port 36208 (141 * 256 + 112 = 36208)

Funny thing is the daemon configuration looks OK; the server actually starts listening to a port in the correct range:

/ # netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
tcp        0      0 172.17.0.2:21006        0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN

This is happening on different clients.

Only thing I can think of is a bug in the software...

/ # vsftpd -v
vsftpd: version 3.0.3
delfer commented 4 years ago

@andreworg it is very strange. I have tested server with different FTP clients, including ftp (GNU inetutils), Filezilla and Browsers (Chrome, Firefox). Lets check again! (I'am on Manjaro Linux)

# docker pull delfer/alpine-ftp-server
Using default tag: latest
latest: Pulling from delfer/alpine-ftp-server
Digest: sha256:8a0b04d6cb092de9878894e860eb6fc95d16cbb75962335bee9cceadb5c39b9e
Status: Image is up to date for delfer/alpine-ftp-server:latest
docker.io/delfer/alpine-ftp-server:latest

# docker inspect delfer/alpine-ftp-server | grep Created                                                                                        
        "Created": "2019-11-04T19:50:07.997860858Z",

# docker run -ti --rm delfer/alpine-ftp-server vsftpd -v
vsftpd: version 3.0.3

# docker run -d \                                                                                                                                  
            -p 21:21 \                                                                                                                                                
            -p 21000-21010:21000-21010 \                                                                                                            
            -e USERS="one|1234" \                                                                                                                          
            -e ADDRESS=192.168.1.2 \                                                                                                              
            delfer/alpine-ftp-server                                                                                                                    
186c7548ee1318eba308e4fddeac0cd12a96b47c2b9ea19f3e006a6d74c1836c

# ftp -V                                                                                                                                           
ftp (GNU inetutils) 1.9.4
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by many authors.

# ftp --debug --trace --verbose --passive 192.168.1.2 21                                                                                      
Connected to 192.168.1.2.
220 Welcome Alpine ftp server https://hub.docker.com/r/delfer/alpine-ftp-server/
Name (192.168.200.6:delfer): one
---> USER one
331 Please specify the password.
Password: 
---> PASS XXXX
230 Login successful.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
---> PASV
227 Entering Passive Mode (192,168,200,6,82,17).
---> LIST
150 Here comes the directory listing.
226 Directory send OK.
ftp>

Everything is fine. 82*256+17=21009 May be use used all available ports? Try to extend port range. Or may be your public IP's port 21 points to another FTP service.

andreworg commented 4 years ago

Docker image matches. You left out the output of vsftpd -v, but obviously this also should match. I'm far from using all ports. Just doing tests by myself. Also, see from my logs how the daemon started listening on port 21006; this was taken right after the server issued 227 Entering Passive Mode (<my,public,ip,address>,141,112).. Absolutely no doubt the public IP points to the right FTP service. Only thing I can think of at the moment is that the server-side firewall is mangling the control connection - even if I cannot see any good reason for this. I will try to enable full session logging on vsftpd to check what's being sent out.

delfer commented 4 years ago

@andreworg can you repeat all my command in your deployment and share the same complex output?

delfer commented 4 years ago

Close in case of inactivity.