Difference between revisions of "Ftp"

From SME Server
Jump to navigationJump to search
 
(3 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{WIP box|}}
+
In short SME uses port 21 for FTP. Default mode used is passive. To use it you will need a custom template and enabling ports (PassivePort  https://bugs.koozali.org/show_bug.cgi?id=12454). Starting SME10, ftp default  is to use explicit TLS over ftp (FTPs explicite) Easy filezilla connexion to SME would use url with FTPES://.{{WIP box|}}
  
SME Server offers a ftp server, which is Proftpd. If enabled it  allows you to access to the Pirmary ibay files folder with anonymous access, and to any content your user is allowed to, if authenticated, inside /home/e-smith/files.
+
SME Server offers a ftp server, which is Proftpd. If enabled it  allows you to access to the Primary ibay files folder with anonymous access, and to any content your user is allowed, if authenticated, inside /home/e-smith/files.
  
Prior to SME 10 ftp was using cleat text communication ('''FTP'''), allowing one to listen to your password and files exchanged on the network. Now TLS is enforced by default ('''FTPs'''), and it is suggested to keep it enabled.
+
Prior to SME 10 ftp was using cleat text communication ('''FTP'''), allowing one to listen to your password and files exchanged on the network. Now TLS is enforced by default ('''FTPs'''), and it is suggested that you keep it enabled.
  
While you might be used to the traditional port 21 for file transfer protocol ('''FTP'''), this page is here to help you having a steady access to your ftp server, by understanding it, and enabling the extra needed ports.
+
While you may be used to the traditional port 21 for file transfer protocol ('''FTP'''), this page is here to help you have steady access to your ftp server, by understanding it, and enabling the extra needed ports.
  
 
Your server is using  
 
Your server is using  
Line 12: Line 12:
  
 
== FTP connection modes : active versus passive ==
 
== FTP connection modes : active versus passive ==
SME by default offers both active and passive mode when you are on LAN. However, as soon as you try to access from a  remote location you will hist some difficulties depending on the situation.
+
SME by default offers both active and passive mode when you are on LAN. However, as soon as you try to access from a  remote location you will have some difficulties depending on the situation.
  
By default for passive connection Proftpd will use ports from 1024 and up, which means that you must forward ''all'' ports 1024-65535 from the NAT to the FTP server!  And you have to allow many (possibly) dangerous ports in your fire-walling rules!  Not a good situation.
+
By default, for passive connectionProftpd will use ports from 1024 and up, which means that you must forward ''all'' ports 1024-65535 from the NAT to the FTP server!  And you have to allow many (possibly) dangerous ports in your fire-walling rules!  Not a good situation.
  
==== the modes ====
+
==== The Modes ====
  
 
===== active =====
 
===== active =====
Line 34: Line 34:
 
* FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)
 
* FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)
  
==== examples ====
+
 
 +
note port 20 does not need to be open inward on SME, as it is only used to send from SME, however if you have a restrictive firewall between Internet and SME limiting outgoing connection you need to open port 20 to be able to do active ftp. http://www.proftpd.org/docs/howto/AWS.html
 +
 
 +
==== Examples ====
  
 
===== SME is server-gateway connected to Internet - Client is remote behind a NAT =====
 
===== SME is server-gateway connected to Internet - Client is remote behind a NAT =====
Line 44: Line 47:
 
Active mode will not work because the NAT will mostly hide the client port.
 
Active mode will not work because the NAT will mostly hide the client port.
  
Passive mode will need to use the <code>PassivePorts</code> directive in your <code>proftpd.conf</code> to control what ports <code>proftpd</code> will use for its passive data transfers, and you will need to open those port in your SME firewall and in your firewall between you SME and Internet. You will also need a template custom to add MasqueradeAddress (http://www.proftpd.org/docs/modules/mod_core.html#MasqueradeAddress).
+
Passive mode will need to use the <code>PassivePorts</code> directive in your <code>proftpd.conf</code> to control what ports <code>proftpd</code> will use for its passive data transfers, and you will need to open those port in your SME firewall and in your firewall between you SME and Internet. You might also need a template custom to add MasqueradeAddress (http://www.proftpd.org/docs/modules/mod_core.html#MasqueradeAddress).
  
 
===== SME is server-gateway connected to Internet - Client is remote directly connected to the Internet =====
 
===== SME is server-gateway connected to Internet - Client is remote directly connected to the Internet =====
Active mode will not work because the NAT will mostly hide the client port.
+
Active mode will work.
  
 
Passive mode will need to use the <code>PassivePorts</code> directive in your <code>proftpd.conf</code> to control what ports <code>proftpd</code> will use for its passive data transfers, and you will need to open those port in your SME firewall.
 
Passive mode will need to use the <code>PassivePorts</code> directive in your <code>proftpd.conf</code> to control what ports <code>proftpd</code> will use for its passive data transfers, and you will need to open those port in your SME firewall.
Line 54: Line 57:
 
'''SME 10 and above uses explicit SSL mode for FTPs''' over port 21 only and does not need port 990. <u>The client must explicitly request for SSL/TLS to be able to go on</u>.
 
'''SME 10 and above uses explicit SSL mode for FTPs''' over port 21 only and does not need port 990. <u>The client must explicitly request for SSL/TLS to be able to go on</u>.
  
FTPS (FTP over TLS) is served up in two incompatible modes. If using explicit FTPS, the client connects to the normal FTP port and explicitly switches into secure (TLS) mode with "AUTH TLS", whereas implicit FTPS is an older style service that assumes TLS mode right from the start of the connection (and normally listens on TCP port 990, rather than 21). In a FileZilla client this means prefixing the host with "FTPES://" to connect an  "explicit" FTPS server, or "FTPS://" for the legacy "implicit" server (for which you will likely also need to set the port to 990).
+
FTPS (FTP over TLS) is served up in two incompatible modes. If using explicit FTPS, the client connects to the normal FTP port and explicitly switches into secure (TLS) mode with "AUTH TLS", whereas implicit FTPS is an older style service that assumes TLS mode right from the start of the connection (and normally listens on TCP port 990, rather than 21).  
 +
 
 +
In a FileZilla client this means prefixing the host with "FTPES://" to connect an  "explicit" FTPS server, or "FTPS://" for the legacy "implicit" server (for which you will likely also need to set the port to 990).
  
 
== FTP configuration options in SME ==
 
== FTP configuration options in SME ==
Line 105: Line 110:
 
== TODO ==
 
== TODO ==
  
* template to use PassivePort 44900:44950
+
[https://bugs.koozali.org/show_bug.cgi?id=12454 PassivePorts support bug]
 +
 
 +
* template to use PassivePort 49200:49999 https://bugs.koozali.org/show_bug.cgi?id=12454
 
* template to add those ports in the the SME Firewall
 
* template to add those ports in the the SME Firewall
* template to add port 20
 
 
* http://www.proftpd.org/docs/modules/mod_core.html#MasqueradeAddress Virtualhost vs Class see http://www.proftpd.org/docs/howto/NAT.html
 
* http://www.proftpd.org/docs/modules/mod_core.html#MasqueradeAddress Virtualhost vs Class see http://www.proftpd.org/docs/howto/NAT.html
 
* http://www.proftpd.org/docs/howto/FXP.html
 
* http://www.proftpd.org/docs/howto/FXP.html
 +
 +
===Bug report===
 +
Proftpd is listed in the [https://bugs.koozali.org/enter_bug.cgi?product=SME%20Server%2010.X bugtracker server] section.
 +
 +
Please report all bugs, new feature requests and documentation issues there.
 +
 +
Current bugs:
 +
 +
https://bugs.koozali.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=CONFIRMED&bug_status=NEEDINFO&bug_status=IN_PROGRESS&bug_status=RESOLVED&f1=cf_package&list_id=102854&o1=equals&query_format=advanced&resolution=---&v1=e-smith-proftpd
 +
  
 
== Sources ==
 
== Sources ==

Latest revision as of 20:26, 2 February 2024

In short SME uses port 21 for FTP. Default mode used is passive. To use it you will need a custom template and enabling ports (PassivePort https://bugs.koozali.org/show_bug.cgi?id=12454). Starting SME10, ftp default is to use explicit TLS over ftp (FTPs explicite) Easy filezilla connexion to SME would use url with FTPES://.

Warning.png Work in Progress:
This page is a Work in Progress. The contents off this page may be in flux, please have a look at this page history the to see list of changes.


SME Server offers a ftp server, which is Proftpd. If enabled it allows you to access to the Primary ibay files folder with anonymous access, and to any content your user is allowed, if authenticated, inside /home/e-smith/files.

Prior to SME 10 ftp was using cleat text communication (FTP), allowing one to listen to your password and files exchanged on the network. Now TLS is enforced by default (FTPs), and it is suggested that you keep it enabled.

While you may be used to the traditional port 21 for file transfer protocol (FTP), this page is here to help you have steady access to your ftp server, by understanding it, and enabling the extra needed ports.

Your server is using

Do not confuse sFTP, which is part of ssh protocol and uses port 22, with FTPs which is the regular ftp protocol over port 21 using a layer of SSL/TLS encryption.

FTP connection modes : active versus passive

SME by default offers both active and passive mode when you are on LAN. However, as soon as you try to access from a remote location you will have some difficulties depending on the situation.

By default, for passive connection, Proftpd will use ports from 1024 and up, which means that you must forward all ports 1024-65535 from the NAT to the FTP server! And you have to allow many (possibly) dangerous ports in your fire-walling rules! Not a good situation.

The Modes

active

From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened (http://slacksite.com/other/ftp.html):

  • FTP server's port 21 from anywhere (Client initiates connection)
  • FTP server's port 21 to ports > 1024 (Server responds to client's control port)
  • FTP server's port 20 to ports > 1024 (Server initiates data connection to client's data port)
  • FTP server's port 20 from ports > 1024 (Client sends ACKs to server's data port)
passive

From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened (http://slacksite.com/other/ftp.html):

  • FTP server's port 21 from anywhere (Client initiates connection)
  • FTP server's port 21 to ports > 1024 (Server responds to client's control port)
  • FTP server's ports > 1024 from anywhere (Client initiates data connection to random port specified by server)
  • FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)


note port 20 does not need to be open inward on SME, as it is only used to send from SME, however if you have a restrictive firewall between Internet and SME limiting outgoing connection you need to open port 20 to be able to do active ftp. http://www.proftpd.org/docs/howto/AWS.html

Examples

SME is server-gateway connected to Internet - Client is remote behind a NAT

Active mode will not work because the NAT will mostly hide the client port.

Passive mode will need to use the PassivePorts directive in your proftpd.conf to control what ports proftpd will use for its passive data transfers, and you will need to open those port in your SME firewall.

SME is server-gateway behind a firewall / NAT to Internet - Client is remote behind a NAT

Active mode will not work because the NAT will mostly hide the client port.

Passive mode will need to use the PassivePorts directive in your proftpd.conf to control what ports proftpd will use for its passive data transfers, and you will need to open those port in your SME firewall and in your firewall between you SME and Internet. You might also need a template custom to add MasqueradeAddress (http://www.proftpd.org/docs/modules/mod_core.html#MasqueradeAddress).

SME is server-gateway connected to Internet - Client is remote directly connected to the Internet

Active mode will work.

Passive mode will need to use the PassivePorts directive in your proftpd.conf to control what ports proftpd will use for its passive data transfers, and you will need to open those port in your SME firewall.

SSL mode: Explicit SSL versus Implicit SSL

SME 10 and above uses explicit SSL mode for FTPs over port 21 only and does not need port 990. The client must explicitly request for SSL/TLS to be able to go on.

FTPS (FTP over TLS) is served up in two incompatible modes. If using explicit FTPS, the client connects to the normal FTP port and explicitly switches into secure (TLS) mode with "AUTH TLS", whereas implicit FTPS is an older style service that assumes TLS mode right from the start of the connection (and normally listens on TCP port 990, rather than 21).

In a FileZilla client this means prefixing the host with "FTPES://" to connect an "explicit" FTPS server, or "FTPS://" for the legacy "implicit" server (for which you will likely also need to set the port to 990).

FTP configuration options in SME

configuration db
key Property default
ftp access private
TCPPort 21
ChrootDir
TLSEnable on
TLSRequired on
TLSVerifyClient off
LoginAccess private
DisableAnonymous no
status disabled
account db for ibay type
Property default
PublicAccess none
DisableAnonymous no

TODO

PassivePorts support bug

Bug report

Proftpd is listed in the bugtracker server section.

Please report all bugs, new feature requests and documentation issues there.

Current bugs:

https://bugs.koozali.org/buglist.cgi?bug_status=UNCONFIRMED&bug_status=CONFIRMED&bug_status=NEEDINFO&bug_status=IN_PROGRESS&bug_status=RESOLVED&f1=cf_package&list_id=102854&o1=equals&query_format=advanced&resolution=---&v1=e-smith-proftpd


Sources