Problems with ftp and firewall

Mac Elite
Join Date: Jan 2001
Location: L.A., CA
Status: Offline
OK folks. Let's see if you can help sort out what seems like a simple ftp annoyance I've been having.
I have a Mac (10.2.5) at home that acts as a little server for me, doing afp, http, etc. As this Mac is in the closet, physical access to it is a pain. So I generally access it from my desktop, which is connected via ethernet. My problem is that I can't seem to d/l anything from my server via ftp w/o turning off my client (desktop) firewall, or starting ftp serving on my client, which I don't want to do. I can connect, but not receive anything so it just hangs. I've tried opening up ports 20 and 21 in the client firewall but that doesn't work.
What ports do I have to open on the client to make this work?
FYI both machines have their own static IP - I've tried different ftp clients (at least the GUI ones) and changing the passive ftp settings doesn't seem to change anything.
Thanks all. I'm sure someone here can point me in the right direction.

Mac Elite
Join Date: Jan 2001
Location: L.A., CA
Status: Offline
No takers huh?
Well, it looks like others have been having problems also. Seems OS X doesn't handle ftp client or server well.
I'm still holding out hope that I don't have to setup a third party ftp server though.

Dedicated MacNNer
Join Date: Jan 2001
Location: Montréal, QC
Status: Offline
Hi JB
I've had a hard time trying to fix a chroot problem, and have learnt that Jaguar's ftp daemon is buggy. I have replaced it with another one I've found (I know it was stupid, but did not have time to re-compile it myself from source). It was just to restrict the users to their home directory. It worked.
Here's the link. So before you try anything else, try backing up your current ftpd and changing the ftpd with this one (or re-compile for yourself) and see if it works. From your static IP comment I presume you're using a router, no? If so, forwarding port 21 on router configuration to the server might help (from your router configuration, go to Port Forwarding... For details, do not hesitate to contact me.)
http://www.chezludo.com/ftpchroot.html
This one is in French, hope it helps too:
http://www.xrings.net/xrings/article.php3?id_article=52
Please get back here when you solve your problem so we'll know you solved it and how.


Clinically Insane
Join Date: Apr 2000
Status: Offline
Originally posted by JB72:
No takers huh?
Well, it looks like others have been having problems also. Seems OS X doesn't handle ftp client or server well.
I'm still holding out hope that I don't have to setup a third party ftp server though.
I've had zero luck with it.
Apple's FTPD is shoddy, and their use of ipfw is shoddy too.
Could you just manually add an allow rule to the firewall? Will that help?
Do you get -36 errors?

Mac Elite
Join Date: Jan 2001
Location: L.A., CA
Status: Offline
First of all, a big thanks to Musti and Cipher13 for joining in my unglamorous struggle.
I just got home from visiting the parents for Easter, so I haven't had a chance to attack this problem again as of yet. I recently got the Apache bug so I'm doing a lot of seat-of-the-pants learning with regards to server related stuff. Hopefully I can look into some of these solutions tonight or tomorrow.
I've had a hard time trying to fix a chroot problem, and have learnt that Jaguar's ftp daemon is buggy. I have replaced it with another one I've found
It looks like I'm headed in that same direction.
It was just to restrict the users to their home directory. It worked.
That's actually another problem I've been having that I forgot to even mention. Oh man...
This one is in French, hope it helps too
Oh geez I wish! That language never liked me, although God knows I tried to master it.
Please get back here when you solve your problem so we'll know you solved it and how.
Will do. I think that link you gave me is going to do the trick. I'm also considering ProFTPd mentioned at afp548, although I see myself screwing that up.
I've had zero luck with it.
Apple's FTPD is shoddy, and their use of ipfw is shoddy too.
/agree
I'm really surprised with Darwin et al. Plus it's not like FTP is some newfangled protocol.
Could you just manually add an allow rule to the firewall? Will that help?
That's an option too. Although I tried via the prefs > firewall to add 20-21 and it didn't seem to work. I suppose this looks more like a CLI solution huh?
Basically I can log in. I get the whole logged in message stuff fine. But it just hangs when I try to get a list of files. Weird.
Thanks again. If I can't solve this problem the proper way, I just might go graphical. That I can understand...


Clinically Insane
Join Date: Apr 2000
Status: Offline
I tried ProFTPD, and had no luck with it either. FTP and I just don't go together, it would seem.
Well, it seems like you're logging in fine, which means communication over port 21 is fine; it's the data port that seems not to be doing anything.
It just seems that the OSX firewall is blocking the data port, but not the connect port. Bloody stupid.
Try booting with the firewall ON, and leave it on, then enter this into the terminal:
sudo ipfw add 65432 pass log tcp from any 1024-65535 to any 49152-65535
sudo ipfw add 65433 pass log tcp from any to any 21 in recv ${oif} setup keep-state
See if that helps... it should allow passive and active ftp connections. Been a long time since I needed to do that, mind you; they could be wrong. If they don't help:
sudo ipfw delete 65433
sudo ipfw delete 65432
I hate ftp.
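The first rule above, modelled in Python as an added example that is not code from the thread or from ipfw itself. It parses only the subset of ipfw syntax the posted commands use, evaluates a few constructed connection attempts against the posted rule 65432, and lists which inbound TCP ports that rule opens on the client. The "allow all outbound" rule numbered 2000 is a constructed stand-in for the Jaguar firewall's own built-in rule set, which is not reproduced here, and the sample port numbers are assumptions.

```python
"""Toy model of ipfw rule evaluation for the rule posted above (added example;
the subset of syntax handled is: number, pass/deny, optional 'log', protocol,
'from <addr> [ports]', 'to <addr> [ports]', optional 'in'/'out')."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # None means "any port"


@dataclass
class Rule:
    number: int
    action: str               # "pass" or "deny"
    proto: str                # "tcp", "udp" or "ip" (ip matches everything)
    src_ports: PortRange
    dst_ports: PortRange
    direction: Optional[str]  # "in", "out" or None for either


@dataclass
class Packet:
    proto: str
    src_port: int
    dst_port: int
    direction: str            # "in" = arriving at the client, "out" = leaving it


def parse_ports(token: str) -> Tuple[int, int]:
    """'49152-65535' -> (49152, 65535); '21' -> (21, 21)."""
    lo, _, hi = token.partition("-")
    return int(lo), int(hi or lo)


def parse_rule(text: str) -> Rule:
    """Parse one 'ipfw add ...' command line (a leading 'sudo' is ignored)."""
    tokens = text.split()
    if tokens and tokens[0] == "sudo":
        tokens = tokens[1:]
    if tokens[:2] != ["ipfw", "add"]:
        raise ValueError("expected 'ipfw add ...': %r" % text)
    number, action = int(tokens[2]), tokens[3]
    i = 4
    if tokens[i] == "log":        # logging does not affect what matches
        i += 1
    proto = tokens[i]
    i += 1

    def endpoint(keyword: str) -> PortRange:
        nonlocal i
        if tokens[i] != keyword:
            raise ValueError("expected %r, got %r" % (keyword, tokens[i]))
        i += 2                    # skip the keyword and the address ('any' here)
        if i < len(tokens) and tokens[i] not in ("to", "in", "out"):
            ports = parse_ports(tokens[i])
            i += 1
            return ports
        return None

    src_ports = endpoint("from")
    dst_ports = endpoint("to")
    direction = tokens[i] if i < len(tokens) and tokens[i] in ("in", "out") else None
    return Rule(number, action, proto, src_ports, dst_ports, direction)


def _in_range(port: int, rng: PortRange) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and _in_range(pkt.src_port, rule.src_ports)
            and _in_range(pkt.dst_port, rule.dst_ports)
            and rule.direction in (None, pkt.direction))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """ipfw semantics: rules are tried in ascending number and the first match
    decides; rule 65535 always exists and denies everything."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action, rule.number
    return "deny", 65535


def inbound_allowed_ports(rules: List[Rule], src_port: int = 1025) -> List[int]:
    """Every TCP port a remote host (dialling from src_port) can reach on the
    client: the exposure the rule creates."""
    return [p for p in range(1, 65536)
            if evaluate(rules, Packet("tcp", src_port, p, "in"))[0] == "pass"]


RULES = [
    # constructed stand-in for the built-in "let outbound connections out" rule
    parse_rule("ipfw add 2000 pass tcp from any to any out"),
    # the rule from the post, exactly as written
    parse_rule("sudo ipfw add 65432 pass log tcp from any 1024-65535 to any 49152-65535"),
    parse_rule("ipfw add 65535 deny ip from any to any"),
]

if __name__ == "__main__":
    samples = {
        "control connection out to port 21": Packet("tcp", 50000, 21, "out"),
        "active-mode data from a high server port": Packet("tcp", 1025, 50000, "in"),
        "active-mode data from server port 20": Packet("tcp", 20, 50000, "in"),
        "unrelated inbound connection to 8080": Packet("tcp", 1025, 8080, "in"),
    }
    for label, pkt in samples.items():
        print("%-42s -> %s (rule %d)" % ((label,) + evaluate(RULES, pkt)))
    print("inbound TCP ports reachable from any host:", len(inbound_allowed_ports(RULES)))
```

Two things the model makes visible. The rule matches on a source port range of 1024-65535, so a server that opens the active-mode data connection from the privileged port 20 (the RFC 959 default) is not matched by it and falls through to the deny; whether a given ftpd does that is a property of the server, not of the rule. And the last line counts 16384 ports: anything that happens to listen in 49152-65535 on the client is now reachable from any host, which is the concrete meaning of the "opens up a lot of ports" answer later in the thread.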

Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline

Clinically Insane
Join Date: Apr 2000
Status: Offline
Originally posted by besson3c:
why not use sftp?
Yeah, not a bad idea...
FTP sucks, and it's also completely insecure (one reason I don't use it). SFTP fixes that, at least...

Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
For me, I love my SSH access... if you are like me then typing the extra letter ("s") is going to equate to far less hassle than dealing with FTP.
What I don't understand is that everybody was so adamant and rah rah about not using telnet because text is sent in the clear. This is the same with ftp... why does ftp still exist? Telnet is pretty scarce nowadays....

Clinically Insane
Join Date: Apr 2000
Status: Offline
Originally posted by besson3c:
For me, I love my SSH access... if you are like me then typing the extra letter ("s") is going to equate to far less hassle than dealing with FTP.
What I don't understand is that everybody was so adamant and rah rah about not using telnet because text is sent in the clear. This is the same with ftp... why does ftp still exist? Telnet is pretty scarce nowadays....
Agreed, completely... I use ssh and scp... does everything I want it to.
For a situation where some may use ftp to serve files to others, I just use http. So much easier/more secure. As for receiving files, well, I use KDX, but that might not be an option, I guess.

Mac Elite
Join Date: Jan 2001
Location: L.A., CA
Status: Offline
So far I've only got a chance to play with this:
http://www.chezludo.com/ftpchroot.html
The good news is that it was easy to install. The bad news is that it didn't help my ipfw client problem. And my users can still roam around freely outside their user dirs. I haven't been able to test to see if it cured the permission problem with uploaded user files.
The battle continues...

Clinically Insane
Join Date: Apr 2000
Status: Offline
Originally posted by JB72:
So far I've only got a chance to play with this:
The good news is that it was easy to install. The bad news is that it didn't help my ipfw client problem. And my users can still roam around freely outside their user dirs. I haven't been able to test to see if it cured the permission problem with uploaded user files.
The battle continues...
Did you enter those ipfw rules?

Mac Elite
Join Date: Jan 2001
Location: L.A., CA
Status: Offline
ipfw add 65432 pass log tcp from any 1024-65535 to any 49152-65535
ipfw add 65433 pass log tcp from any to any 21 in recv ${oif} setup keep-state
The second command, it didn't like variable "oif." The first one did the trick though. However, my sys pref > firewall doesn't like me anymore. And what kind of security risk does that ipfw open up?

Clinically Insane
Join Date: Apr 2000
Status: Offline
Originally posted by JB72:
The second command, it didn't like variable "oif." The first one did the trick though. However, my sys pref > firewall doesn't like me anymore. And what kind of security risk does that ipfw open up?
Didn't like it? Well, as long as it liked the other one, sweet.
Well, it opens up a shitload of ports. As long as there are no services running on them, though, that doesn't matter. Not many services run from 49152 to 65535 anyway. It's also all logged.
I wouldn't be so concerned about that as I would about the security of the ftpd itself... (I'd never run it, personally)

Mac Elite
Join Date: Jan 2001
Location: L.A., CA
Status: Offline
Originally posted by besson3c:
why not use sftp?
Yeh I'm not going to do FTP now. How do I get sftp server going?
[edit] OK I realize now that enabling ssh on OS X.2 also enables the sftp client. Sweetness.
Now what do I have to configure to keep non-admin clients confined to their home directories?
(Last edited by JB72; Apr 24, 2003 at 04:17 AM.)

Mac Elite
Join Date: Jan 2001
Location: L.A., CA
Status: Offline
Originally posted by JB72:
Now what do I have to configure to keep non-admin clients confined to their home directories?
Anyone? ... Anyone? ...
Is there a config file for sftp?

Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
sftp is a component of SSH. Whatever you can see/access over an SSH login, you should be able to also see/access over an SFTP login.
Non-admin users won't be able to do anything outside of their home directory. They may be able to get a directory listing, but that's about it. They certainly wouldn't be able to access your home directory. If you are concerned about them going through your Applications directory and copying stuff, you could set the permissions to deny read access to this group.
I'm a bit confused as to exactly what you are trying to do....

Mac Elite
Join Date: Aug 2001
Location: Capitol City
Status: Offline
All this time I've been using SFTP, because I knew it didn't send my password in cleartext, but I never knew it was using SSH to do it. Sweetness. I just thought the OS X FTPD was advanced, but it turns out that it suX0rz!!1

Mac Elite
Join Date: Jan 2001
Location: L.A., CA
Status: Offline
Originally posted by besson3c:
sftp is a component of SSH. Whatever you can see/access over an SSH login, you should be able to also see/access over an SFTP login.
Non-admin users won't be able to do anything outside of their home directory. They may be able to get a directory listing, but that's about it. They certainly wouldn't be able to access your home directory. If you are concerned about them going through your Applications directory and copying stuff, you could set the permissions to deny read access to this group.
I'm a bit confused as to exactly what you are trying to do....
I need guests to be able to u/l to the machine, mostly into their sites directories.
I realize that, assuming my permissions aren't wacky, they have read only access to the rest of the drive, but that's not good enough for me. I'd rather have everything outside their home dirs inaccessible. Surely there has to be a way to do this through ssh/sftp config.

Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
Well, they *need* read access to some directories outside of their home. For instance, the sftp binaries, and probably stuff in /System.
You could start changing the permissions of things but you'd be asking for trouble.
It sounds like the best way to do what you are describing is not to setup FTP/sFTP access at all, but provide them with WebDAV mount points ala iDisk. This way, there would be no physical access to anything outside of the mount point.

Mac Elite
Join Date: Jan 2001
Location: L.A., CA
Status: Offline
Originally posted by besson3c:
Well, they *need* read access to some directories outside of their home. For instance, the sftp binaries, and probably stuff in /System.
I suppose that's true. However, isn't that the way a multi-user system works? Aren't there cases of being restricted to certain areas, directories, while still gaining the function of a lower directory system?
You could start changing the permissions of things but you'd be asking for trouble.
I agree. I'm not going to go that far.
It sounds like the best way to do what you are describing is not to setup FTP/sFTP access at all, but provide them with WebDAV mount points ala iDisk.
WebDAV would be cool. I'm looking into how hard it would be to setup with proper SSL. This jedit plugin seems particularly useful.
FTP is off. I'll keep ssh/sftp, as it seems to work pretty well for my own admin duties. It would be nice to replace user sftp with DAV though.


Clinically Insane
Join Date: Mar 2001
Location: yes
Status: Offline
I've done the whole WebDAV thing, it works pretty well (although it has its quirks).
You can secure WebDAV via mod_auth_digest authentication in Apache. You can download this Apache module precompiled for OS X somewhere (can't remember this URL).
Setting up WebDAV is very easy with Mac OS X Server, but it can also be done without and on other unix distributions.

Mac Elite
Join Date: Jan 2001
Location: L.A., CA
Status: Offline
Originally posted by besson3c:
I've done the whole WebDAV thing, it works pretty well (although it has its quirks).
You can secure WebDAV via mod_auth_digest authentication in Apache. You can download this Apache module precompiled for OS X somewhere (can't remember this URL).
Oh yeh. I remember reading that ssl isn't the preferred security for dav.
Well I think WebDAV is my next project. As soon as I can get sendmail working better.

Dedicated MacNNer
Join Date: Oct 1999
Status: Offline
Guys,
The reason that FTP won't work through your firewall is simple. It's FTP. FTP never works very well through a firewall.
A little protocol background is necessary. First, FTP always has 2 connections going. The first is the control connection, that's what it uses to pass back your "user" and "pass" and "ls" and "cd" commands to the FTP server with. The second connection is the data connection, which is where you run into problems.
I quote from ISS:
"Normal FTP uses a "command" connection for sending commands from client to server. When a client downloads a file, the server opens a TCP connection back to the client in order to transfer the data.
In a normal firewall environment, the firewall allows all outgoing TCP connections from clients to servers, and blocks all incoming connections (that might be hackers trying to break into machines). This FTP mode of creating an inbound connection causes problems. One solution is to use smarter firewalls. Another solution has been to use an alternate mode in FTP called "PASV", where the client initiates the data connection. "
So, your answer is passive mode. With passive mode, it's the _client_ that contacts the server for the data connection, not the server coming back to contact the client. When initiating a data connection in NON-passive mode, the client opens a new port on the local side at a random address < 65535, and the _server_ connects back in to the client. Now any intelligent firewall will block this, and indeed OS X's built in firewall is configured to block all incoming connections except those you explicitly tell it not to. But it allows all outgoing connections by default.
So, when you use passive mode, the _server_ opens the data socket and the client then connects to the server, which should be allowed by OS X's built-in firewall. So the solution is to use passive mode. It's a command in the ftp client.
Dan
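The two data-connection modes described in the post above, worked through as an added Python example that is not part of the thread: it builds the PORT command a client sends in active mode, parses the server's 227 reply in passive mode, and applies the client-side policy described above (outbound allowed, unsolicited inbound blocked) to each. The IP addresses, ports and reply text are constructed sample values, and the check that the PASV host matches the server the control connection already talks to is a client-side sanity check added here, not something the post mentions.

```python
"""Who opens the FTP data connection in active vs passive mode, and what a
client firewall that blocks unsolicited inbound TCP does with it (added example;
all addresses, ports and replies are constructed)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class DataConnection:
    mode: str        # "active" (PORT) or "passive" (PASV)
    initiator: str   # which side opens the TCP connection: "client" or "server"
    host: str        # where the initiator connects to
    port: int


def port_command(client_ip: str, client_port: int) -> str:
    """The PORT command a client sends in active mode: RFC 959 form
    h1,h2,h3,h4,p1,p2 with the port split into two bytes."""
    octets = client_ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not an IPv4 address: %r" % client_ip)
    if not 0 < client_port < 65536:
        raise ValueError("port out of range: %d" % client_port)
    return "PORT %s,%d,%d" % (",".join(octets), client_port // 256, client_port % 256)


_PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Parse the server's 227 reply to PASV into (host, port)."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        raise ValueError("byte out of range in PASV reply: %r" % reply)
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


def pasv_points_at(reply: str, server_ip: str) -> bool:
    """True when the 227 reply names the server we opened the control connection
    to; a reply naming some other host should not be followed."""
    return parse_pasv(reply)[0] == server_ip


def plan_data_connection(mode: str, client_ip: str, client_port: int,
                         server_ip: str, pasv_reply: Optional[str] = None) -> DataConnection:
    """Work out who connects to whom for the transfer in the given mode."""
    if mode == "active":
        # client listens on client_port; the server dials back in (from port 20 by default)
        return DataConnection("active", "server", client_ip, client_port)
    if mode == "passive":
        if pasv_reply is None or not pasv_points_at(pasv_reply, server_ip):
            raise ValueError("PASV reply missing or not pointing at %s" % server_ip)
        host, port = parse_pasv(pasv_reply)
        return DataConnection("passive", "client", host, port)
    raise ValueError("unknown mode %r" % mode)


def client_firewall_allows(conn: DataConnection) -> bool:
    """The client-side policy from the post: connections the client opens go
    out; anything the client did not initiate is blocked at the door."""
    return conn.initiator == "client"


if __name__ == "__main__":
    client, server = "192.168.1.10", "192.168.1.5"          # constructed addresses
    print("active mode, client announces:", port_command(client, 50000))
    scenarios = (("active", None),
                 ("passive", "227 Entering Passive Mode (192,168,1,5,200,10)"))
    for mode, reply in scenarios:
        conn = plan_data_connection(mode, client, 50000, server, reply)
        print("%-7s data connection: %s connects to %s:%d -> %s" % (
            mode, conn.initiator, conn.host, conn.port,
            "allowed" if client_firewall_allows(conn) else "blocked"))
```

Under that policy only the passive-mode transfer gets through, which is the argument the post makes; if passive mode still hangs on a given client, the policy in force there is something other than plain "allow out, block in", and the actual rule set (ipfw list) is the thing to look at rather than the ftp client settings.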

Mac Elite
Join Date: Jan 2001
Location: L.A., CA
Status: Offline
Originally posted by normyzo:
So, your answer is passive mode.
That doesn't make any difference either. From the original post:
and changing the passive ftp settings don't seem to change anything.
Thanks for the info though. 