Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PASV not fun :) #5

Closed
kluthen opened this issue Jan 4, 2015 · 17 comments
Closed

PASV not fun :) #5

kluthen opened this issue Jan 4, 2015 · 17 comments

Comments

@kluthen
Copy link
Contributor

kluthen commented Jan 4, 2015

I opened the docker for some friend which in turn had a nice problem ... (whereas I used the ftp with a simple ftp command ... )

Test log
Status: Resolving address of ******
Status: Connecting to ******
Warning: The entered address does not resolve to an IPv6 address.
Status: Connected, waiting for welcome message...
Reply: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Reply: 220-You are user number 2 of 30 allowed.
Reply: 220-Local time is now 20:48. Server port: 21.
Reply: 220-This is a private system - No anonymous login
Reply: 220-IPv6 connections are also welcome on this server.
Reply: 220 You will be disconnected after 15 minutes of inactivity.
Command: CLNT https://ftptest.net on behalf of ******
Reply: 530 You aren't logged in
Command: USER ******
Reply: 331 User ****** OK. Password required
Command: PASS ********************************
Reply: 230 OK. Current directory is /
Command: SYST
Reply: 215 UNIX Type: L8
Command: FEAT
Reply: 211-Extensions supported:
Reply: EPRT
Reply: IDLE
Reply: MDTM
Reply: SIZE
Reply: MFMT
Reply: REST STREAM
Reply: MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Reply: MLSD
Reply: AUTH TLS
Reply: PBSZ
Reply: PROT
Reply: UTF8
Reply: TVFS
Reply: ESTA
Reply: PASV
Reply: EPSV
Reply: SPSV
Reply: ESTP
Reply: 211 End.
Command: PWD
Reply: 257 "/" is your current location
Status: Current path is /
Command: TYPE I
Reply: 200 TYPE is now 8-bit binary
Command: PASV
Reply: 227 Entering Passive Mode (172,17,0,124,95,104)
Error: Server returned unroutable private IP address in PASV reply


Results
Error: Server returned unroutable private IP address in PASV reply
Make sure the server is configured to allow passive mode connections.
If the server is behind a NAT router, make sure the server knows its external IP address.
The range of ports used for passive mode must be opened in all involved firewalls.
The range of ports used for passive mode must be forwarded by all involved NAT routers.
Try uninstalling all firewalls and plug your computer directly into your modem, thus bypassing the router.

From what I understand of docker this might become troublesome to resolve won't it ? :p I dont know how to enter in passive mode with ftp command ... when I hit passive, it work nice enough... but i guess it fails back to active if passive doesn't work ... so maybe i simply dont get notified.

Any idea ? Guess i'll simply have to ask my friend to go on active if it's possible

@stilliard
Copy link
Owner

Lol yer, this could be interesting with docker networking, but i can have a play later passing -P when starting pure-ftpd

@stilliard
Copy link
Owner

Hi @kluthen, I've just been testing this and atm i can't seem to reproduce this yet.
Were you using the ftp command in the terminal, or via an ftp client like filezilla?
Either way, could you send either the ftp command that will reproduce this error, or the setup used in the ftp client? Thanks

@kluthen
Copy link
Contributor Author

kluthen commented Jan 8, 2015

My friend used FileZilla. I used some ftp test website to point out the problem. From my server I can only work in active mode. + I ve got some problem because I was mounting volume where the user should do his ftp work. That shouldn't be linked anyway.

I m not able to find the website right now ... I m at work. I'll give it a look asap.

And it s true that I haven't dig too much with -p options for that kind of networking problem ...

Barcaioni Bastien

Le 8 janv. 2015 à 09:30, Andrew Stilliard notifications@github.com a écrit :

I've just been testing this and atm i can't seem to reproduce this yet.
Were you using the ftp command in the terminal, or via an ftp client like filezilla?
Either way, could you send either the ftp command that will reproduce this error, or the setup used in the ftp client? Thanks


Reply to this email directly or view it on GitHub.

@leonletto
Copy link

I had this issue too. Here are the steps I used to fix my install ( your install may be a little different.)

I git pulled the repository to my server.
I edited the Dockerfile to change the last two lines:

BEFORE:
startup
CMD /usr/sbin/pure-ftpd -c 30 -C 1 -l puredb:/etc/pure-ftpd/pureftpd.pdb -x -E -j -R
EXPOSE 21/tcp

AFTER:
EXPOSE 20 21 30000 30001 30002 30003 30004 30005 30006 30007 30008 30009
startup
CMD /usr/sbin/pure-ftpd -P 1.2.3.4 -p 30000:30009 -O CLF:/var/log/pure-ftpd/transfer.log -l puredb:/etc/pure-ftpd/pureftpd.pdb -x -E -j
#(1.2.3.4 is my servers public ip)

This exposes enough ports to enable PASV connections and configures the pure-ftpd process to accept PASV on those ports.

Then I edited the Makefile:

BEFORE:
run:
sudo docker run -i -t -p 21:21 wheezy-pure-ftp-demo

AFTER:
run:
sudo docker run -d --name ftpd_server -i -t -p 20:20 -p 21:21 -p 30000:30000 -p 30001:30001 -p 30002:30002 -p 30003:30003 -p 30004:30004 -p 30005:30005 -p 30006:30006 -p 30007:30007 -p 30008:30008 -p 30009:30009 wheezy-pure-ftp-demo

This added the name and tells docker (manually) to map the ports through with NAT.

So then you run "make build" and then "make run". If build does not run the first time, ctrl-c it and try again (weird but my build went into a loop and just cancelling and restarting made it work).

Next follow the Readme.md after "Operating it" (login and create users) and you should be good to go.

I'm not sure how much of this (if any) Andrew can add to the build but I hope it helps someone.

Sorry about my misguided previous post :p

Leon

@stilliard
Copy link
Owner

Hi @leonletto, thanks for all this, sorry i've been so slow responding, i'll review these changes soon, hopefully we can get all this working in this standard build 👍
In fact, if you'd like to make a pull request with these changes in, i can test and accept it, else later i'll try and make time for testing the above.

@finestructure
Copy link

Just to add my 2 cents - this fixed it for me, too. I added the following to the Dockerfile:

ENV PUBLICHOST ftp.foo.com
EXPOSE 21 30000-30009
CMD /usr/sbin/pure-ftpd -c 50 -C 10 -l puredb:/etc/pure-ftpd/pureftpd.pdb -E -j -R -P $PUBLICHOST -p 30000:30009

And changed the Makefile:

run: kill
    sudo docker run -d --name ftpd_server -p 21:21 -p 30000-30009:30000-30009 wheezy-pure-ftp-demo

@atelles
Copy link

atelles commented Sep 27, 2015

I had the same issue while running this image in a Mac (via Docker Toolbox), which uses a VirtualBox VM to run the docker daemon.

@feinstruktur solution worked perfectly for this scenario.

@lahuman
Copy link

lahuman commented Oct 14, 2015

Thanks a lot!

@stilliard
Copy link
Owner

@feinstruktur Thanks that looks good, sorry my replies have been slow here.
If someone would like to put together a pull request i'd be happy to quickly test and merge it in.
Else i should be able to work on this myself soon.

@stilliard
Copy link
Owner

Hi all,
I believe this is now fixed thanks to @1tush ref the pull request #9
Please let me know if there are any issues with this, thank you.

@schmaluk
Copy link

schmaluk commented Jun 24, 2016

Hello, having a FTP-server in docker container. the data port is exposed to the host. But I cannot access the ftp server with the browser. Should the docker container be able to reach the host for PASV?
If Im running the container in network_mode: "host", everything works fine. Does this work as well with the default bridge mode?

@ViktorBarzin
Copy link

ViktorBarzin commented Jul 25, 2017

2017 UPDATE

As of 26 July 2017, following the build steps works. However you MUST change the PUBLICHOST of the container to the ip address of the host. Leaving it to localhost makes it accessible only from the docker host which is probably not what you want. My docker host is at 192.168.168.102 so my run command looks like
... PUBLICHOST=192.168.168.102 ...

@choma
Copy link

choma commented Feb 3, 2018

@ViktorBarzin for me, it won't work if I set PUBLICHOST=<HOST_IP>, but it will work if I set PUBLICHOST=<CONTAINER_IP>, which I know before it's created, since I'm setting it with ipv4_address. So I have something like:

  ftp:
    build:
      context: ./dockerfiles
      dockerfile: my-dockerfile
    image: my_ftp
    ports:
      - 21
      - 30000-30009
    environment:
      PUBLICHOST: 1.2.3.4
    volumes:
      - ./ftp:/home/ftpusers/
    networks:
      my-net:
        ipv4_address: 1.2.3.4

@ViktorBarzin
Copy link

@choma Yes because you have set the container in its own network with different address.
The issue you have is probably because you point the client to your host ip which in term forwards the traffic to 1.2.3.4 .
This does not work unless you need to point your client directly to 1.2.3.4

If you tell me more about your setup I may be able to help you more :)

@choma
Copy link

choma commented Feb 3, 2018

@ViktorBarzin, thanks for the quick reply. In fact, I'm happy with my current setup, and just commenting in case someone else find it useful.

My use case is this: I'm testing a software that uploads files to a domain that I can't change. So I add that domain to my hosts file and point it to 1.2.3.4, and then set that IP to the pure-ftp container.

Maybe there is a better configuration, but this one just works. :)

@ViktorBarzin
Copy link

@choma Yes in your case setting PUBLICHOST=<CONTAINER_IP> would work. However if you try to use the ftp container from another machine in the hosts network you would have issues.

I had 2 physical hosts - one running the ftp container and the other one running the client and I had to point it to my hosts address.

@luckydonald
Copy link

Shouldn't PUBLICHOST=0.0.0.0 make it accessible on every IP from any network?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

10 participants