
openerp-india team mailing list archive

[Bug 627670] Re: FTP passive ports should be a range, not two separate ports

 

** Description changed:

- In the document module, the ftp_server_passive_ports option is defined
- as two numbers separated by a colon. This should be interpreted as a
- range of port numbers, but it is interpreted as two separate numbers.
+ The document_ftp module contains a configuration setting
+ ftp_server_passive_ports that takes two numbers separated by a colon.
+ This should be interpreted as a range of port numbers, but it is
+ interpreted as two separate numbers.
  
- For example: if I specify ftp_server_passive_ports=5000:5003, I expect
- the ports 5000, 5001, 5002, and 5003 to be used. Instead, only 5000 and
- 5003 are used.
+ Background:
+ When you install the document_ftp module, it uses 8022 as the main FTP connection port, and it will choose extra port numbers at random for FTP clients that use passive ports. These random port numbers cause problems with firewall rules, because you don't want to allow connections to all ports through the firewall.
+ Luckily, there is a configuration setting called ftp_server_passive_ports that takes two numbers separated by a colon. This should be interpreted as a range of port numbers for the FTP server to use as passive ports, but it is interpreted as just two port numbers.
+ For example: if I specify ftp_server_passive_ports=5000:5003, I expect the ports 5000, 5001, 5002, and 5003 to be used. Instead, only 5000 and 5003 are used.
  
  This is a problem because all the FTP clients I have tried open a new
  passive port for every request. This means that I can only make two
  requests before I run out of assigned passive ports, and the server
- starts using random ports.
+ starts using random ports that aren't allowed through the firewall.
  
  The fix is really easy, just use the range function to generate a list
  of all the port numbers to use. The only trick is to make sure that you
  include the end port in the range. I'll attach a merge proposal.
  
- I'm using OpenERP 5.0.12 on Ubuntu 10.04.
+ Steps to reproduce:
+ I'm running on Ubuntu 11.10, so the configuration commands may be slightly different on other systems.
+ 1. Install the document_ftp module on the OpenERP server, and add the following settings to the configuration file:
+ ftp_server_host = 0.0.0.0
+ ftp_server_port = 9022
+ ftp_server_passive_ports = 16384:16639
+ 2. Restart the server and log in to a database through your regular client. The FTP server doesn't start up until the first log in request.
+ 3. Make sure the server's firewall is on and has most ports blocked. Allow TCP connections to port 9022 and the range 16384 to 16639. This is the command I used:
+ sudo ufw allow proto tcp from any to any port 9022,16384:16639
+ 4. Check the server's IP address using ifconfig. For this example, we'll use 192.168.1.100.
+ 5. Go to another computer on your network and connect to the FTP service. Make sure your FTP client uses passive connections. This is the command I used:
+ ftp -p 192.168.1.100 9022
+ 6. It should ask for your username and password. If not, you've got other connection problems. Enter your username and password.
+ 7. Enter the ls command three times. 
+ 
+ Expected behaviour: Each ls command should display a list of your
+ databases.
+ 
+ Actual behaviour:
+ ftp> ls
+ 227 Entering passive mode (192,168,1,100,64,0).
+ 125 Data connection already open. Transfer starting.
+ dr-xr-x---   1 root     root            0 Jan 01 00:00 blank60
+ dr-xr-x---   1 root     root            0 Jan 01 00:00 demo61
+ dr-xr-x---   1 root     root            0 Jan 01 00:00 migrationc
+ 226 Transfer complete.
+ ftp> ls
+ 227 Entering passive mode (192,168,1,100,64,255).
+ 125 Data connection already open. Transfer starting.
+ dr-xr-x---   1 root     root            0 Jan 01 00:00 blank60
+ dr-xr-x---   1 root     root            0 Jan 01 00:00 demo61
+ dr-xr-x---   1 root     root            0 Jan 01 00:00 migrationc
+ 226 Transfer complete.
+ ftp> ls
+ 227 Entering passive mode (192,168,1,100,173,241).
+ [freezes here]
+ 
+ The numbers after the passive mode message represent the IP address and
+ the port. Converting the last two numbers into a sixteen bit integer
+ gives the values 16384, 16639, and 44529. You can see that it uses the
+ two ports specified in the configuration file and then starts picking
+ ports at random.
+ 
+ This bug was originally found in the document module of OpenERP 5.0.12
+ on Ubuntu 10.04. It's now in the document_ftp module of OpenERP 6.1 on
+ Ubuntu 11.10.

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/627670

Title:
  FTP passive ports should be a range, not two separate ports

Status in OpenERP Addons (modules):
  Confirmed
Status in OpenERP Addons 5.0 series:
  Triaged
Status in OpenERP Addons trunk series:
  Confirmed

Bug description:
  The document_ftp module contains a configuration setting
  ftp_server_passive_ports that takes two numbers separated by a colon.
  This should be interpreted as a range of port numbers, but it is
  interpreted as two separate numbers.

  Background:
  When you install the document_ftp module, it uses 8022 as the main FTP connection port, and it will choose extra port numbers at random for FTP clients that use passive ports. These random port numbers cause problems with firewall rules, because you don't want to allow connections to all ports through the firewall.
  Luckily, there is a configuration setting called ftp_server_passive_ports that takes two numbers separated by a colon. This should be interpreted as a range of port numbers for the FTP server to use as passive ports, but it is interpreted as just two port numbers.
  For example: if I specify ftp_server_passive_ports=5000:5003, I expect the ports 5000, 5001, 5002, and 5003 to be used. Instead, only 5000 and 5003 are used.

  This is a problem because all the FTP clients I have tried open a new
  passive port for every request. This means that I can only make two
  requests before I run out of assigned passive ports, and the server
  starts using random ports that aren't allowed through the firewall.

  The fix is really easy, just use the range function to generate a list
  of all the port numbers to use. The only trick is to make sure that
  you include the end port in the range. I'll attach a merge proposal.

  Steps to reproduce:
  I'm running on Ubuntu 11.10, so the configuration commands may be slightly different on other systems.
  1. Install the document_ftp module on the OpenERP server, and add the following settings to the configuration file:
  ftp_server_host = 0.0.0.0
  ftp_server_port = 9022
  ftp_server_passive_ports = 16384:16639
  2. Restart the server and log in to a database through your regular client. The FTP server doesn't start up until the first log in request.
  3. Make sure the server's firewall is on and has most ports blocked. Allow TCP connections to port 9022 and the range 16384 to 16639. This is the command I used:
  sudo ufw allow proto tcp from any to any port 9022,16384:16639
  4. Check the server's IP address using ifconfig. For this example, we'll use 192.168.1.100.
  5. Go to another computer on your network and connect to the FTP service. Make sure your FTP client uses passive connections. This is the command I used:
  ftp -p 192.168.1.100 9022
  6. It should ask for your username and password. If not, you've got other connection problems. Enter your username and password.
  7. Enter the ls command three times. 

  Expected behaviour: Each ls command should display a list of your
  databases.

  Actual behaviour:
  ftp> ls
  227 Entering passive mode (192,168,1,100,64,0).
  125 Data connection already open. Transfer starting.
  dr-xr-x---   1 root     root            0 Jan 01 00:00 blank60
  dr-xr-x---   1 root     root            0 Jan 01 00:00 demo61
  dr-xr-x---   1 root     root            0 Jan 01 00:00 migrationc
  226 Transfer complete.
  ftp> ls
  227 Entering passive mode (192,168,1,100,64,255).
  125 Data connection already open. Transfer starting.
  dr-xr-x---   1 root     root            0 Jan 01 00:00 blank60
  dr-xr-x---   1 root     root            0 Jan 01 00:00 demo61
  dr-xr-x---   1 root     root            0 Jan 01 00:00 migrationc
  226 Transfer complete.
  ftp> ls
  227 Entering passive mode (192,168,1,100,173,241).
  [freezes here]

  The numbers after the passive mode message represent the IP address
  and the port. Converting the last two numbers into a sixteen bit
  integer gives the values 16384, 16639, and 44529. You can see that it
  uses the two ports specified in the configuration file and then starts
  picking ports at random.

  This bug was originally found in the document module of OpenERP 5.0.12
  on Ubuntu 10.04. It's now in the document_ftp module of OpenERP 6.1 on
  Ubuntu 11.10.

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-addons/+bug/627670/+subscriptions
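
The two readings of ftp_server_passive_ports described in the report, and a check of the three 227 replies from its transcript against the configured range, as an added example that is not part of the original report and not OpenERP's own code. All function names are hypothetical.

```python
import re

# Matches the (h1,h2,h3,h4,p1,p2) tuple in a 227 passive-mode reply.
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def ports_as_pair(setting):
    """Reading the report describes as the bug: only the two endpoints."""
    return [int(p) for p in setting.split(":")]


def ports_as_range(setting):
    """Reading the report asks for: every port from start to end, inclusive."""
    start, end = (int(p) for p in setting.split(":"))
    if not 0 < start <= end <= 65535:
        raise ValueError("invalid passive port range: %r" % setting)
    return list(range(start, end + 1))  # + 1 so the end port is included


def pasv_port(reply):
    """Decode the data port from a 227 reply: port = p1 * 256 + p2."""
    match = PASV_RE.search(reply)
    if match is None:
        raise ValueError("not a passive-mode reply: %r" % reply)
    p1, p2 = int(match.group(5)), int(match.group(6))
    if p1 > 255 or p2 > 255:
        raise ValueError("port octet out of range in: %r" % reply)
    return p1 * 256 + p2


def audit(replies, setting):
    """Pair each advertised data port with whether the firewall range covers it."""
    allowed = set(ports_as_range(setting))
    return [(port, port in allowed) for port in map(pasv_port, replies)]


# The three 227 replies copied from the transcript in the report.
REPLIES = [
    "227 Entering passive mode (192,168,1,100,64,0).",
    "227 Entering passive mode (192,168,1,100,64,255).",
    "227 Entering passive mode (192,168,1,100,173,241).",
]

if __name__ == "__main__":
    print("pair reading: ", ports_as_pair("5000:5003"))
    print("range reading:", ports_as_range("5000:5003"))
    for port, ok in audit(REPLIES, "16384:16639"):
        print(port, "inside configured range" if ok else "outside range, firewall drops it")
```

Running audit() over a capture of 227 replies is a quick way to confirm that a server only advertises data ports the firewall rule actually opens.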