openerp-india team mailing list archive
Message #13829
[Bug 627670] Re: FTP passive ports should be a range, not two separate ports
It's been almost two years since I requested this one-line change to
make the FTP server usable through a firewall.
Today I have updated the bug description to more clearly describe the
problem and the steps to reproduce. I have also created a new merge
proposal targeted at the 6.1 branch.
Any chance this could get merged? Does nobody else use the FTP server
feature?
--
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/627670
Title:
FTP passive ports should be a range, not two separate ports
Status in OpenERP Addons (modules):
Confirmed
Status in OpenERP Addons 5.0 series:
Triaged
Status in OpenERP Addons trunk series:
Confirmed
Bug description:
The document_ftp module contains a configuration setting
ftp_server_passive_ports that takes two numbers separated by a colon.
This should be interpreted as a range of port numbers, but it is
interpreted as two separate numbers.
Background:
When you install the document_ftp module, it uses 8022 as the main FTP connection port, and it will choose extra port numbers at random for FTP clients that use passive ports. These random port numbers cause problems with firewall rules, because you don't want to allow connections to all ports through the firewall.
Luckily, there is a configuration setting called ftp_server_passive_ports that takes two numbers separated by a colon. This should be interpreted as a range of port numbers for the FTP server to use as passive ports, but it is interpreted as just two port numbers.
For example: if I specify ftp_server_passive_ports=5000:5003, I expect the ports 5000, 5001, 5002, and 5003 to be used. Instead, only 5000 and 5003 are used.
This is a problem because all the FTP clients I have tried open a new
passive port for every request. This means that I can only make two
requests before I run out of assigned passive ports, and the server
starts using random ports that aren't allowed through the firewall.
The fix is really easy: just use the range function to generate a list
of all the port numbers to use. The only trick is to make sure that
you include the end port in the range. I'll attach a merge proposal.
Steps to reproduce:
I'm running on Ubuntu 11.10, so the configuration commands may be slightly different on other systems.
1. Install the document_ftp module on the OpenERP server, and add the following settings to the configuration file:
    ftp_server_host = 0.0.0.0
    ftp_server_port = 9022
    ftp_server_passive_ports = 16384:16639
2. Restart the server and log in to a database through your regular client. The FTP server doesn't start up until the first login request.
3. Make sure the server's firewall is on and has most ports blocked. Allow TCP connections to port 9022 and the range 16384 to 16639. This is the command I used:
    sudo ufw allow proto tcp from any to any port 9022,16384:16639
4. Check the server's IP address using ifconfig. For this example, we'll use 192.168.1.100.
5. Go to another computer on your network and connect to the FTP service. Make sure your FTP client uses passive connections. This is the command I used:
    ftp -p 192.168.1.100 9022
6. It should ask for your username and password. If not, you've got other connection problems. Enter your username and password.
7. Enter the ls command three times.
Expected behaviour: Each ls command should display a list of your
databases.
Actual behaviour:
    ftp> ls
    227 Entering passive mode (192,168,1,100,64,0).
    125 Data connection already open. Transfer starting.
    dr-xr-x--- 1 root root 0 Jan 01 00:00 blank60
    dr-xr-x--- 1 root root 0 Jan 01 00:00 demo61
    dr-xr-x--- 1 root root 0 Jan 01 00:00 migrationc
    226 Transfer complete.
    ftp> ls
    227 Entering passive mode (192,168,1,100,64,255).
    125 Data connection already open. Transfer starting.
    dr-xr-x--- 1 root root 0 Jan 01 00:00 blank60
    dr-xr-x--- 1 root root 0 Jan 01 00:00 demo61
    dr-xr-x--- 1 root root 0 Jan 01 00:00 migrationc
    226 Transfer complete.
    ftp> ls
    227 Entering passive mode (192,168,1,100,173,241).
    [freezes here]
The numbers after the passive mode message represent the IP address
and the port. Converting the last two numbers into a sixteen-bit
integer gives the values 16384, 16639, and 44529. You can see that it
uses the two ports specified in the configuration file and then starts
picking ports at random.
This bug was originally found in the document module of OpenERP 5.0.12
on Ubuntu 10.04. It's now in the document_ftp module of OpenERP 6.1 on
Ubuntu 11.10.
To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-addons/+bug/627670/+subscriptions
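
Added example (not part of the original report and not the document_ftp module's own code): a Python illustration of the two readings of ftp_server_passive_ports described above, with a decoder for the 227 replies from the transcript that flags advertised data ports outside the firewall-allowed range. All function names are hypothetical.

```python
import re

def parse_passive_ports_buggy(setting):
    """Behaviour the report describes: 'low:high' read as two separate ports."""
    return [int(p) for p in setting.split(":")]

def parse_passive_ports(setting):
    """Intended behaviour: 'low:high' read as an inclusive range."""
    low, high = (int(p) for p in setting.split(":"))
    if not 0 < low <= high <= 65535:
        raise ValueError("invalid passive port range: %r" % setting)
    return list(range(low, high + 1))  # +1 so the end port is included

PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def pasv_endpoint(reply):
    """Decode a 227 reply (h1,h2,h3,h4,p1,p2) into (ip, port)."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("field out of byte range: %r" % reply)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def ports_outside(replies, allowed):
    """Return advertised data ports that are not in the allowed list."""
    allowed = set(allowed)
    ports = [pasv_endpoint(r)[1] for r in replies]
    return [p for p in ports if p not in allowed]

# The three 227 replies quoted in the report's transcript.
REPLIES = [
    "227 Entering passive mode (192,168,1,100,64,0).",
    "227 Entering passive mode (192,168,1,100,64,255).",
    "227 Entering passive mode (192,168,1,100,173,241).",
]

if __name__ == "__main__":
    firewall = parse_passive_ports("16384:16639")
    print("buggy pool size:", len(parse_passive_ports_buggy("16384:16639")))
    print("range pool size:", len(firewall))
    print("ports blocked by the firewall:", ports_outside(REPLIES, firewall))
```

Running the same check over the 227 lines in a server or client FTP log shows whether the server ever advertises a data port that the firewall rule does not cover.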