Hi Yutaka,

Yutaka Sato wrote:
> It can be done like a usual FTP proxy with STLS=-fsv as follows:
>
>   delegated -P21 SERVER=ftp STLS=-fsv

I'm experiencing odd things when I use Delegate to act as a TLS FTP gateway like you kindly described. Essentially, a non-TLS capable client when connecting via Delegate to a TLS capable server experiences 'connection refused' type error messages. I've attached a (sanitised) log which may be helpful.

From an initial look it appears that delegate is attempting to open the data port at (controlport-2) instead of (controlport-1). There is a firewall between Delegate and the local FTP server. Some external FTP sites work ok, others do not.

Would you be able to suggest how best to start debugging this?

Delegate is started with this:

#!/bin/bash
~delegate/delegated -P21 SERVER=ftp STLS=-fsv CACHE=no\
        AUTH="anonftp:*:*" \
        OWNER='delegate/delegate' \
        DGROOT='/home/delegate/ftp' \
        LOGDIR='logs' \
        LOGFILE='[date+%Y-%m.ftp]' \
        PROTOLOG='xferlog.[date+%Y-%m.ftp]' \
        WORKDIR='work' \
        CACHEDIR='cache' \
        MAXIMA='listen:64' \
        PERMIT="ftp:*:*"

10/05 16:49:41.10 [3321] 72+0: -- Fork(OnetimeServer): 18523 -> 3321
10/05 16:49:41.16 [3321] 72+0: (4) accepted [26] -@[192.168.90.52]192.168.90.52:4240 (0.058s)(1)
10/05 16:49:41.16 [3321] 72+0: PATH: ftp://-:21!medina.domain.com:21!192.168.90.52:4240!anonymous@192.168.90.52;1160063381
10/05 16:49:41.17 [3321] 72+0: FTP server ftp://-:21/
10/05 16:49:41.17 [3321] 72+0: *** / => file://localhost/-stab-/ ***
10/05 16:49:41.17 [3321] 72+0: MOUNTED-TO-STAB: file://localhost/-stab-/
10/05 16:49:41.17 [3321] 72+0: -- putBuiltinHTML: empty ftp-banner-postfix.dhtml
10/05 16:49:41.17 [3321] 72+0: bind_insock(23,192.168.20.17,0) = 0, errno=0
10/05 16:49:41.17 [3321] 72+0: ## connect[23] TIMEOUT(1000)
10/05 16:49:41.17 [3321] 72+0: ### IDENT CONNECT(192.168.90.52:113) TIMEOUT(1000ms) (110)
10/05 16:49:41.17 [3321] 72+0: #### no authorization required
10/05 16:49:41.27 [3321] 72+0/1: FTP LOGIN FROM 192.168.90.52 TO ntf@domain..
10/05 16:49:41.27 [3321] 72+0/1: rewritten to: CWD //ntf@domain..^M
10/05 16:49:41.28 [3321] 72+0/2: FTP LOGIN FROM 192.168.90.52 TO ntf@domain..
10/05 16:49:41.28 [3321] 72+0/2: PATH: ftp://ftp.domain.com:21!medina.domain.com:21!192.168.90.52:4240!anonymous@192.168.90.52;1160063381
10/05 16:49:41.29 [3321] 72+0/2: FTP server ftp://ftp.domain.com:21/
10/05 16:49:41.29 [3321] 72+0/2: FTPHOPS: 1 [13/26 - -1/-1]
10/05 16:49:41.29 [3321] 72+0/2: ConnectToServer: DFLT=ftp://ftp.domain.com:21 REAL=://:0
10/05 16:49:41.29 [3321] 72+0/2: ConnectToServer connected [24] {192.168.6.14:21 <- 192.168.20.17:2882} [0.001s]
10/05 16:49:41.29 [3321] 72+0/2: willSTLS_SV: ServerFlags=70
10/05 16:49:41.29 [3321] 72+0/2: inherited AsProxy: 10010
10/05 16:49:41.33 [3321] 72+0/2: willSTLS_SV: ServerFlags=70
10/05 16:49:41.33 [3321] 72+0/2: willSTLS_SV: ServerFlags=70
10/05 16:49:41.33 [3322] 72+0/2: -- Fork(FSV): 3321 -> 3322
10/05 16:49:41.34 [3322] 72+0/2: ## SSLway loadSession 0.000862 (1 0) / 23
10/05 16:49:41.43 [3322] 72+0/2: ## SSLway ## 0.102910 sescache[23] HIT=0 sR=0 cR=0
10/05 16:49:41.43 [3322] 72+0/2: ## SSLway server's cert. = **subject<</C=GB/ST= [snip] /CN=ftp.domain.com [snip]
10/05 16:49:41.55 [3321] 72+0/2: LoginPWD: "/ntf"
10/05 16:49:41.78 [3321] 72+0/6/4: FTP-control-remote: 192.168.20.17:21 [26]
10/05 16:49:41.78 [3321] 72+0/6/4: FTP-data-local[27]: 192.168.20.17:2883
10/05 16:49:41.78 [3321] 72+0/6/4: ## viaCFI [mkPASV]: fileno(ts)=24 ToSX=25
10/05 16:49:41.78 [3321] 72+0/6/4: ## viaCFI [mkPASV]: fileno(ts)=24 ToSX=25
10/05 16:49:41.78 [3321] 72+0/6/4: ftp_conndata: connection refused 192.168.20.17:2881->ftp.domain.com/192.168.6.14:44633, errno=111
10/05 16:49:41.78 [3321] 72+0/6/4: ftp_conndata: retry without port# (2881)
10/05 16:49:41.78 [3321] 72+0/6/4: ftp_conndata: connection refused 192.168.20.17:2884->ftp.domain.com/192.168.6.14:44633, errno=111
10/05 16:49:41.78 [3321] 72+0/6/4: ## viaCFI [mkPORT]: fileno(ts)=24 ToSX=25
10/05 16:49:41.78 [3321] 72+0/6/4: FTP-control-remote: 192.168.6.14:21 [25]
10/05 16:49:41.78 [3321] 72+0/6/4: FTP-data-local[28]: 192.168.20.17:2885
10/05 16:49:41.78 [3321] 72+0/6/4: PASV [C][192,168,20,17,11,67] >> 227 Entering Passive Mode (192,168,20,17,11,67).^M