Hi,

In message <_A3542@delegate-en.ML_> on 10/09/06(22:01:26)
you Steve Brown <ps4gabdyi-mxhgu422qh3w.ml@delegate.org> wrote:
|> It can be done like a usual FTP proxy with STLS=-fsv as follows:
|>
|>   delegated -P21 SERVER=ftp STLS=-fsv
|
|I'm experiencing odd things when I use Delegate to act as a TLS FTP
|gateway like you kindly described.
|
|Essentially, a non-TLS capable client when connecting via Delegate to a
|TLS capable server experiences 'connection refused' type error messages.
|I've attached a (sanitised) log which may be helpful.
|
|From an initial look it appears that delegate is attempting to open the
|data port at (controlport-2) instead of (controlport-1).

What is this "controlport-2" and "controlport-2"?

|There is a firewall between Delegate and the local FTP server. Some
|external FTP sites work ok, others do not. Would you be able to suggest
|how best to start debugging this?

Seeing what the difference is between the case of the failure and
the success will be helpful.

|Delegate is started with this:
|
|#!/bin/bash
|~delegate/delegated -P21 SERVER=ftp STLS=-fsv CACHE=no\
|        AUTH="anonftp:*:*" \
|        OWNER='delegate/delegate' \
|        DGROOT='/home/delegate/ftp' \
|        LOGDIR='logs' \
|        LOGFILE='[date+%Y-%m.ftp]' \
|        PROTOLOG='xferlog.[date+%Y-%m.ftp]' \
|        WORKDIR='work' \
|        CACHEDIR='cache' \
|        MAXIMA='listen:64' \
|        PERMIT="ftp:*:*"
|
|10/05 16:49:41.10 [3321] 72+0: -- Fork(OnetimeServer): 18523 -> 3321
|10/05 16:49:41.16 [3321] 72+0: (4) accepted [26] -@[192.168.90.52]192.168.90.52:4240 (0.058s)(1)
|10/05 16:49:41.16 [3321] 72+0: PATH: ftp://-:21!medina.domain.com:21!192.168.90.52:4240!anonymous@192.168.90.52;1160063381
|10/05 16:49:41.17 [3321] 72+0: FTP server ftp://-:21/
|10/05 16:49:41.17 [3321] 72+0: *** / => file://localhost/-stab-/ ***
|10/05 16:49:41.17 [3321] 72+0: MOUNTED-TO-STAB: file://localhost/-stab-/
|10/05 16:49:41.17 [3321] 72+0: -- putBuiltinHTML: empty ftp-banner-postfix.dhtml
|10/05 16:49:41.17 [3321] 72+0: bind_insock(23,192.168.20.17,0) = 0, errno=0
|10/05 16:49:41.17 [3321] 72+0: ## connect[23] TIMEOUT(1000)
|10/05 16:49:41.17 [3321] 72+0: ### IDENT CONNECT(192.168.90.52:113) TIMEOUT(1000ms) (110)
|10/05 16:49:41.17 [3321] 72+0: #### no authorization required
|10/05 16:49:41.27 [3321] 72+0/1: FTP LOGIN FROM 192.168.90.52 TO ntf@domain..
|10/05 16:49:41.27 [3321] 72+0/1: rewritten to: CWD //ntf@domain..^M
|10/05 16:49:41.28 [3321] 72+0/2: FTP LOGIN FROM 192.168.90.52 TO ntf@domain..
|10/05 16:49:41.28 [3321] 72+0/2: PATH: ftp://ftp.domain.com:21!medina.domain.com:21!192.168.90.52:4240!anonymous@192.168.90.52;1160063381
|10/05 16:49:41.29 [3321] 72+0/2: FTP server ftp://ftp.domain.com:21/
|10/05 16:49:41.29 [3321] 72+0/2: FTPHOPS: 1 [13/26 - -1/-1]
|10/05 16:49:41.29 [3321] 72+0/2: ConnectToServer: DFLT=ftp://ftp.domain.com:21 REAL=://:0
|10/05 16:49:41.29 [3321] 72+0/2: ConnectToServer connected [24] {192.168.6.14:21 <- 192.168.20.17:2882} [0.001s]
|10/05 16:49:41.29 [3321] 72+0/2: willSTLS_SV: ServerFlags=70
|10/05 16:49:41.29 [3321] 72+0/2: inherited AsProxy: 10010
|10/05 16:49:41.33 [3321] 72+0/2: willSTLS_SV: ServerFlags=70
|10/05 16:49:41.33 [3321] 72+0/2: willSTLS_SV: ServerFlags=70
|10/05 16:49:41.33 [3322] 72+0/2: -- Fork(FSV): 3321 -> 3322
|10/05 16:49:41.34 [3322] 72+0/2: ## SSLway loadSession 0.000862 (1 0) / 23
|10/05 16:49:41.43 [3322] 72+0/2: ## SSLway ## 0.102910 sescache[23] HIT=0 sR=0 cR=0
|10/05 16:49:41.43 [3322] 72+0/2: ## SSLway server's cert. = **subject<</C=GB/ST= [snip] /CN=ftp.domain.com [snip]
|10/05 16:49:41.55 [3321] 72+0/2: LoginPWD: "/ntf"
|10/05 16:49:41.78 [3321] 72+0/6/4: FTP-control-remote: 192.168.20.17:21 [26]
|10/05 16:49:41.78 [3321] 72+0/6/4: FTP-data-local[27]: 192.168.20.17:2883
|10/05 16:49:41.78 [3321] 72+0/6/4: ## viaCFI [mkPASV]: fileno(ts)=24 ToSX=25
|10/05 16:49:41.78 [3321] 72+0/6/4: ## viaCFI [mkPASV]: fileno(ts)=24 ToSX=25
|10/05 16:49:41.78 [3321] 72+0/6/4: ftp_conndata: connection refused 192.168.20.17:2881->ftp.domain.com/192.168.6.14:44633, errno=111
|10/05 16:49:41.78 [3321] 72+0/6/4: ftp_conndata: retry without port# (2881)
|10/05 16:49:41.78 [3321] 72+0/6/4: ftp_conndata: connection refused 192.168.20.17:2884->ftp.domain.com/192.168.6.14:44633, errno=111
|10/05 16:49:41.78 [3321] 72+0/6/4: ## viaCFI [mkPORT]: fileno(ts)=24 ToSX=25
|10/05 16:49:41.78 [3321] 72+0/6/4: FTP-control-remote: 192.168.6.14:21 [25]
|10/05 16:49:41.78 [3321] 72+0/6/4: FTP-data-local[28]: 192.168.20.17:2885
|10/05 16:49:41.78 [3321] 72+0/6/4: PASV [C][192,168,20,17,11,67] >> 227 Entering Passive Mode (192,168,20,17,11,67).^M

Cheers,
Yutaka
--
  9 9   Yutaka Sato <pfqcabdyi-mxhgu422qh3w.ml@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller