v2.43 versus v2.22: A REAL PROBLEM in NON PASSIVE MODE

v2.43 versus v2.22: A REAL PROBLEM in NON PASSIVE MODE

Post by Gloumi » Tue Mar 27, 2007 5:22 am

Hello,

I have read many of the recent posts on this forum about the problems related to passive and non-passive modes. I confirm there is a problem somewhere in CERBERUS v2.43, at least compared with CERBERUS v2.22.

Here are the facts that prove it:

- Cerberus v2.43 is installed on a Windows 2003 server.
- Windows firewall: activated. Port 23 opened and routed on the machine itself
- No external firewall, no external blocking router: purely and directly on the internet
- I always use NON passive mode. One reason is that the ftp.exe command line FTP Windows client does not handle passive mode
- I switched from v2.22 to v2.43 because v2.22 was, from time to time, consuming 99% of the machine time for no reason
- Since v2.43 it is IMPOSSIBLE to LIST any directory because of this ERROR: 425 Unable to open the data connection, as shown in the copy of logs below
- Back to v2.22, keeping the same config, without touching anything else on the server: no problems anymore
- Additional information: when an FTP client is initiated on the server (to itself) in NON PASSIVE MODE, there is NO PROBLEM
- CONCLUSION: I think that when the author introduced some mods about passive mode, the NON PASSIVE MODE behaviour has been touched also.


MESSAGE TO THE AUTHOR: please accept the fact that there is something wrong with this new CERBERUS 2.43 version.
Look at all the people who are experiencing the same kind of problems: really, I am not alone.
Thanks for your answers.

Gilles from Strasbourg

--- Log from v2.43 BELOW : ERROR 425 PROBLEM ---------------------------------------------------

Mar 27 11:06:27 0 Incoming connection request on interface 83.141.132.45
Mar 27 11:06:27 0 Connection request accepted from 83.141.XX.YY
Mar 27 11:06:27 0 USER essai
Mar 27 11:06:27 0 331 User essai, password please
Mar 27 11:06:27 0 PASS ***********
Mar 27 11:06:27 0 230 Password Ok, User logged in
Mar 27 11:06:27 0 SYST
Mar 27 11:06:27 0 215 UNIX Type: L8
Mar 27 11:06:27 0 FEAT
Mar 27 11:06:27 0 211- Additional features supported include: MDTM SIZE REST STREAM AUTH TLS AUTH SSL PBSZ PROT LANG EN* SITE CHMOD SITE PSWD 211 End
Mar 27 11:06:27 0 PWD
Mar 27 11:06:27 0 257 "/" is the current directory
Mar 27 11:06:27 0 TYPE A
Mar 27 11:06:27 0 200 Type ASCII
Mar 27 11:06:27 0 PORT 83,141,XX,YY,19,137
Mar 27 11:06:27 0 200 Port command received
Mar 27 11:06:27 0 LIST
Mar 27 11:06:28 0 Unable to connect : Aucune connexion n'a pu être établie car l'ordinateur cible l'a expressément refusée.
Mar 27 11:06:28 0 425 Unable to open the data connection
Mar 27 11:06:29 0 QUIT
Mar 27 11:06:29 0 Connection terminated.


--- Log from v2.22 BELOW : GOOD = NO PROBLEM ---------------------------------------------------
Same configuration as with v2.43
Tue Mar 27 11:03:07 2007 2 Incoming connection request on interface 83.141.XX.YY
Tue Mar 27 11:03:07 2007 2 Connection request accepted from 83.141.128.46
Tue Mar 27 11:03:07 2007 2 USER essai
Tue Mar 27 11:03:07 2007 2 PASS ***********
Tue Mar 27 11:03:07 2007 2 SYST
Tue Mar 27 11:03:07 2007 2 FEAT
Tue Mar 27 11:03:07 2007 2 PWD
Tue Mar 27 11:03:07 2007 2 TYPE A
Tue Mar 27 11:03:07 2007 2 PORT 83,141,XX,YY,19,138
Tue Mar 27 11:03:07 2007 2 LIST
Tue Mar 27 11:03:07 2007 2 Data connection established
Tue Mar 27 11:03:07 2007 2 The data connection was closed by the remote socket
Tue Mar 27 11:03:10 2007 2 QUIT


Post by mdj » Tue Mar 27, 2007 7:22 am

I just tested the same scenario, and I can confirm it, I see the exact same problem - plus another one:

[2007-03-27 13:01:16]:CONNECT [ 10] - Incoming connection request on interface 192.168.1.100
[2007-03-27 13:01:16]:CONNECT [ 10] - Connection request accepted from A.B.C.D
[2007-03-27 13:01:19]:COMMAND [ 10] - USER mdj
[2007-03-27 13:01:19]: REPLY [ 10] - 331 User mdj, password please
[2007-03-27 13:01:21]:COMMAND [ 10] - PASS ***********
[2007-03-27 13:01:21]: REPLY [ 10] - 230 Password Ok, User logged in
:
[2007-03-27 13:01:24]:COMMAND [ 10] - PORT A,B,C,D,65,5
[2007-03-27 13:01:24]: ERROR [ 10] - Data request is not for client and server-to-server transfers are disabled
[2007-03-27 13:01:24]: REPLY [ 10] - 500 Port command invalid
[2007-03-27 13:01:24]:COMMAND [ 10] - LIST
[2007-03-27 13:01:45]: ERROR [ 10] - Unable to connect : A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
[2007-03-27 13:01:45]: REPLY [ 10] - 425 Unable to open the data connection
[2007-03-27 13:02:29]:COMMAND [ 10] - LIST
[2007-03-27 13:02:50]: ERROR [ 10] - Unable to connect : A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
[2007-03-27 13:02:50]: REPLY [ 10] - 425 Unable to open the data connection

- and I double-, triple-, and quadruple-checked that the IPs (A.B.C.D) were the same. When I unticked "Deny FXP transfers", I saw a log identical to the one reported by Gloumi. I tried to fire up tcpview, and when the data connection was supposed to be created by Cerberus, I saw a port 20 LISTENING instead of sending a SYN... Didn't try wireshark, don't think it will have anything to add.
Morten Due Jørgensen
http://www.mdjnet.dk


Post by Serin » Tue Mar 27, 2007 10:47 pm

Thanks guys, I believe you. I was looking to release a new version tonight, but I will hold off until I get these issues corrected.

I really made a mistake releasing this version in such a hurry. It contained a major change to how IP addresses are stored internally and how the socket connections are set up (to support IPv6), and the resulting change has caused all sorts of issues. I normally would never have released something like this without more testing and a BETA period, but I wanted to resolve a major install problem on Windows 2000. Normally, I would have worked off of the stable 2.42 baseline, but due to CM issues on my end, 2.42 wasn't properly baselined. I had to work off of the latest source tree. Everything seemed fine with my normal testing. Currently, I don't see the same issues you are seeing with active mode, but I have an idea where the problem might be. I'd be curious to know if you guys are running any firewalls on your machines.

I'm working to get these issues resolved as soon as possible (this week). In the meantime, I am posting version 2.42 back on for anyone experiencing problems and not running Windows 2000.


Post by Serin » Tue Mar 27, 2007 11:15 pm

Ok, I think I've definitely found the problem (and the reason for the DenyFXP problem). The IP address specified by the PORT command isn't getting saved properly (actually, it's not getting saved at all), and Cerberus FTP Server is trying to connect to a "" (blank) address. I'm not even sure why it works when I test local connections on the same machine.
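
Added example, not part of the original thread and not Cerberus FTP Server code: a sketch of the active-mode bookkeeping this thread is about, showing PORT parsing, the "Deny FXP" comparison against the control connection's peer, and a LIST that refuses to dial when no valid target was saved. The class name, the 501 and 150 reply wording, and the sample addresses are assumptions; the 200, 500 and 425 replies are the ones in the logs above.

```python
import ipaddress

def parse_port_argument(arg):
    """Parse RFC 959 'h1,h2,h3,h4,p1,p2' into (ip_string, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError("PORT needs six decimal fields")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("PORT field out of range 0-255")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

class ActiveModeSession:
    """Hypothetical per-connection state for active-mode transfers."""

    def __init__(self, control_peer_ip, deny_fxp=True):
        self.control_peer = ipaddress.ip_address(control_peer_ip)
        self.deny_fxp = deny_fxp
        self.data_endpoint = None  # set only by an accepted PORT

    def handle_port(self, arg):
        self.data_endpoint = None  # never keep a stale target
        try:
            ip, port = parse_port_argument(arg)
        except ValueError:
            return "501 Syntax error in PORT argument"  # wording assumed
        # Deny-FXP check: target must be the control connection's peer
        if self.deny_fxp and ipaddress.ip_address(ip) != self.control_peer:
            return "500 Port command invalid"
        self.data_endpoint = (ip, port)
        return "200 Port command received"

    def handle_list(self):
        # Fail fast instead of connecting to an empty or unset address
        if not self.data_endpoint or not self.data_endpoint[0]:
            return "425 Unable to open the data connection"
        return "150 Opening data connection to %s:%d" % self.data_endpoint

if __name__ == "__main__":
    s = ActiveModeSession("192.0.2.10")  # constructed addresses
    for cmd in ("192,0,2,10,19,137", "198,51,100,7,65,5"):
        print("PORT", cmd, "->", s.handle_port(cmd), "| LIST ->", s.handle_list())
```

Comparing parsed address objects rather than raw strings keeps the Deny-FXP decision independent of how the address is stored internally.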


2.44 has solved the bug !

Post by Gloumi » Wed Mar 28, 2007 4:03 pm

Thanx a lot,
Gilles
Strasbourg
France
