How to use FTP

From OpenFSG




FTP Basics

An FTP connection between an FTP server and an FTP client is normally used for transferring files and folders. Many different servers and clients are available. The FTP server software used on the FSG is vsFTPd, which is open source, so you can find a lot of documentation about configuring it.

An FTP connection always needs a pair of ports: one for transferring the commands (Control Channel) and one for the data (Data Channel). The Control Channel typically uses port 21. It is also possible to configure the server to listen on another port (see FTP security). The Data Channel port depends on the connection mode, which is negotiated between server and client. There are two modes: Active FTP and Passive FTP.

Active FTP

  1. The FTP client connects to the Control Channel port of the FTP server (normally port 21).
  2. The client opens a local port for the Data Channel and tells this to the server via the PORT command.
  3. The server opens the Data Channel connection from server port 20 to the port of the client.

Active FTP often fails because the client is behind a firewall and/or a router that is not configured for incoming connections. The server is then unable to open the Data Channel, and the connection fails with a timeout (mostly when the client expects to receive the directory list after the LIST command).

If the FTP server is behind a firewall and/or a router, the firewall/router has to allow incoming and outgoing connections on the Control Channel port (normally port 21) and outgoing connections on the Data Channel port (port 20).


Passive FTP

  1. The FTP client connects to the Control Channel port of the FTP server (normally port 21).
  2. The server opens a local port for the Data Channel and tells this to the client via the PORT-Command.
  3. The client opens the Data Channel connection from a random local port to that port at the server.

This is the most common FTP mode, because it also works without configuring the firewall and router on the client side (firewalls and routers normally allow connections that are initiated by a client on the local network).

But the firewall and/or router in front of the FTP server must be configured to allow incoming connections on the Control Channel port (normally port 21) and incoming connections on a random Data Channel port.


Random Data Channel Port

Using a random port for Data Channel connections requires a configured range of high ports (higher than 1024). Most FTP clients (Active FTP) and FTP servers (Passive FTP) allow you to define such a port range. When the client or server opens a Data Channel connection, a random port from this range is used.

If you use a port range, configuring your firewall and router is much easier, because you only have to allow incoming connections within this range.


IP Problem

If your server (or client) is located behind a router, it only knows the IP of the local network (internal IP) and not the public IP on the Internet (external IP). If you use an FTP connection with correct settings and without any encryption to an FTP server behind a router, you normally will not have any problems, because the router translates all internal IPs to external IPs and vice versa (see the documentation on NAT, Network Address Translation).

But the router is not able to translate the Data Channel IP and port if you use encryption such as SSL or TLS. The client then receives the wrong IP (the internal IP of the server) with the PORT-Command, tries to connect to it and fails with a timeout error. vsFTPd allows you to set up the IP address the server replies with (look for "pasv_address"). So you can tell your FTP server its external address, and the connection will also work with encryption.
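As an added example (not part of the original page), the following Python snippet shows what the server announces for the Data Channel in passive mode (the 227 reply to PASV) and what the client announces with PORT: it parses the h1,h2,h3,h4,p1,p2 tuple, computes the port as p1*256+p2, and flags the two failure cases described above, an internal (RFC 1918) address that NAT cannot rewrite once the control channel is encrypted, and a port outside the forwarded range. The sample lines and the 50000-55000 range are constructed values.

```python
import re

# RFC 1918 ranges: a data channel announced with one of these addresses
# cannot be reached from the Internet.
_PRIVATE_NETS = (("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16))
_TUPLE_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed sample lines (not from a real session): a 227 reply to PASV that
# leaks the server's internal address, and a client's PORT command.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,168,1,10,195,88)"
SAMPLE_PORT_CMD = "PORT 203,0,113,5,4,1"

def _ip_to_int(ip):
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def is_rfc1918(ip):
    """True if ip is an internal (NAT) address in 10/8, 172.16/12 or 192.168/16."""
    n = _ip_to_int(ip)
    for net, plen in _PRIVATE_NETS:
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        if n & mask == _ip_to_int(net):
            return True
    return False

def parse_hostport(line):
    """Extract (ip, port) from the h1,h2,h3,h4,p1,p2 tuple; port = p1*256 + p2."""
    m = _TUPLE_RE.search(line)
    if m is None:
        raise ValueError("no host/port tuple in: %r" % line)
    nums = [int(x) for x in m.groups()]
    if max(nums) > 255:
        raise ValueError("byte out of range in: %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def build_pasv_reply(ip, port):
    """Format the 227 reply; ip is the address the server announces (external IP with pasv_address)."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (ip.replace(".", ","), port // 256, port % 256)

def check_data_channel(line, port_min=50000, port_max=55000):
    """Return (ip, port, problems): the NAT/encryption problem and ports outside the forwarded range."""
    ip, port = parse_hostport(line)
    problems = []
    if is_rfc1918(ip):
        problems.append("internal address %s announced; set pasv_address to the external IP" % ip)
    if not port_min <= port <= port_max:
        problems.append("port %d outside data port range %d-%d" % (port, port_min, port_max))
    return ip, port, problems
```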


Problems with vsFTPd version <= 2.0.6

If you want to use your FTP server with SSL/TLS encryption and a relatively new FTP client such as FileZilla 3.1.x or greater, you will get this error message:

Could not read from transfer socket: ECONNABORTED - Connection aborted

The reason is that vsFTPd servers (version <= 2.0.6) do not perform an orderly SSL/TLS shutdown. Newer FTP clients do not tolerate such a truncated SSL/TLS connection and close it with an error because of the security risk. The solution for this problem is:

  • get a vsFTPd server with a version greater than 2.0.6

or

  • use an old FTP client (e.g. FileZilla <= 3.0.11.1) and live with the security risk



Setup FTP Server

FTP without encryption

  1. Go to "Services"->"FTP server" in the Freecom Web-Interface.
  2. Select "Run FTP server" to activate the service.
  3. Select "open FTP server for the outside" if you want to make the FTP server available on the WAN port.
  4. Configure your router and your firewall.
  5. Create users with the Freecom Web-Interface. The users that have access to the FTP server are the same users that are defined on the FSG.
  6. Create directories with the Freecom Web-Interface. The FTP server's home is the /home directory on your FSG. A user who logs in will only see the directories he or she is entitled to. To change the directories that anyone can see, go to "Folders" and change the permitted users or groups.

Advanced vsFTPd configuration

The vsFTPd server allows you to set up a lot of properties using its configuration file (/etc/vsftpd.conf), so you are able to run a professional FTP server on your FSG. But the Freecom Web-Interface does not support advanced FTP setups, therefore you have to log in via SSH and edit this file manually. If you are comfortable with the Linux shell you can use "vi" as editor; if you prefer something easier with a little GUI, you can install Midnight Commander (mc).

It is very important to always know the name and effect of the property you want to edit. To inform yourself, you can use the man page or one of the many HowTos; you will find some links at the bottom of this page. If a property does not exist in the configuration file, simply add it on a new line.

To apply your new properties after editing vsftpd.conf, you have to restart your FTP server:

/etc/init.d/ftp stop
/etc/init.d/ftp start

To test your FTP server you should use a dedicated FTP client that supports the whole FTP protocol, because software with an integrated FTP client often only supports part of the protocol, and connections could fail even though your setup is correct.

If you want to do your advanced FTP configuration with an easy GUI, you can install the FSG Free Web-Interface, which allows you to edit most vsFTPd properties with a few clicks.



FTP with SSL/TLS encryption

Directly connected to the Internet

If your FSG is connected to the Internet directly, it is pretty easy to use your FTP server with SSL or TLS encryption: just follow the instructions in "FTP without encryption" and select "enable SSL" in the Freecom Web-Interface.


FSG behind a router / firewall

As explained in "FTP Basics", it is not so easy if your FTP server is behind a router and/or firewall. Here you have to edit your configuration file (see Advanced vsFTPd configuration) and configure your router and/or firewall.


Setup your vsFTPd Server (edit vsftpd.conf)

  • define a port range (e.g. 50000-55000)
pasv_min_port=50000
pasv_max_port=55000
  • enable SSL encryption
ssl_enable=YES
ssl_sslv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
ssl_tlsv1=YES
  • set your external IP
pasv_address=xxx.xxx.xxx.xxx

If you want to force SSL encryption:

force_local_data_ssl=YES
force_local_logins_ssl=YES
  • restart your FTP Server
/etc/init.d/ftp stop
/etc/init.d/ftp start


Configure your router/firewall

  • Forward ports from router to FSG
Port 20 from router to FSG WAN
Port 21 from router to FSG WAN
Port range from router to FSG WAN (e.g. 50000-55000 as you have defined in vsftpd.conf)
  • Configure a firewall
Allow incoming / outgoing connections on port 20
Allow incoming / outgoing connections on port 21
Allow incoming / outgoing connections for the whole port range

Now all kinds of FTP connections (Active / Passive, with and without encryption) should work. Depending on your vsFTPd version and on your selected port range, it could be necessary to configure the FSG firewall, called iptables. For further information, look into the man page.
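As an added example, not code from the page or from vsFTPd, here is a small Python checker for the vsftpd.conf settings and the resulting router/firewall rules from the steps above: it parses the key=value file, flags a placeholder pasv_address, a bad passive port range and missing force_local_*_ssl options, and derives the ports to forward. The SSLv2/SSLv3 check goes beyond the page, since both protocol versions are deprecated and should be set to NO; the configuration fragment is a constructed sample.

```python
import re

# Constructed vsftpd.conf fragment with the settings listed above; the
# pasv_address placeholder is left in on purpose so the checks catch it.
SAMPLE_CONF = """\
pasv_min_port=50000
pasv_max_port=55000
ssl_enable=YES
ssl_sslv2=YES
ssl_sslv3=YES
ssl_tlsv1=YES
pasv_address=xxx.xxx.xxx.xxx
"""

def parse_vsftpd_conf(text):
    """Parse key=value lines into a dict; blank lines and '#' comments are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("malformed line: %r" % raw)
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def _yes(conf, key):
    return conf.get(key, "NO").upper() == "YES"

def lint_conf(conf):
    """Return findings for the passive-mode and SSL settings used on this page."""
    findings = []
    lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 0))
    if not 1024 < lo <= hi < 65536:
        findings.append("pasv_min_port/pasv_max_port must form a range above 1024")
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", conf.get("pasv_address", "")):
        findings.append("pasv_address is missing or still a placeholder")
    if _yes(conf, "ssl_enable"):
        if _yes(conf, "ssl_sslv2") or _yes(conf, "ssl_sslv3"):
            findings.append("ssl_sslv2/ssl_sslv3=YES: SSLv2 and SSLv3 are deprecated, set them to NO")
        for key in ("force_local_logins_ssl", "force_local_data_ssl"):
            if not _yes(conf, key):
                findings.append("%s=NO: logins or data may still go over the wire unencrypted" % key)
    return findings

def required_ports(conf):
    """Ports to forward and allow: control port, port 20 for active mode, passive range."""
    control = int(conf.get("listen_port", 21))
    return sorted({control, 20}), (int(conf["pasv_min_port"]), int(conf["pasv_max_port"]))
```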



FTP (also with SSL or TLS) over SSH

Here I would like to explain how to use an SSH tunnel to connect to your FTP server. To understand how an SSH tunnel works, you can read Advanced SSH usage, the man page or one of the HowTos.

  1. Log in at the admin page of your FSG.
  2. Go to "Services" and choose "SSH Server".
  3. Enable "Run SSH server" and "Open SSH server to the outside through the WAN port".
  4. Go to "Services" and choose "FTP Server".
  5. Enable "Run FTP server" (and "Use SSL encryption" if you want to use SSL or TLS, but it is not necessary).
  6. Now open PuTTY.
  7. Go to "Connection/SSH/Tunnels" and choose a port (for example 6666).
  8. Enable "Dynamic" and "Auto".
  9. Click "Add".
  10. Go to "Session" and enter your host and port (for example "FSG" or "dyndns.somethinglikethat", port 22).
  11. Click "Open".

Image:SSH_Tunnel_Putty.PNG

A command line will appear where you have to log in. After this, PuTTY starts a SOCKS v4/v5 proxy server on your local PC (127.0.0.1, port 6666). All your software that supports the use of a proxy can use this tunnel to your FSG, for example your FTP client (I use FileZilla).

  1. Open your FTP client.
  2. Enter your proxy settings.
  3. Open a connection with Host: FSG, Port: 21 and your FTP account name and password.
  4. (Optionally enable SSL or TLS if you like, but your connection over SSH is already secure.)

Image:SSH_Tunnel_Filezilla.PNG


If you only want to use your SSH connection for tunneling, you should enable "Don't allocate a pseudo-terminal" under "SSH/TTY".



Links
