I have a new Windows 2008 server with IIS7. When I connect to ftp in active mode it works fine. In passive mode it connects, but times out when trying to get a directory listing. I tried disabling both firewalls, but that didn't help. I've tried this from different client machines and with different ftp client software, with no change. Any ideas?
Josh Budde
Asked:
2010-02-25 17:42:52 +0800 CST
I have a FreeBSD server on which I'm trying to get FTP running. If I disable pf, everything works fine.
If I connect with pf running I can log in successfully, but as soon as I run ls I get:
ftp> ls
229 Entering Extended Passive Mode (|||61162|)
Then nothing... and eventually I get this: 421 Service not available, remote server has timed out. Connection closed
I'll paste my pf.conf file below; if anyone can help me I'd be thrilled!
### macro name for external interface.
ext_if = "re0"
allowed_icmp_types = "echoreq"
### all incoming traffic on external interface is normalized and fragmented
### packets are reassembled.
scrub in on $ext_if all fragment reassemble
### FTP Proxy stuff
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
### set a default deny everything policy.
block log all
### exercise antispoofing on the external interface, but add the local
### loopback interface as an exception, to prevent services utilizing the
### local loop from being blocked accidentally.
set skip on lo0
antispoof for $ext_if inet
### block anything coming from sources that we have no back routes for.
block in log from no-route to any
### block packets that fail a reverse path check. we look up the routing
### table, check to make sure that the outbound is the same as the source
### it came in on. if not, it is probably source address spoofed.
#block in from urpf-failed to any
### drop broadcast requests quietly.
block in quick on $ext_if from any to 255.255.255.255
### block packets claiming to come from reserved internal address blocks, as
### they are obviously forged and cannot be contacted from the outside world.
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any
### block probes that can possibly determine our operating system by disallowing
### certain combinations that are commonly used by nmap, queso and xprobe2, who
### are attempting to fingerprint the server.
### * F : FIN - Finish; end of session
### * S : SYN - Synchronize; indicates request to start session
### * R : RST - Reset; drop a connection
### * P : PUSH - Push; packet is sent immediately
### * A : ACK - Acknowledgement
### * U : URG - Urgent
### * E : ECE - Explicit Congestion Notification Echo
### * W : CWR - Congestion Window Reduced
block in log quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in log quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in log quick on $ext_if proto tcp flags /WEUAPRSF
block in log quick on $ext_if proto tcp flags SR/SR
block in log quick on $ext_if proto tcp flags SF/SF
### keep state on any outbound tcp, udp or icmp traffic. modulate the isn
### (initial sequence number) of outgoing packets: broken operating systems
### sometimes don't randomize this number, making it guessable.
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
### normally, a client connects to the server and we handshake with them, then
### proceed to exchange data. by telling pf to proxy the handshake between the client
### and our server, tcp syn flood attacks from ddos become ineffective because
### a spoofed client cannot complete a handshake.
### set a rule that allows inbound ssh traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port ssh flags S/SA synproxy state
### set a rule that allows inbound www traffic with synproxy handshaking.
pass in on $ext_if proto tcp from any to any port www flags S/SA synproxy state
# Allow icmp
pass in log quick inet proto icmp all icmp-type $allowed_icmp_types keep state
### lets try this
#pass in on $ext_if proto tcp from any to any port ftp flags S/SA synproxy state
pass in on $ext_if inet proto tcp from port ftp-data to ($ext_if) user proxy flags S/SA keep state
### NTP allowed
pass in on $ext_if proto tcp from any to any port ntp
pass in on $ext_if proto udp from any to any port ntp
pass out on $ext_if proto tcp to any port ntp
pass out on $ext_if proto udp to any port ntp
### FTP Passive BS
###pass in quick on $ext_if proto tcp from any to any port 30000:60000
pass in on $ext_if proto tcp from any to any port 21 keep state
#pass in on $ext_if proto tcp from any to any port > 49151 keep state
### FTP Outgoing Proxy Stuff
anchor "ftp-proxy/*"
### setup a table and ruleset that prevents excessive abuse by hosts
### that attempt to brute force the ssh daemon with repeated requests.
### any host that hammers more than 3 connections in 5 seconds gets
### all their packet states killed and dropped into a blackhole table.
table <ssh_abuse> persist
block in quick from <ssh_abuse>
pass in on $ext_if proto tcp to any port ssh flags S/SA keep state (max-src-conn 10, max-src-conn-rate 3/5, overload <ssh_abuse> flush)
Matt Simmons
Asked:
2009-06-03 07:15:59 +0800 CST
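For the FreeBSD question: the posted ruleset defaults to `block log all`, and the only inbound FTP rules pass port 21 and (via `user proxy`) connections from port ftp-data; the line that would pass the high passive ports is commented out. The 229 reply quoted above tells the client to open a second connection to port 61162, and nothing in the static ruleset passes that in, so `ls` hangs until the server times out. The fragment below is an added example, not the poster's file. It assumes the FTP daemon advertises a fixed passive range of 49152-65535 (for example `PassivePorts 49152 65535` in ProFTPD, or `pasv_min_port`/`pasv_max_port` in vsftpd), and that the `rdr pass ... port ftp -> 127.0.0.1 port 8021` line is scoped to an internal interface or removed: without an `on` qualifier it also sends inbound connections to this host's own port 21 into ftp-proxy, which exists to proxy clients' outgoing FTP.

```pf
### Added example: passive-mode FTP server rules for pf (not the poster's config).
### Assumes the daemon is configured to use the same passive port range.
ext_if = "re0"
ftp_pasv = "49152:65535"

### control channel: the client connects to port 21
pass in on $ext_if inet proto tcp from any to ($ext_if) port ftp flags S/SA keep state

### passive data channel: after PASV/EPSV the CLIENT connects TO the server on a
### high port, so that port range must be passed in. Without this rule the
### directory listing hangs exactly as described in the post.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $ftp_pasv flags S/SA keep state

### active data channel: the SERVER connects back to the client from port 20.
### Covered by the poster's "pass out ... modulate state" already; shown here
### so both directions are visible side by side.
pass out on $ext_if inet proto tcp from ($ext_if) port ftp-data to any flags S/SA keep state
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading with `pfctl -f /etc/pf.conf`, and confirm the daemon's configured range is the same one the rule passes: a data port advertised outside the passed range reproduces the same hang.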
So I have an interesting problem now. I'm trying to use curl (7.15.5 on CentOS) to retrieve a file from a remote FTP server. Our client changed something over the weekend, because it worked on Friday and now it doesn't.
I can access the FTP with the CLI client and get a directory listing just fine, though I have to issue "passive" to turn passive mode off. If I don't, I get
421 Service not available, remote server has closed connection
Passive mode refused. Turning off passive mode.
No control connection for command: Transport endpoint is not connected
ftp>
OK. Obviously passive mode needs to be disabled. I've read the man page a few times, and I know I need to use -P to specify "active" mode, but from the docs it seems like this opens a port on the client (my) machine to receive the data stream. Since it's behind a firewall, that won't work.
This tells me I'm misunderstanding something, because the CLI client works in active mode.
Help me serverfault-kenobi, you're my only hope.
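All three questions above are the same mismatch seen from different sides: in passive mode the server answers PASV/EPSV with an address and port, and the client has to open a second TCP connection to that endpoint, so it fails when the firewall in front of the server does not pass that port in, or when a server behind NAT advertises its internal address (the IIS 7 FTP Firewall Support feature sets both the data channel port range and the external address to advertise for exactly this reason). In active mode the roles flip: the client listens and sends PORT, and the server connects back from port 20, so it is the client side's firewall or NAT that must allow the inbound connection. The script below is an added example, not code from any of the posts; it decodes 227 and 229 replies, checks the advertised endpoint against an assumed firewall passive range of 49152-65535, and builds the PORT command a client would send in active mode. The sample replies are constructed, except the 229 line, which is the one quoted in the FreeBSD post.

```python
"""Decode FTP passive-mode replies and build active-mode PORT commands.

Added example (not from any of the posts above).  Sample replies are
constructed; the 229 line is the one quoted in the FreeBSD post.
"""
import ipaddress
import re

# Passive range the firewall is assumed to pass inbound.  This is an
# assumption for the example, not something any of the posts state.
DEFAULT_PASV_RANGE = (49152, 65535)

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   -> RFC 959, port = p1*256 + p2
# 229 Entering Extended Passive Mode (|||port|)  -> RFC 2428, same host as control
_RE_227 = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
_RE_229 = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def parse_pasv_reply(reply):
    """Return (host, port) from a 227 (PASV) or 229 (EPSV) reply.

    For 229 the host is None: the data connection goes to the same
    address the control connection was made to.
    """
    reply = reply.strip()
    if reply.startswith("227"):
        m = _RE_227.search(reply)
        if m:
            a, b, c, d, hi, lo = (int(x) for x in m.groups())
            return "%d.%d.%d.%d" % (a, b, c, d), hi * 256 + lo
    elif reply.startswith("229"):
        m = _RE_229.search(reply)
        if m:
            return None, int(m.group(1))
    raise ValueError("not a passive-mode reply: %r" % reply)


def diagnose_pasv(reply, control_peer, pasv_range=DEFAULT_PASV_RANGE):
    """Explain why the passive data connection to this server may hang.

    control_peer is the address the client dialled for port 21.  Returns
    (host, port, problems); an empty problems list means the advertised
    endpoint is consistent with the control channel and the passed range.
    """
    host, port = parse_pasv_reply(reply)
    problems = []
    if host is None:
        host = control_peer
    elif host != control_peer:
        # Typical of a server behind NAT advertising its own internal
        # address instead of the firewall's external one.
        problems.append("data address %s differs from control peer %s" % (host, control_peer))
        if ipaddress.ip_address(host).is_private:
            problems.append("%s is a private address, unreachable from the Internet" % host)
    lo, hi = pasv_range
    if not lo <= port <= hi:
        problems.append("data port %d is outside the firewall's passive range %d-%d" % (port, lo, hi))
    return host, port, problems


def port_command(client_ip, client_port):
    """Active mode: the CLIENT listens on client_ip:client_port and the
    server connects back to it from port 20 (ftp-data), so the client's
    own firewall or NAT must allow that inbound connection."""
    hi, lo = divmod(client_port, 256)
    return "PORT %s,%d,%d" % (client_ip.replace(".", ","), hi, lo)


if __name__ == "__main__":
    # Constructed samples; 203.0.113.10 stands in for the server's public address.
    samples = [
        ("229 Entering Extended Passive Mode (|||61162|)", "203.0.113.10"),
        ("227 Entering Passive Mode (192,168,1,10,195,90)", "203.0.113.10"),
        ("227 Entering Passive Mode (203,0,113,10,9,196)", "203.0.113.10"),
    ]
    for reply, peer in samples:
        host, port, problems = diagnose_pasv(reply, peer)
        print("%s -> %s:%d  %s" % (reply, host, port, "; ".join(problems) or "endpoint looks fine"))
    print(port_command("198.51.100.7", 50010))
```

Run against the 229 reply from the FreeBSD post, the endpoint itself looks fine (61162 is inside the assumed range), which points the finger at the ruleset rather than the daemon; a 227 reply carrying a 192.168.x.x address reproduces the NAT case the IIS question usually turns out to be; and the PORT line shows why `curl -P -` needs the client side, not the server side, to accept a connection.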