Q: How to set up my IP correctly
A: There are many combinations; check the section that matches your configuration.

Legal IP means a real IP on the Internet that everyone can connect to.
Private IP means an IP that is only valid within your local area network; only users on the same network can connect to it.
Static IP means your IP is always the same and is not issued by a DHCP server.

Note: in your *.ftpd file, Server IP is SERVER_IP under [FTPD], Auto choose IP is AUTO_CHOOSE_IP under [FTPD], Extra IP is XTRA_IPS under [FTPD], Exclude IP is XCLU_IPS under [FTPD], and Use multi IP to offer data connections automatically is PASV_IP_ROLLING under [FTPD].

Combination 1 : 1 Legal IP (Static IP)
Server IP : Set to your Legal IP (do not set a domain name)
Auto choose IP : On or Off (but you have to set the correct IP in Server IP)
Extra IP : do not add anything
Exclude IP : do not add anything
Use multi IP to offer data connections automatically : Off

Combination 2 : 1 Legal IP (Dynamic IP)
Server IP : Leave empty
Auto choose IP : On
Extra IP : do not add anything
Exclude IP : do not add anything
Use multi IP to offer data connections automatically : On

Combination 3 : 1 Legal IP (Static IP) + 1 Private IP
Server IP : Set to your Legal IP (do not set a domain name)
Auto choose IP : Off
Extra IP : do not add anything
Exclude IP : do not add anything
Use multi IP to offer data connections automatically : Off

Combination 4 : 1 Legal IP (Dynamic IP) + 1 Private IP (supported from 2.1 build 935)
Server IP : Leave empty
Auto choose IP : On
Extra IP : do not add anything
Exclude IP : Your Private IP (can be multiple, e.g. xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy)
Use multi IP to offer data connections automatically : On

Combination 5 : Multiple Legal IP (Static IP)
Server IP : Set one of the Legal IPs as SERVER IP
Auto choose IP : Off
Extra IP : add ALL IPs to Extra IP (including SERVER IP), e.g. xxx.xxx.xxx.xxx,yyy.yyy.yyy.yyy,zzz.zzz.zzz.zzz
Exclude IP : do not add anything
Use multi IP to offer data connections automatically : On

Combination 6 : Multiple Legal IP (Static IP) + 1 Private IP
Server IP : Set one of the Legal IPs as SERVER IP
Auto choose IP : Off
Extra IP : add ALL Legal IPs except this Private IP
Exclude IP : Your Private IP
Use multi IP to offer data connections automatically : On

Combination 8 : 1 Private IP
You cannot run a site to serve Internet users with a private IP.

OK, you now have the correct setup for your IP, but why can the client still not do a LIST/RETR/STOR/FXP?

Possibility 1: Your site is behind a firewall. There must be a firewall rule that allows only certain port ranges.
You must contact your local firewall administrator to get the port ranges and then set your server's DATA PORT RANGE to match the rule.

Possibility 2: This client is behind a firewall (usually you would see a PORT failed in your server log). You should ask this user to set their FTP client to use PASV (passive) mode; otherwise it will not work.

Possibility 3: This client is behind a NAT (network address translator). Usually, you would see a PORT failed in your server log. However, the PORT connection IP is usually different from this client's REAL IP. You should ask this user to set their FTP client to use PASV (passive) mode; otherwise it will not work.

Possibility 4: When users try to FXP with some FTP servers, e.g. MS-IIS or SERV-U with AntiBounce attack turned on, the FXP will not work unless you set your DATA PORT RANGE to anything higher than 1024, e.g. 1050-2000.

Possibility 5: The client software is no good. Yes! Many FTP clients simply don't obey the rules. The FTP client should first establish a DATA connection with the server, and only then send further commands, e.g. LIST or RETR. However, some clients simply send PORT/PASV and then directly send LIST/RETR without waiting for the connection to be established. RaidenFTPD is not going to support this kind of operation, so please ask the user to change or upgrade their FTP client. Usually, you will see a "LIST W/O DATA connection" error in your server-side log.

Possibility 6: The client is using an incompatible FTP client application. The FTP client applications currently incompatible are StarFTP, LeapFTP 2.6x (newer versions work), LapLink FTP v1, and old versions of FlashGET (newer versions work).

Possibility 7: You have 'Check IP of data connections' turned on in the server editor. Please turn it off, or add the authorized host's IP to the global allowed IP list. Otherwise, the server will not accept DATA connections from other servers.

OK, you still don't get it to work.
It seems like you must understand more about it.

Q01. OK, I've got a question... I am trying to program a firewall for 100% security, but if I tell RaidenFTPD to use ports, let's say 1400-1500, it uses those ports on transfers, but when the user logs in and does a LIST, it uses something like port 90-???.

A01. Well, you cannot 100% enforce the port range. The port range is only used when the client uses "PASV" mode instead of "PORT" mode. When the client uses the PORT command, the client decides the port range. When the client uses PASV mode, the server decides the port range. There might be an option in the FTP client to enforce some kind of port range as well, but it is absolutely not available in every FTP client we've seen. And this is not RaidenFTPD's fault, because the clients are the ones who decide to use whatever they like.

Q02. Why do I get this when someone tries to FXP to my RaidenFTPD server?
A02. Well, this is because the other FTP server has the "anti bounce attack" option enabled. You cannot change it since it's not on your side. If you really want your server to work with it, you must specify your DATA PORT RANGE. For different purposes, there are different suggested port ranges. If you are making a site for web downloads, try 26-79. If you are making a site for FXP, try 1400-1500. There is "NO" perfect port range that will work for every purpose, because some clients/servers think they are smart enough to reject some of the port numbers. And this is not RaidenFTPD's fault, because the other FTP servers are the ones who decide whether to reject the port or not.

Q03. What is the "PASV accept failed , no one connects to me" message? Is it generated by the server or the client? Is it coming from RaidenFTPD, or from the person who has connected to me?

A03. This message is generated by RaidenFTPD. When RaidenFTPD receives the PASV command from the FTP client, it starts to listen on one of the local IP+PORT pairs and returns that IP+PORT to the client. If no one (no FTP client) connects to this IP+PORT within 15 seconds, the server reports this error. There are various reasons, and the fault may be on the client side, on the server side, or on both, so you need to check the FTP client's command log window. First, find the string PASV, and then you will see something like
Now is the important part. Verify that 140,89,228,21 is your SERVER IP and that 0*256 + 214 is your listen PORT. If 140,89,228,21 is NOT your SERVER IP, or if it's an internal IP that no one from outside can connect to, then your IP is set up incorrectly. Check the sections above to find your best combination. If the IP part is correct, verify the PORT part. If your environment has a firewall and the PORT is outside the allowed port ranges, then no one will be able to connect to your server because all connections are rejected. In that case, you must ask your local network administrators about the acceptable port ranges and apply them as your DATA PORT RANGE; otherwise it will not work. Can't this be simpler? Probably not! No one knows what your network administrator will allow or deny, and no one knows what your internal IP or Internet IP is. You must verify it yourself.

Q04. I have one dynamic legal IP and one internal fixed IP. Can I run only one site (*.ftpd) to serve both internal and external users?

A04. No. Since your legal IP is dynamic, you will need to run 2 sites (*.ftpd): one for internal and one for external users.

Q05. I'm having a problem FXP'ing from a G6 FTP server 2.0; is anything wrong?

A05. Yes. If we don't point this problem out, people may think it's our fault when FXP'ing with G6 2.0 Final. G6 2.0 Final returns "200 PORT command successful." whether or not the command actually succeeded. How do we know? It's simple: we TURNED OFF our server's PASV listening mode (that is, RaidenFTPD returns a correct "Entering passive mode" string while it is not actually listening at all), so how can G6 2.0 Final connect to RaidenFTPD successfully when we are not listening at all? It is a bug in G6, and the following is a short log:
Yes, it is that simple. G6 returns a FALSE status, and FlashFXP has just been cheated. So now you know who should do some bug fixing. Clearly, this is not RaidenFTPD's fault, because it's G6 that returns a false status to FlashFXP. We don't know whether it has been fixed in newer versions, but if you have this problem it's not our fault.

Q06. Why can't my RaidenFTPD FXP with Microsoft IIS?

A06. Yes, it can, but you must set your DATA PORT RANGE to 1400 ~ 1500. We don't know which other ports will work, but this works. If you don't set this range, you may not be able to FXP with Microsoft IIS. RaidenFTPD has *NO* error here, since FTP does not force a server to use any particular port for data transfer. It's the site administrator's duty to decide which port to use.

Q07. Why do I get a "port connect failed (123.123.123.123 1234)" error message in the server log?

A07. Yes, it may be your fault, but most of the time the error is on the client's side. You can easily tell whose fault it is by looking at the IP 123.123.123.123. By clicking this client's icon in the server monitor, you will see the client's origin. Let's say it's 140.123.123.123. If you see port connect failed (123.123.123.123 1234), then the IPs 140.123.123.123 and 123.123.123.123 are obviously different. In that case it's the client's fault, because the client might be behind a NAT, and the FTP client application doesn't even know that its IP is a virtual IP! If the IPs are the same, then there is a possibility that it's your fault, and there are 2 things you need to check. One is to make sure the PORT the client requests (1234 here) is allowed by your local firewall rule and is not blocked. The other is trickier: you might have multiple NIC interfaces, and you need to make sure you do not add your internal NIC's IP to EXTRA_IPS, by adding it to XCLU_IPS (excluded), because no connection can be made if you are trying to connect to the FTP client from an internal NIC.
Yet there is still another possibility: the client is not downloading from the same origin from which it is attempting the FXP. In that case, you only need to make sure that all your IP settings are correct. If it still fails, then it is not your fault anyway.
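
The checks described in A03 and A07, written out as an added example (not RaidenFTPD code or output): it parses the h1,h2,h3,h4,p1,p2 field of a 227 PASV reply or a PORT command and applies the IP and port tests from the text. The function names and the sample lines are assumptions, constructed from the addresses used in those answers.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as carried by the PORT command and the 227 PASV reply (RFC 959)
_HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")


def parse_hostport(line):
    """Return (ip, port) from a PORT command or a 227 reply line."""
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in: %r" % line)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field value above 255 in: %r" % line)
    ip = ".".join(str(n) for n in nums[:4])
    return ip, nums[4] * 256 + nums[5]  # port = p1*256 + p2


def check_pasv_reply(reply, server_ip, port_range):
    """A03: the advertised IP must be the SERVER IP and reachable from outside,
    and the port must fall inside the DATA PORT RANGE the firewall allows."""
    ip, port = parse_hostport(reply)
    problems = []
    if ip != server_ip:
        problems.append("advertised IP %s is not SERVER IP %s" % (ip, server_ip))
    if ipaddress.ip_address(ip).is_private:
        problems.append("advertised IP %s is private; outside clients cannot reach it" % ip)
    low, high = port_range
    if not low <= port <= high:
        problems.append("port %d is outside DATA PORT RANGE %d-%d" % (port, low, high))
    return problems


def check_port_command(command, control_peer_ip):
    """A07: compare the PORT target with the client's origin on the control connection."""
    ip, port = parse_hostport(command)
    if ip == control_peer_ip:
        return "same origin %s: check the local firewall and NIC selection for port %d" % (ip, port)
    return "PORT target %s differs from origin %s: client behind NAT, or an FXP transfer" % (
        ip, control_peer_ip)


if __name__ == "__main__":
    # Constructed sample lines built from the addresses used in A03 and A07.
    print(check_pasv_reply("227 Entering Passive Mode (140,89,228,21,0,214)",
                           "140.89.228.21", (1400, 1500)))
    print(check_port_command("PORT 123,123,123,123,4,210", "140.123.123.123"))
```
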
Note: This page contains important information; please read it carefully! Setting up RaidenFTPD incorrectly will cause problems when FTP clients try to connect to your site.
Copyright © 2000-2005 RaidenFTPD TEAM, ALL RIGHTS RESERVED
REVISION 2.4 , 2004/04/01