# [SOLVED] glftpd behind a router

## digitalsy

I just installed glftpd 1.32+tls and everything is working internally/locally however I can't connect from the internet to my ftp.  

glftpd is on port 21

port 21 is forwarded from my firewall (smoothwall) to my internal machine (was working perfectly with proftpd)

here are my configs

```
 cat /etc/xinetd.conf
# Sample configuration file for xinetd
defaults
{
        instances      = 60
        log_type       = SYSLOG authpriv info
        log_on_success = HOST PID
        log_on_failure = HOST
        cps            = 25 30
}
includedir /etc/xinetd.d
```

```
cat /etc/xinetd.d/glftpd
service glftpd
{
    disable = no
    flags           = REUSE NAMEINARGS
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/tcpd
    server_args     = /glftpd/bin/glftpd -l -i -z cert=/glftpd/etc/ftpd-dsa.pem -o
}
```

```
# Server shutdown: 0=server open, 1=deny all but siteops, !*=deny all, etc
shutdown 0
sitename_long   Zeppelin's[:space:]Archive[:space:]FTP
#sitename_short
email           liquidshell@msn.com
rootpath        /glftpd
# Path relative to the ROOTPATH.
datapath        /ftp-data
welcome_msg     /ftp-data/misc/welcome.msg      *
goodbye_msg     /ftp-data/misc/goodbye.msg      *
newsfile        /ftp-data/misc/newsfile         *
banner          /ftp-data/misc/banner
# TLS enforcements.
userrejectsecure        !*
userrejectinsecure      !*
denydiruncrypted        !*
denydatauncrypted       !*
# we will not show the dir/file listings in color
color_mode 1
##############################################################################
# SECTION #     KEYWORD                 DIRECTORY       SEPARATE CREDITS     #
##############################################################################
stat_section    DEFAULT                 *               yes
##############################################################################
##################     THE RIGHTS SECTION BEGINS HERE     ####################
##############################################################################
# (you can use a ! in front of any group/user/flag to negate it)             #
# The default is no, you don't need to add "!*" at the end                   #
#                                                                            #
# Function       Path                   =GROUP or -username or X (flag)      #
##############################################################################
upload          *                               *
resume          *                               *
makedir         *                               *
download        *                               *
dirlog          *                               *
rename          *                               1 =STAFF
filemove        *                               1 =STAFF
renameown       *                               *
nuke            *                               *
delete          *                               1
deleteown       *                               *
##############################################################################
###################     THE RIGHTS SECTION ENDS HERE     #####################
##############################################################################
##############################################################################
# secure_pass   mask            users to whom this rule applies              #
##############################################################################
#secure_pass    a2..            *
##############################################################################
# secure_ip   min. fields   allow hostnames?   need ident?   users to whom this a$
##############################################################################
#secure_ip      1               1               1               *
##############################################################################
#path-filter    group   path/msgfile                    filters
path-filter     *       /ftp-data/misc/pathmsg          ^[-A-Za-z0-9_.()[:space:]$
use_dir_size k /site/incoming
show_totals     *
show_diz        .message
free_space 20
max_users 15 5
total_users 15
# dupecheck     how many days?  ignore file case like Windows?
dupe_check      7               no
dl_incomplete 1
noretrieve      passwd  passwd- group   group-
min_homedir     /site
#############################################################################
#        <cap 1st letter>   <lower/upper>       character conversions...
#file_names     0               lower           [:space:]_
#dir_names      1               none            [:space:]_
#############################################################################
tagline         jesus[:space:]hates[:space:]you
ignore_type  *.[tT][xX][tT] *.[nN][fF][oO] [rR][eE][aA][dD][mM][eE] .message
ignore_type  *.[sS][fF][vV] *.[cC][rR][cC] *.[dD][iI][zZ]
#############################################################################
#pre_dir_check  /bin/dirscript
#pre_check      /bin/dupescript
#post_check     /bin/zipscript
#############################################################################
############## Location #################### Max number of lines in Display #
oneliners       /ftp-data/misc/oneliners        7
requests        /ftp-data/misc/requests         10
lastonline      /ftp-data/misc/lastonline       10
#############################################################################
############################################################################
# Nukedir_Style:
# 1st. Option   [Format: %N = DIR]
# 2nd. Option   0 = Delete ALL, 1 = Save main dir.,  2 = Save ALL (UNNUKE)
# 3rd. Option   [Byte Size] for nuker to discount.
############################################################################
nukedir_style   NUKED-%N        2       50000
empty_nuke      25000
multiplier_max  20
############################################################################
# Private Groups:   privgroup GROUPNAME GROUPDESC                          #
############################################################################
privgroup       STAFF            My[:space:]Private[:space:]Group
############################################################################
# PRIVPATHS:  Directories should be uniquely named (no wildcards)          #
############################################################################
#privpath /site/privatedir      1 =STAFF
############################################################################
# CUSTOM SITE COMMANDS                                                     #
# site_cmd [CMD NAME] [EXEC/TEXT] [PATH TO FILE]                           #
############################################################################     $
site_cmd RULES          TEXT    /ftp-data/misc/site.rules
site_cmd LOCATE         EXEC    /bin/locate.sh
custom-rules    !8 *
custom-locate   !8 *
-addip           1 2 7
-adduser         1 2 7
-change          1 7
-changeflags     1
-changeratio     1 2 7
-changesratio    1 7
-changehomedir   1
-chmod           1
-chgrp           1 7
-chgrp-priv      1
-chpass          1
-delip           1 2 7
-deluser         1 2 7
-dirs           !8 *
-errlog          1
-flags          !8 *
-gadduser        1 7
-ginfo           2 H
-give            G
-group          !3 *
-groups          1
-grpadd          1
-grpdel          1
-grplog          1
-grpnfo          1 2
-grpren          1
-grpstats        *
-help           !8 *
-info           !8 *
-kick            D
-kill            E
-logins          1
-misc           !8 *
-msg            !8 *
-msg*            1
-msg=            1
-msg{           !8 *
-nuke            A
-onel           !8 *
-oneladd        !8 *
-predupe         1 7
-oneladd        !8 *
-predupe         1 7
-passwd         !8 *
-purge           1
-readd           1 2 7
-renuser         1 7
-reqlog          1 A B 7
-request        !8 *
-requestadd     !8 *
-show            1
-stat           !8 *
-stats          !8 *
-swho            =STAFF 1 E
-take            F
-syslog          1 =STAFF
-undupe          C
-unnuke          B
-update          1
-user           !8 *
-users           H
-usercomment     1 7
-userextra       1 2 7
-who            !8 *
-wipe            1
-seen            1
-laston          1
-userothers      1
-traffic         1 7
# Custom
allow_fxp yes
```

My setup is as follows,  smoothwall linux router has 2 nics, one to external cable modem ip=ftp.liquidshell.com  and the other nic to my internal network ip = 192.168.1.1

i have 2 other internal machines, 192.168.1.20 and 192.168.1.21, glftpd is installed on 192.168.1.20 on port 21.  

What else must I do ??? It was working with proftpd without any other configs and 21 port forwarded on my router.

Please help!

----------

## digitalsy

I have also put glftpd: ALL in my /etc/hosts.allow (which I had to create) but nada...

I installed oidentd and started that daemon as per the suggestion in another thread, but that doesn't work, both port 21 and 113(identd) are port forwarded so I don't understand...

Someone's gotta have done this before

-digi

----------

## digitalsy

maybe I can add only from 0.0.0.0/0 in the xinetd.conf but I think I tried that once before...If I try to connect to it from the internet it resolves my ftp name and then just times out...as if it weren't there, what am i doing wrong?! Why does proftpd work on same port and no additional setup?

please help anyone?

-digi

----------

## digitalsy

I added 0.0.0.0/0 but this did not resolve my issue either....

----------

## digitalsy

I just tried modifying my /etc/xinetd.d/glftpd entry and instead of using tcp wrappers for the connection, use glftpd straight.

changed it to this

```
cat /etc/xinetd.d/glftpd
service glftpd
{
    disable = no
    flags           = REUSE NAMEINARGS
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
#    server          = /usr/sbin/tcpd
    server          = /glftpd/bin/glftpd
    server_args     = -l -i -z cert=/glftpd/etc/ftpd-dsa.pem -o
    only_from       = 0.0.0.0/0
}
```

I restarted xinetd and I can only still connect locally. I made sure oidentd was running but nada. I just get connecting to ftp.liquidshell.com....timeout

What am i missing arggghhhh

-digi

----------

## SpanKY

so you're saying that if you shut down glftpd and start up pureftp and don't change anything else it works fine ?

----------

## digitalsy

Exactly. 

It could be a pasv port issue or an ident issue or both or something else, however I can't be sure. I've tried a lot of things :(

I did notice that in proftpd.conf I have IdentLookups         off

I checked xinetd.conf and /etc/xinetd.d/glftpd and there is nothing in there about USERID (which is identd checking)

Man you gotta help me out this is so frustrating...what I did notice is that the ftp client that's trying to connect to my glftpd from the outside has something like the following from netstat

```
tcp        0      1 192.168.1.20:33027      24.202.59.238:21        SYN_SENT    4702/ncftp
```

(trying to connect from my local machine but with the external ip)  it always picks a random port above 32000 or 33000 and tries to connect to my glftpd....

any help would severely be appreciated

thanks

digi

----------

## digitalsy

I don't think it has anything to do with the fact I'm using my internal machine to try to connect to my outside ip and thus loop back into itself..? Should have no effect cuz it worked ok like that for proftpd....

digi

----------

## SpanKY

did you try this:

http://www.glftpd.com/docs/glftpd_faq.html#1.49

----------

## digitalsy

Yup

1.49) I can connect to newly installed glftpd from localhost, but not from outside.

1) Add *@* to the user you're trying to connect as (yes, if your IP is not added to any users, you won't even get a login prompt). done

2) Add "glftpd: ALL" to /etc/hosts.allow (unless you didn't use tcpd in inetd.conf) done

3) Make sure you're not using a firewall of some kind. yes i am (smoothwall)

4) If you're using "valid_ip" in config file, comment it out and try again. not using

5) Check glftpd logs and system logs (make sure your system logs errors) just see basic errors like connect failure

still won't connect

It would be easier to chat on aim if you have it, i will pm you my screen name and we can post results in forum after, but back and forth posting is kind of slow...

-digi

----------

## ikaro

*edit*

Got it fixed.

edited /etc/xinetd.d/glftpd and commented the "allow from 0.0.0.0"

and in the glftpd.conf only have pasv_port: <startport-endport> and pasv_addr: <global ip address>

/edit

I am not trying to hijack your thread, but since I am also running behind a router and have glftpd ..

outside people get this message:

```
cant create data connection
```

that's about the pasv_ports range, right?

those I have forwarded in the firewall (shorewall)

```
425 Can't create data socket (xxx.xxx.xxx.xx,0): Cannot assign requested address
```

I am using the latest glftpd 1.32 or whatever it is this time.

----------

## ikaro

you are missing this in the glftpd.conf:

```
# pasv_addr <globalip>
# for example:
pasv_addr 123.123.123.23
pasv_ports 1400-1500 2500-3500
# or some other port ranges (remember to forward on the firewall)
```

and comment this line:

```
only_from       = 0.0.0.0/0
```

from /etc/xinetd.d/glftpd

restart xinetd :)

hope it helps.

----------

## digitalsy

Yeah, I was able to get it working like that. I have only_from 0.0.0.0/0 in my /etc/xinetd.d/glftpd (does not harm anything being there)

I also added this (similar to your entry)

```
# Custom
ifip 127.0.0.1
elseip
pasv_addr ftp.liquidshell.com 1
pasv_ports 32700-32715
endifip
allow_fxp yes
```

I forwarded ports 32700-32715 through my firewall (smoothwall)

Now everything works (providing user trying to connect has ident (port 113) open). A windows xp friend behind a router was unable to connect, so i vnc'd to his box, and port forwarded 113 to his lan ip, then it worked perfectly.

Thanks for all your help SpanKY, thx ikaro for responding also :)

-digi
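
A diagnostic for the fix described in this thread, as an added example that is not part of the original posts: it parses the `227` reply a server behind NAT sends to `PASV` and reports when the advertised address is private or the data port falls outside the range forwarded on the firewall. The function names, the sample replies and the 203.0.113.10 address are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 private ranges plus loopback: unreachable for a client on the internet.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (address, port) from '227 ... (h1,h2,h3,h4,p1,p2)'."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError(f"field out of range in: {reply!r}")
    addr = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return addr, nums[4] * 256 + nums[5]

def parse_ranges(spec):
    """Parse a pasv_ports-style value such as '1400-1500 2500-3500'."""
    ranges = []
    for part in spec.split():
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def check_pasv(reply, forwarded_ports):
    """List the reasons an external client could not open the data connection."""
    addr, port = parse_pasv(reply)
    problems = []
    if any(addr in net for net in NON_ROUTABLE):
        problems.append(f"advertised address {addr} is not routable from outside; "
                        "set pasv_addr to the public address")
    if not any(lo <= port <= hi for lo, hi in parse_ranges(forwarded_ports)):
        problems.append(f"data port {port} is outside forwarded range {forwarded_ports}; "
                        "make pasv_ports match the firewall forward")
    return problems

if __name__ == "__main__":
    # Constructed replies; 203.0.113.10 is a documentation address.
    for reply in ("227 Entering Passive Mode (192,168,1,20,127,190)",
                  "227 Entering Passive Mode (203,0,113,10,4,0)",
                  "227 Entering Passive Mode (203,0,113,10,127,190)"):
        print(reply, "->", check_pasv(reply, "32700-32715") or "ok")
```

Feed it the `227` line an outside client logs during a failed listing, together with the range forwarded on the router.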

----------

## aslkdj

Hi. I have the EXACT same problem, but still doesn't work!

This is what I've done:

- removed the line with only_from 0.0.0.0/0

- added this to glftpd.conf:

```
ifip 192.168.*
pasv_addr 192.168.1.20
elseip
...
```

I also tried with just

```
pasv_addr <my.external.ip>
```

but all that did was make listing not work when connecting locally.

- added

```
glftpd <port>/tcp
```

to /etc/services

- added port range 1024-2048 and port <my ftp port> to the NAT in my router, forwarding them to 192.168.1.20, of course

- I deleted a line similar to only_from in /etc/xinetd.conf

I've also tried changing the internal ip in eth0 and ftp port and then opening that port in the firewall and pointing it to the new internal ip. Same result.

Can't connect externally, only from internal.

I feel like I've tried everything here. Can anyone please help?

----------

## aslkdj

"Solved" it by doing a clean install manually (no emerge), adding as a different name (not sure it was needed) and different port (there was still the old "glftpd <port>/tcp ") and voila.

----------

