{"id":162,"date":"2008-10-14T15:30:08","date_gmt":"2008-10-14T13:30:08","guid":{"rendered":"http:\/\/michauko.org\/blog\/?p=162"},"modified":"2009-10-08T15:14:39","modified_gmt":"2009-10-08T13:14:39","slug":"falling-back-to-port-instead-of-pasv-mode","status":"publish","type":"post","link":"https:\/\/michauko.org\/blog\/falling-back-to-port-instead-of-pasv-mode-162\/","title":{"rendered":"Falling back to PORT instead of PASV mode"},"content":{"rendered":"

Raaah, je me trainais ce truc l\u00e0 depuis longtemps ; pourtant je sais parfaitement que le FTP est un de ces protocoles un peu pourris vis-\u00e0-vis des firewalls (et proxies), mais j’avais jamais rien fait pour m’arranger la situation.
\nBref, l’occasion de faire un rappel – je passe la th\u00e9orie car je donnerais dans l’\u00e0 peu pr\u00e8s, mais j’explique l’aspect pratique pour r\u00e9gler le probl\u00e8me titre de cet article.<\/p>\n

Lorsque vous avez des probl\u00e8mes de mode passif, actif etc en FTP, pensez \u00e0 ceci.
\nSi quelqu’un veut poster en commentaire la th\u00e9orie expliquant le probl\u00e8me, n’h\u00e9sitez pas. Il me semble me rappeler des histoires de trames FTP contenant les IP \u00e9mettrices et donc n\u00e9cessit\u00e9 d’avoir des modules de masquerading particulier pour bien g\u00e9rer le FTP… un vague r\u00e9sidu de cours de r\u00e9seau \ud83d\ude42<\/em><\/p>\n

La configuration<\/h1>\n

J’ai un serveur avec :<\/p>\n

  • un FTP – restreints \u00e0 certaines IP, rappelez-vous que FTP n’est pas du tout s\u00fbr (mot de passe en clair) et qu’il vaut mieux privil\u00e9gier SFTP (du FTP par dessus SSH), <\/li>\n
  • un shorewall ouvrant les ports 20 et 21<\/li>\n

    Bref que du bonheur en apparence.<\/p>\n

    Le probl\u00e8me<\/h1>\n

    Malgr\u00e9 \u00e7a, je gal\u00e8re toujours d’un client FTP \u00e0 l’autre. Le dernier en date : ncftp pour des \u00e9changes depuis un LAN vers ce serveur public. Ca se traduit par un cafouilli g\u00e9n\u00e9ral dans les modes passifs etc.
    \nEt un message d’erreur que pour une fois, j’ai relu lentement et me suis rappel\u00e9 le coup du NAT sp\u00e9cifique FTP :<\/p>\n

    Falling back to PORT instead of PASV mode<\/pre>\n
    En soit, je me foutais de savoir comment le client FTP \u00e9tablissait sa connexion, car dans tous les cas \u00e7a marchait, \u00e7a restait s\u00e9curis\u00e9 dans la limite de ce que je demandais, mais c’\u00e9tait surtout que la compl\u00e9tion de nom, style cd rep TAB-TAB-TAB<\/code> mettait 20 secondes \u00e0 r\u00e9pondre le temps de passer en mode \u00ab\u00a0PORT\u00a0\u00bb justement. Soit environ 19,8 secondes de trop.<\/p>\n
    Comment on le r\u00e8gle ?<\/h1>\n
    On pense \u00e0 activer le NAT sp\u00e9cifique au protocole FTP, dans netfilter. Pour ce faire, par exemple via l’outil modconf<\/code> (ou sudo modconf<\/code> chez Ubuntu) afin d’activer ces 2 modules :
    \n.\/kernel\/net\/netfilter\/nf_conntrack_ftp.ko
    \n.\/kernel\/net\/ipv4\/netfilter\/nf_nat_ftp.ko<\/p>\n
    Point besoin de rebooter, rien.
    \nVoil\u00e0, un protocole FTP mieux g\u00e9r\u00e9 par firewall netfilter sur votre serveur.<\/p>\n
    Excusez-moi pour l\u00a0\u00bb\u00e0 peu pr\u00e8s technique concernant cet article. FTP \u00e7a me gave, c’est un sac d’ennuis ce truc. Mais c’est pratique.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"
    Raaah, je me trainais ce truc l\u00e0 depuis longtemps ; pourtant je sais parfaitement que le FTP est un de ces protocoles un peu pourris vis-\u00e0-vis des firewalls (et proxies), mais j’avais jamais rien fait …<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[2,82,389,83],"tags":[251,249,252,253,250],"class_list":["post-162","post","type-post","status-publish","format-standard","hentry","category-debian","category-pl","category-reseau-secu","category-ubuntu","tag-firewall","tag-ftp","tag-masquerading","tag-net","tag-netfilter"],"yoast_head":"\nFalling back to PORT instead of PASV mode - Le blog de Michauko<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/michauko.org\/blog\/falling-back-to-port-instead-of-pasv-mode-162\/\" \/>\n<meta property=\"og:locale\" content=\"fr_FR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Falling back to PORT instead of PASV mode - Le blog de Michauko\" \/>\n<meta property=\"og:description\" content=\"Raaah, je me trainais ce truc l\u00e0 depuis longtemps ; pourtant je sais parfaitement que le FTP est un de ces protocoles un peu pourris vis-\u00e0-vis des firewalls (et proxies), mais j’avais jamais rien fait …\" \/>\n<meta property=\"og:url\" content=\"https:\/\/michauko.org\/blog\/falling-back-to-port-instead-of-pasv-mode-162\/\" \/>\n<meta property=\"og:site_name\" content=\"Le blog de Michauko\" \/>\n<meta property=\"article:published_time\" content=\"2008-10-14T13:30:08+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2009-10-08T13:14:39+00:00\" \/>\n<meta name=\"author\" content=\"michauko\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"michauko\" \/>\n\t<meta name=\"twitter:label2\" content=\"Dur\u00e9e de lecture estim\u00e9e\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/falling-back-to-port-instead-of-pasv-mode-162\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/falling-back-to-port-instead-of-pasv-mode-162\\\/\"},\"author\":{\"name\":\"michauko\",\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/#\\\/schema\\\/person\\\/0cd9f3d9ce4dccc05df81a5b27051ea9\"},\"headline\":\"Falling back to PORT instead of PASV mode\",\"datePublished\":\"2008-10-14T13:30:08+00:00\",\"dateModified\":\"2009-10-08T13:14:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/falling-back-to-port-instead-of-pasv-mode-162\\\/\"},\"wordCount\":433,\"commentCount\":6,\"keywords\":[\"firewall\",\"ftp\",\"masquerading\",\"net\",\"netfilter\"],\"articleSection\":[\"Debian\",\"planet-libre.org\",\"reseau et s\u00e9cu\",\"Ubuntu\"],\"inLanguage\":\"fr-FR\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/michauko.org\\\/blog\\\/falling-back-to-port-instead-of-pasv-mode-162\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/falling-back-to-port-instead-of-pasv-mode-162\\\/\",\"url\":\"https:\\\/\\\/michauko.org\\\/blog\\\/falling-back-to-port-instead-of-pasv-mode-162\\\/\",\"name\":\"Falling back to PORT instead of PASV mode - Le blog de Michauko\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/#website\"},\"datePublished\":\"2008-10-14T13:30:08+00:00\",\"dateModified\":\"2009-10-08T13:14:39+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/#\\\/schema\\\/person\\\/0cd9f3d9ce4dccc05df81a5b27051ea9\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/falling-back-to-port-instead-of-pasv-mode-162\\\/#breadcrumb\"},\"inLanguage\":\"fr-FR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/michauko.org\\\/blog\\\/falling-back-to-port-instead-of-pasv-mode-162\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/falling-back-to-port-instead-of-pasv-mode-162\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/michauko.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Falling back to PORT instead of PASV mode\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/michauko.org\\\/blog\\\/\",\"name\":\"Le blog de Michauko\",\"description\":\"Si tu ne comprends pas le titre de l'article, passe ton chemin\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/michauko.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"fr-FR\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/michauko.org\\\/blog\\\/#\\\/schema\\\/person\\\/0cd9f3d9ce4dccc05df81a5b27051ea9\",\"name\":\"michauko\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5c3a8969c185fd0eef3893a15408f3ef1b36a6681a066b1eb32045643c30ba65?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5c3a8969c185fd0eef3893a15408f3ef1b36a6681a066b1eb32045643c30ba65?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/5c3a8969c185fd0eef3893a15408f3ef1b36a6681a066b1eb32045643c30ba65?s=96&d=mm&r=g\",\"caption\":\"michauko\"},\"sameAs\":[\"http:\\\/\\\/michauko.org\\\/\"],\"url\":\"https:\\\/\\\/michauko.org\\\/blog\\\/author\\\/randomized2\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Falling back to PORT instead of PASV mode - Le blog de Michauko","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/michauko.org\/blog\/falling-back-to-port-instead-of-pasv-mode-162\/","og_locale":"fr_FR","og_type":"article","og_title":"Falling back to PORT instead of PASV mode - Le blog de Michauko","og_description":"Raaah, je me trainais ce truc l\u00e0 depuis longtemps ; pourtant je sais parfaitement que le FTP est un de ces protocoles un peu pourris vis-\u00e0-vis des firewalls (et proxies), mais j’avais jamais rien fait …","og_url":"https:\/\/michauko.org\/blog\/falling-back-to-port-instead-of-pasv-mode-162\/","og_site_name":"Le blog de Michauko","article_published_time":"2008-10-14T13:30:08+00:00","article_modified_time":"2009-10-08T13:14:39+00:00","author":"michauko","twitter_card":"summary_large_image","twitter_misc":{"\u00c9crit par":"michauko","Dur\u00e9e de lecture estim\u00e9e":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/michauko.org\/blog\/falling-back-to-port-instead-of-pasv-mode-162\/#article","isPartOf":{"@id":"https:\/\/michauko.org\/blog\/falling-back-to-port-instead-of-pasv-mode-162\/"},"author":{"name":"michauko","@id":"https:\/\/michauko.org\/blog\/#\/schema\/person\/0cd9f3d9ce4dccc05df81a5b27051ea9"},"headline":"Falling back to PORT instead of PASV mode","datePublished":"2008-10-14T13:30:08+00:00","dateModified":"2009-10-08T13:14:39+00:00","mainEntityOfPage":{"@id":"https:\/\/michauko.org\/blog\/falling-back-to-port-instead-of-pasv-mode-162\/"},"wordCount":433,"commentCount":6,"keywords":["firewall","ftp","masquerading","net","netfilter"],"articleSection":["Debian","planet-libre.org","reseau et s\u00e9cu","Ubuntu"],"inLanguage":"fr-FR","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/michauko.org\/blog\/falling-back-to-port-instead-of-pasv-mode-162\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/michauko.org\/blog\/falling-back-to-port-instead-of-pasv-mode-162\/","url":"https:\/\/michauko.org\/blog\/falling-back-to-port-instead-of-pasv-mode-162\/","name":"Falling back to PORT instead of PASV mode - Le blog de Michauko","isPartOf":{"@id":"https:\/\/michauko.org\/blog\/#website"},"datePublished":"2008-10-14T13:30:08+00:00","dateModified":"2009-10-08T13:14:39+00:00","author":{"@id":"https:\/\/michauko.org\/blog\/#\/schema\/person\/0cd9f3d9ce4dccc05df81a5b27051ea9"},"breadcrumb":{"@id":"https:\/\/michauko.org\/blog\/falling-back-to-port-instead-of-pasv-mode-162\/#breadcrumb"},"inLanguage":"fr-FR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/michauko.org\/blog\/falling-back-to-port-instead-of-pasv-mode-162\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/michauko.org\/blog\/falling-back-to-port-instead-of-pasv-mode-162\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/michauko.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Falling back to PORT instead of PASV mode"}]},{"@type":"WebSite","@id":"https:\/\/michauko.org\/blog\/#website","url":"https:\/\/michauko.org\/blog\/","name":"Le blog de Michauko","description":"Si tu ne comprends pas le titre de l'article, passe ton chemin","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/michauko.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"fr-FR"},{"@type":"Person","@id":"https:\/\/michauko.org\/blog\/#\/schema\/person\/0cd9f3d9ce4dccc05df81a5b27051ea9","name":"michauko","image":{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/secure.gravatar.com\/avatar\/5c3a8969c185fd0eef3893a15408f3ef1b36a6681a066b1eb32045643c30ba65?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/5c3a8969c185fd0eef3893a15408f3ef1b36a6681a066b1eb32045643c30ba65?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/5c3a8969c185fd0eef3893a15408f3ef1b36a6681a066b1eb32045643c30ba65?s=96&d=mm&r=g","caption":"michauko"},"sameAs":["http:\/\/michauko.org\/"],"url":"https:\/\/michauko.org\/blog\/author\/randomized2\/"}]}},"_links":{"self":[{"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/posts\/162","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/comments?post=162"}],"version-history":[{"count":3,"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/posts\/162\/revisions"}],"predecessor-version":[{"id":758,"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/posts\/162\/revisions\/758"}],"wp:attachment":[{"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/media?parent=162"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/categories?post=162"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michauko.org\/blog\/wp-json\/wp\/v2\/tags?post=162"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}