
Passive FTP using FTP profile

PInkFloyd

Hi Community,

I have an F5 BIG-IP 16.0.1.1 running on AWS with an FTP server behind it running vsftpd.

The idea is to balance passive FTP publicly, so clients should hit the public IP of the F5 for passive FTP. This scenario runs perfectly without an FTP profile, just a TCP profile (all ports) and the pasv_address option on the FTP server pointing to the public IP address of the F5. But I need to have this working with the FTP profile in order to implement extra security for FTP on the F5.

I've tried to implement FTP passive load balancing using the official documentation (https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-local-traffic-manager-implementations/load-balancing-passive-mode-ftp-traffic.html), but no matter what combination or configuration is implemented on the F5 and the FTP server, if I have the FTP profile the message "passive mode refused" is always received after the PASV request. It only works if I use this for internal passive FTP, meaning that I do not configure a "pasv_address" on the FTP server and the client that requests the connection is in the same LAN as the F5 and the FTP server, so everything resolves internally.

As I said, I've tried a lot of combinations and settings on the F5 and the FTP servers, but nothing works. Could someone give me a little guidance here?

Thanks in advance.

7 REPLIES

Can you share your config? This works for me out of the box.

I am using the default FTP profile.

root@(ffive01)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile ftp ftp
ltm profile ftp ftp {
    app-service none
}

I have a virtual listening on port 21 and the following iRule attached.

when SERVER_CONNECTED {
    FTP::port 40000 40200
}

And this is my vsftpd.conf

listen=NO
listen_ipv6=YES
xferlog_enable=YES
secure_chroot_dir=/var/run/vsftpd/empty
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=40000
pasv_max_port=40200
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO

No issues at all, see tcpdump.


Hi Daniel,

First, thanks for sharing this information with me.

I duplicated your configs, just to prevent misconfigurations.

Here is my config.

admin@(TESTING01)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile ftp ftp
ltm profile ftp ftp {
    app-service none
}

FTP config

listen=NO
listen_ipv6=YES
local_enable=NO
anonymous_enable=YES
write_enable=NO
anon_root=/ftp/test
xferlog_enable=YES
dual_log_enable=YES
log_ftp_protocol=YES
vsftpd_log_file=/ftp/logs/vsftpd.log
xferlog_file=/ftp/logs/xferlog.log
pasv_min_port=40000
pasv_max_port=40200
anon_umask=022
banner_file=/etc/vsftpd/banner.txt

VIP config (config not listed below has been kept as default)

source address: any
destination address: any
Service Port: 21 ftp
Protocol: tcp
ftp profile: ftp
Vlan and Tunnel traffic: all VLANs and tunnels
Source Address Translation: auto map
Address translation: enabled
port translation: enabled
Default Pool: FTP POOL

I've created an FTP monitor that retrieves a file from the FTP server, attached it to the FTP pool, and it's working OK.

The issue starts when a remote source (whitelisted for access) connects to the FTP using the F5 public IP; everything looks good until the remote source requests PASV.

If my FTP pool member is configured with its public IP, the error received after PASV is

421 Service not available, remote server has closed connection Passive mode refused.

If my FTP pool member is configured using its private IP, the client receives "227 Entering Passive Mode (private VIP IP, ephemeral port)", which obviously cannot be resolved by the remote source.

I downloaded an iRule that I found in this forum that preserves ephemeral ports, and I modified it to send (no matter what) the public IP of the F5 when PASV is requested (keeping the ephemeral port as it is), but again "passive mode refused".

I've tried other combinations like using "pasv_address" on the FTP server, pointing to the F5 public and private IP, but it only works if I point to the public IP address of the F5 and remove the FTP profile from the VIP.

Did you add the iRule from my example too?

Do you really have destination address set to any?

I would compare my lab config again later today, to see if I did any further "magic" on vsftpd, or maybe I have a setting in my FTP client that is important... I set that up 3 years ago and never touched it since, except for installing Linux updates.

I checked this further and I cannot find any difference. I checked if I missed something in my vsftpd.conf... nope.

Your VS config seems OK, too. Can you check the destination 0.0.0.0:0 (any) and the iRule? That seems off....

In my Wireshark capture it looks like this:

vsftp server ----> floating self-IP    >> ftp.passive.ip == <IP address of the vsftp server>
virtual server ----> client            >> ftp.passive.ip == <IP address of the F5 virtual>

So the value for ftp.passive.ip gets updated and replaced properly.

I tried with FileZilla and WinSCP, no special config required there either. Just works.

Yes, I added your iRule.

Are you using a single interface? Is your FTP setup residing on AWS? Because my test lab includes a single interface on the F5 with an EIP (AWS) attached.

So, I realized that the FTP profile is just translating the IP address configured as pasv_address on the FTP server to the address configured on the VIP as "destination address", and only when no pasv_address is configured on the FTP server, or it is configured pointing to the public IP of the FTP server, or it is configured using the private IP address. But if pasv_address is manually configured to be the public IP address of the F5, nothing is translated and the client receives

421 Service not available, remote server has closed connection Passive mode refused.

But if I leave the FTP server pasv_address option pointing to the public IP address of the F5, remove the FTP profile on the VIP and change the service port to "all ports", it works perfectly.

So it seems to me (maybe I'm completely wrong) that the FTP profile is unable to translate the received pasv_address (no matter what is received) to the public IP that the F5 has been assigned by AWS (EIP).

Make sense?
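To make the failure modes in this thread concrete (the "227 ... (private VIP IP, ...)" reply that a remote client cannot reach, and the profile only rewriting the pool member's address to the VIP's destination address), here is an added diagnostic script that is not from the thread or from F5. It parses RFC 959 passive replies, models that rewrite as described above (a simplified model, not BIG-IP code), and flags a 227 that advertises a private address; the member address 10.0.1.20, VIP 10.0.1.5 and public 52.1.2.3 are constructed sample values.

```python
import ipaddress
import re

# RFC 959 passive reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2); port = p1*256 + p2.
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply: str):
    """Return (ip, port) advertised by a 227 reply, or None for any other reply (e.g. a 421)."""
    m = PASV_RE.match(reply.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def format_pasv(ip: str, port: int) -> str:
    """Build the 227 line a client would see for this address and port."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (ip.replace(".", ","), port // 256, port % 256)


def rewrite_pasv(reply: str, member_ip: str, vip_ip: str) -> str:
    """Simplified model of the rewrite described in the thread: an advertised address equal to
    the pool member is swapped for the virtual server's destination address, keeping the port;
    any other address (such as an AWS EIP set as pasv_address) is left untouched."""
    parsed = parse_pasv(reply)
    if parsed is None or parsed[0] != member_ip:
        return reply
    return format_pasv(vip_ip, parsed[1])


def advertised_address_is_public(reply: str) -> bool:
    """True when the 227 advertises an address an Internet client could route to.
    A private VIP or pool address here is exactly the failing case from the thread."""
    parsed = parse_pasv(reply)
    return parsed is not None and not ipaddress.ip_address(parsed[0]).is_private


if __name__ == "__main__":
    # Constructed sample replies (not captured from the thread's servers).
    for reply in ("227 Entering Passive Mode (10,0,1,20,156,64)",
                  "421 Service not available, remote server has closed connection"):
        out = rewrite_pasv(reply, "10.0.1.20", "10.0.1.5")
        print(out, "-> reachable from the Internet:", advertised_address_is_public(out))
```

Feed it the 227 lines from a tcpdump or Wireshark capture on both sides of the BIG-IP to see which address the client is actually told to connect to.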

 

 

 

D'oh! My head just crashed on my desk. I missed the obvious because I didn't pay attention to the specifics of AWS. Yes... totally makes sense.

I am not even sure if having a second interface would help solve the issue, because the virtual IP is always a private IP address. The NAT is done outside the BIG-IP, in AWS, as far as I know. So whatever address the FTP profile would add or replace, it would not be the public IP.

Also I don't see a way to work around this with an iRule.

You are right, NAT is done outside the BIG-IP at the AWS level.

I've found an iRule here in the forum that is used to preserve the ephemeral ports on passive FTP (https://clouddocs.f5.com/api/irules/Passive-FTP-Preserve-Pool-Member-Ephemeral-Port.html) and I changed it to always send the public IP address assigned to the F5 by AWS; doing this, the client receives the correct IP to connect to, bypassing whatever translation the FTP profile tries to make.

Anyway, it doesn't work: the client receives "227 connection to {{aws public ip, ephemeral ports}}" (I've checked that the FTP server really sent those), but the connection dies there....

I'm really stuck with this. I will keep you posted if I find something, but I'm not seeing another option than contacting F5 and checking if they have a workaround for this.