Need HELP for advanced FTP setup with permissions

xlameee

Explorer
Joined
Jun 22, 2018
Messages
87
Hello

My version of TrueNAS is TrueNAS-12.0-U6
I need to have a full FTP server working and ready for multi-user access. I have a lot of applications that require an FTP server to back up to or download from.

I can't get it to work :(

I need to have:

1. dataset /mnt/Disk1/FTP to be accessible only by the ftpAdmin
2. sub-datasets
mnt/Disk1/FTP/User1 to be accessible by the User1 and ftpAdmin
mnt/Disk1/FTP/User2 to be accessible by the User2 and ftpAdmin
mnt/Disk1/FTP/User3 to be accessible by the User3 and ftpAdmin
and so on

Here is my FTP service configuration

With this configuration none of the users can connect to FTP

I use WinSCP Software for Windows to access FTP and all I get is:

"An attempt was made to access a socket in a way forbidden by its access permissions.
Connection failed."





service1.png

service2.png


Here are my main dataset settings for FTP; I call it "FTP_WWW"

dataset_ftp_www.png


Here are the Permissions for FTP_WWW

dataset_ftp_www_premissions.png


Here is the ftpAdmin Configuration

ftpAdmin.png


Here is the sub-dataset configuration

sub-dataset_carpo.png



Here is the sub-dataset Permissions

sub-dataset_carpo_permissions.png


Here is the User1 (I call it "Carpo") configuration

carpo.png
 

Heracles

Wizard
Joined
Feb 2, 2018
Messages
1,401
use WinSCP Software for Windows to access FTP and all I get is:

Are you sure you are trying to use FTP and not SFTP? In all cases, to use SFTP would be better and safer.

FTP is often problematic because of its second channel. The client connects to it over port 21 for the command channel, but data is exchanged over a second channel. In active mode, the server calls back the client from its own port 20 to a random port. In this mode, security software on the client side may well block that second channel, preventing FTP from working. If NAT is involved, it will also be a show stopper.

In passive mode, the client opens the second channel from one random port to another random port on the server. If there is a firewall in front of that server, it must be able to detect that second channel and open it on demand. Otherwise, all ports must be opened, something that would defeat the firewall's purpose completely.

"An attempt was made to access a socket in a way forbidden by its access permissions.
Connection failed."

From your error message, I would guess that this is blocked by a local firewall on TrueNAS. I remember others in the forum talking about such filtering and how they had problems with it when trying to connect over VPN.

So my first suggestion would be to get rid of FTP. FTP has been dead for over 15 years. Time to move to up-to-date tools and services.

If you really must stay with such a crappy, unsafe and problematic service, I am pretty sure that the root cause is packet filtering in TrueNAS, but because I do not use it / did not need to interact with it myself, I cannot tell you much more.
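
Added example, not part of the original post: the data-channel endpoint discussed above travels inside the control channel, in the client's PORT command (active mode) or the server's 227 reply (passive mode), as defined in RFC 959. The sketch decodes both and reports which side must accept an inbound connection; the function names, IP addresses and the passive port range are assumptions made for illustration.

```python
import re

# Assumption: the passive port range a firewall in front of the server permits.
PASSIVE_RANGE = range(50000, 50101)
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_endpoint(line):
    """Return (ip, port) from a PORT command or a 227 reply: port = p1*256 + p2."""
    m = _TUPLE.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        raise ValueError("value above 255 in %r" % line)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_channel(line, client_ip, server_ip, passive_range=PASSIVE_RANGE):
    """Say who opens the data connection, where to, and what may block it.

    client_ip: client address as the server sees it on the control channel.
    server_ip: server address the client dialled for the control channel.
    """
    ip, port = decode_endpoint(line)
    notes = []
    if line.upper().startswith("PORT"):
        # Active: server connects back from its port 20 to the client's listener.
        mode, initiator, expected = "active", "server", client_ip
    elif line.startswith("227"):
        # Passive: client connects to a port the server just opened.
        mode, initiator, expected = "passive", "client", server_ip
        if port not in passive_range:
            notes.append("port outside the allowed passive range")
    else:
        raise ValueError("not a PORT command or a 227 reply: %r" % line)
    if ip != expected:
        notes.append("advertised address differs from control peer (NAT?)")
    return {"mode": mode, "initiator": initiator, "listen": (ip, port), "notes": notes}

# Constructed control-channel lines (not captured from the thread).
SAMPLES = [
    ("PORT 192,168,1,50,200,10", "192.168.1.50", "192.168.1.10"),
    ("PORT 192,168,1,50,200,10", "203.0.113.7", "198.51.100.20"),
    ("227 Entering Passive Mode (192,168,1,10,195,149)", "192.168.1.50", "192.168.1.10"),
    ("227 Entering Passive Mode (192,168,1,10,4,1)", "192.168.1.50", "192.168.1.10"),
]

if __name__ == "__main__":
    for line, client, server in SAMPLES:
        print(line, "->", data_channel(line, client, server))
```

An empty `notes` list means the advertised endpoint matches the control peer and, for passive mode, falls inside the permitted range.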
 

xlameee

I had no idea that TrueNAS has a firewall. Where is it?

I am OK with SFTP but I have no idea how to set it up in TrueNAS

Thank you
 

xlameee

Actually, I cannot use SFTP, only FTP

I am using it to give external file storage for yetishare script
that thing supports only FTP

Can you please HELP me create an FTP server? The security does not concern me because it is a local server and will never go public
 

Heracles

to give external file storage
is a local server and will never go public

Well, you have to make up your mind first... Is this for external storage or is it local?

yetishare script
that thing supports only FTP

Any reason why not to replace that one instead? SFTP is very easy to script and is actually meant to be a one-to-one replacement in scripts that were designed for FTP. If you insist on keeping that script, you could edit it to switch it to SFTP.

Can you please HELP me create an FTP server

Well, maybe others but not me... I stopped using that crappy service too long ago and will never use it again.

the security does not concern me

As it does concern me, I will not help others put their own stuff at high risk. People always say that they accept the risk until they are hit and then they start to complain.

If you insist on working that way, do some forum search / google search about FreeBSD / TrueNAS' firewall. I think it is based on "pf"...
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
If you insist on working that way, do some forum search / google search about FreeBSD / TrueNAS' firewall. I think it is based on "pf"...
Sorry, but this is FUD. TrueNAS does not come with any firewall enabled by default. The firewall is most certainly not the OP's problem.

pf is disabled:
Code:
root@freenas[~]# pfctl -s all  
FILTER RULES:

INFO:
Status: Disabled                              Debug: Urgent
[...]


And ipfw is active but set to "allow all":
Code:
root@freenas[~]# ipfw list
65535 allow ip from any to any


To the OP's problem:

You can try your local user accounts when logged on to a shell on your NAS as "root" with:
Code:
su - <someuser>
id <someuser>
ls -ld ~<someuser>

The output of these commands could be interesting.

Also in the screenshot of your "Carpo" user I spot what is probably a typo: "capro" vs. "carpo".
Kind regards,
Patrick
 
xlameee

The problem was with the YETISHARE settings. In the FTP server settings, Passive Mode was set to NO by default.

So now it is all working fine, but just for the record: never buy YetiShare. It is full of bugs, and support, well... where do I start? It's been 7 days since I posted on the forum and I am still waiting for approval. Waste of $100.
 

Patrick M. Hausen

You did not test on the command line first? Like ftp <ip address> ...?
And why should passive mode matter? It's only relevant if you go through NAT devices. You did not put your TrueNAS on the public Internet, did you?
 

xlameee

I don't know why, but it is working. No, I did not put your TrueNAS on the public Internet :)
 