
FTP PASV breaks control connection
Open, Normal, Public, BUG

Description

I'm running a local FTP server behind VyOS with the firewall opened to allow the control connection on TCP/21. Clients on the WAN side are able to interact with the FTP server up until a PASV command is issued. The FTP server responds with an internal IP and port and this is properly mangled by conntrack to VyOS's WAN IP. Clients are then able to establish the data connection; however, at this point the control connection is wedged. Packets from both sides, which moments before crossed the NAT, are now dropped at VyOS.

Clients which issue an EPSV command instead continue to have a functional control connection, are also able to establish the data connection, and complete an FTP transfer.

vyos@vyos:~$ show version
Version:          VyOS 1.5-rolling-202409210006
Release train:    current
Release flavor:   generic

Built by:         [email protected]
Built on:         Sat 21 Sep 2024 00:06 UTC
Build UUID:       2f25692e-e899-4266-b0e6-388578fea859
Build commit ID:  3f579439714481

Architecture:     x86_64
Boot via:         installed image
System type:      Xen HVM guest
Secure Boot:      n/a (BIOS)

Hardware vendor:  Xen
Hardware model:   HVM domU
Hardware S/N:     [snipped]
Hardware UUID:    [snipped]

Copyright:        VyOS maintainers and contributors
vyos@vyos# show nat destination rule 51
 destination {
     port 21
 }
 inbound-interface {
     name eth0
 }
 protocol tcp
 translation {
     address 192.168.0.10
     port 21
 }
vyos@vyos# show nat source
 rule 100 {
     outbound-interface {
         name eth0
     }
     source {
         address 192.168.0.0/24
     }
     translation {
         address masquerade
     }
 }
 rule 110 {
     description Hairpin
     destination {
         address 192.168.0.0/24
     }
     outbound-interface {
         name eth1
     }
     protocol tcp_udp
     source {
         address 192.168.0.0/24
     }
     translation {
         address masquerade
     }
 }
vyos@vyos# show system conntrack
 modules {
     ftp
     h323
     nfs
     pptp
     sip
     sqlnet
     tftp
 }

It sounded like this worked earlier in the year, per T5376, but I'm unable to find a copy of rolling-202402230022 to confirm.
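The following is an added illustration, not VyOS code and not the kernel's nf_conntrack_ftp/nf_nat_ftp helper, of the two jobs the FTP helper has to do for the scenario in the report: parse the server's 227 (PASV) reply, rewrite its private address to the public one, and register the expected data connection so conntrack will accept it and DNAT it to the server. It also shows why a 229 (EPSV) reply is the easier case: it carries only a port, so only the expectation is needed and no payload is touched. The sample replies, the private address 192.168.0.10 (taken from the NAT rule above) and the public address 203.0.113.5 (documentation range, chosen here) are constructed.

```python
"""Parse and rewrite FTP passive-mode replies the way a NAT FTP helper must.

Added illustration, not VyOS or kernel code.  The sample replies, the private
address 192.168.0.10 and the public address 203.0.113.5 are constructed.
"""
import re

# Constructed sample replies as a server behind NAT would send them.
PASV_REPLY = "227 Entering Passive Mode (192,168,0,10,195,80).\r\n"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50000|)\r\n"

# RFC 959 227 reply: (h1,h2,h3,h4,p1,p2) -> address h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 2428 229 reply carries only the port: (|||port|)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply, or None if malformed."""
    m = PASV_RE.match(reply)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    ip = ".".join(str(v) for v in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def parse_epsv(reply):
    """Return the port advertised by a 229 reply, or None if malformed."""
    m = EPSV_RE.match(reply)
    if not m:
        return None
    port = int(m.group(1))
    return port if 0 < port < 65536 else None


def data_expectation(public_ip, private_ip, port):
    """The flow conntrack must pre-authorise so that the client's data
    connection, aimed at the public address, is accepted and DNATed."""
    return {"dst": (public_ip, port), "dnat_to": (private_ip, port), "proto": "tcp"}


def rewrite_pasv(reply, private_ip, public_ip):
    """Rewrite the private address in a 227 reply to the public one.

    Returns (new_reply, expectation, length_delta).  A non-zero length delta
    is why a real helper must also adjust TCP sequence/ack numbers on the
    control connection once it has changed the payload.
    """
    parsed = parse_pasv(reply)
    if parsed is None or parsed[0] != private_ip:
        return reply, None, 0          # nothing to translate
    _, port = parsed
    octets = public_ip.split(".")
    new_args = ",".join(octets + [str(port // 256), str(port % 256)])
    new_reply = re.sub(r"\(\d{1,3}(?:,\d{1,3}){5}\)", "(" + new_args + ")", reply, count=1)
    return new_reply, data_expectation(public_ip, private_ip, port), len(new_reply) - len(reply)


def handle_epsv(reply, private_ip, public_ip):
    """EPSV needs no payload rewrite: only the expectation is required."""
    port = parse_epsv(reply)
    if port is None:
        return reply, None, 0
    return reply, data_expectation(public_ip, private_ip, port), 0


if __name__ == "__main__":
    print(rewrite_pasv(PASV_REPLY, "192.168.0.10", "203.0.113.5"))
    print(handle_epsv(EPSV_REPLY, "192.168.0.10", "203.0.113.5"))
```

The length delta returned by rewrite_pasv is the detail worth keeping in mind when reading a report like this one: because the public and private addresses rarely have the same textual length, the helper's rewrite shifts every later byte on the control connection, and the kernel has to compensate on both directions of that same connection for the rest of its life.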

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.5-rolling-202409210006
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Behavior change
Issue type
Bug (incorrect behavior)