APF blocking FTP..

CrustyDOD (Verified User, joined Sep 7, 2006, 19 messages)
I have APF on Debian and from the start there was one problem. When I upload LOTS of files, imagine uploading for example Joomla or something similar with lots of files of different sizes, the transfer freezes after a while and it times out. It's like it blocks me for a while. My friend tried on my server and he also gets the same result. Then I asked some guy to try it on a fresh install. He put on CentOS and APF without BFD, like I have, and he also gets blocked.

Without APF running the transfer goes on normally and you do not get blocked, so APF is the problem. I'm using passive connections, so 21 and high random ports are opened.

There are no logs about this, no IPs blocked when it happens, nothing!!

Any ideas what's going on?
 
Your problem may not be to do with which ports are open but which ports proftpd is allowed to use for passive mode. A solution to your problem would be to add this in your /etc/proftpd.conf file.

Open proftpd.conf by running:

nano /etc/proftpd.conf

Then add:

PassivePorts 5557 5560

After

TimeoutStalled 3600

Basically all ports between 5557 and 5560 can be used as passive ports. Then open only those ports in your firewall.
 
eymbo,

APF automatically opens up passive ports as required. There may already be a limit; I haven't studied the code.

My guess is that cutting the amount of passive ports allowed isn't going to help with lockups; I believe it may cause more.

What am I missing?

Jeff
 
Passive ports have been set from the start by me.

They are set in proftpd and APF. The range is 500 ports, so I don't believe that is the problem.
 
I have the same exact problem on all my servers, very annoying.
 
I don't know if this would cause the problem or not, but if you're using either APF or KISS you should NOT set up passive ports in proftpd.conf; you may be limiting it to ports not being opened by APF/KISS.

So if you've got a passive port range in proftpd.conf, try without it; we don't have it and we seem to work fine.

Jeff
 
I don't have passive port range in proftpd.conf.
I looked through the configuration file of APF, and think the problem could be caused by the TOS settings. I changed port 21 to "no delay", which seems to help a little; the default was "minimal delay".
 
I'm trying to set this up so I can use passive ports. I'll try removing it from proftpd, but when I connected it did use that port range; if we use other ports it means we have to open up other passive ports.

Is it possible to do FXP transfers?
 
Don't enable monokern, do this:

nano -w /etc/apf/internals/functions.apf

Find (Ctrl+W):

ml ipt_state 1


ml ipt_multiport 1

Replace with:

ml xt_state


ml xt_multiport

Start or restart APF and all should be fine.

But I recommend using ConfigServer; it's 100 times better than the APF, BFD and DOS-Deflate combo. It has everything all in one, plus other great features.
 
The APF default is SET_MONOKERN="0". Since it's not enabled, changing /etc/apf/internals/functions.apf wouldn't do anything, would it?
 
(Quoting felosi's post above about replacing ml ipt_state / ml ipt_multiport with ml xt_state / ml xt_multiport in /etc/apf/internals/functions.apf.)

I think this worked.. Will do some more testing tomorrow, but just now everything went OK..
 
Hi CrustyDOD, did you have SET_MONOKERN="0" or SET_MONOKERN="1" in your apf.conf?
 
(Quoting the question above.)

MONOKERN is set to 0, and then I changed the stuff that felosi wrote.

Edit: Was too happy yesterday, I guess.. Doesn't work. Time to change FW.
Could the problem be that i don't have ip_conntrack_ftp module?
 
I think what felosi wrote only works with SET_MONOKERN="1". My servers have ip_conntrack_ftp loaded and still have this problem.
 
Hello, I've fixed your problem.

1 : nano /etc/proftpd.conf

Then add:

PassivePorts 5557 5560

After

TimeoutStalled 3600

2 : nano /etc/apf/conf.apf

Find the line

IG_TCP_CPORTS=""

and add the ports: 5000_6000,35000_36000

Save ...

# service apf restart

FTP login OK ....

cacthanh123 from Viet Nam
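The mismatch Jeff describes above (a PassivePorts range in proftpd.conf that APF does not open inbound) and cacthanh123's fix (opening the matching range in IG_TCP_CPORTS) can be checked mechanically instead of by trial and error. The script below is an added example, not code from this thread or from the APF or ProFTPD projects. The two config fragments and the 227 reply inside it are constructed samples; the IG_TCP_CPORTS parsing assumes APF's low_high range syntax as shown in the post above, and the PASV decoding is the standard h1,h2,h3,h4,p1,p2 arithmetic from RFC 959.

```python
import re

# Constructed sample of /etc/proftpd.conf (not copied from any real server).
PROFTPD_CONF = """
ServerName "Example FTP"
TimeoutStalled 3600
PassivePorts 5557 5560
"""

# Constructed sample of /etc/apf/conf.apf with the passive range opened.
APF_CONF = """
# hypothetical conf.apf fragment
IG_TCP_CPORTS="21,22,80,443,5000_6000,35000_36000"
IG_UDP_CPORTS=""
"""

# Constructed sample where only 21 and a range that misses the passive ports is open.
APF_CONF_NARROW = 'IG_TCP_CPORTS="21,22,5000_5500"\n'


def passive_range(proftpd_conf):
    """Return (low, high) from the PassivePorts directive, or None if it is unset."""
    m = re.search(r'^\s*PassivePorts\s+(\d+)\s+(\d+)', proftpd_conf, re.M)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError("PassivePorts low port must not exceed high port")
    return lo, hi


def apf_tcp_ports(apf_conf):
    """Parse IG_TCP_CPORTS="21,22,5000_6000" into a list of (low, high) tuples.

    APF writes a range as low_high; a single port becomes (p, p).
    """
    m = re.search(r'^\s*IG_TCP_CPORTS="([^"]*)"', apf_conf, re.M)
    if not m:
        return []
    ranges = []
    for item in filter(None, m.group(1).split(",")):
        lo, hi = item.split("_", 1) if "_" in item else (item, item)
        lo, hi = int(lo), int(hi)
        if lo > hi:
            raise ValueError("bad APF range: %s" % item)
        ranges.append((lo, hi))
    return ranges


def port_allowed(port, ranges):
    """True if APF opens this inbound TCP port, given the parsed ranges."""
    return any(lo <= port <= hi for lo, hi in ranges)


def uncovered_passive_ports(proftpd_conf, apf_conf):
    """Passive ports proftpd may hand out that APF does not open inbound.

    Returns [] when PassivePorts is unset: proftpd then uses ephemeral ports,
    so there is nothing static to compare and the kernel FTP conntrack helper
    has to track the PASV reply instead.
    """
    rng = passive_range(proftpd_conf)
    if rng is None:
        return []
    ranges = apf_tcp_ports(apf_conf)
    return [p for p in range(rng[0], rng[1] + 1) if not port_allowed(p, ranges)]


PASV_RE = re.compile(r'227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)')


def decode_pasv(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port).

    port = p1 * 256 + p2; this is what the client (and the FTP conntrack helper)
    computes to learn which data port the next connection will go to.
    """
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


if __name__ == "__main__":
    print("uncovered (good conf):  ", uncovered_passive_ports(PROFTPD_CONF, APF_CONF))
    print("uncovered (narrow conf):", uncovered_passive_ports(PROFTPD_CONF, APF_CONF_NARROW))
    # Constructed PASV reply: 21 * 256 + 181 = 5557, inside the range above.
    ip, port = decode_pasv("227 Entering Passive Mode (192,0,2,10,21,181)")
    print("data connection ->", ip, port,
          "allowed by APF:", port_allowed(port, apf_tcp_ports(APF_CONF)))
```

To run it against a real box, replace the two sample strings with the contents of /etc/proftpd.conf and /etc/apf/conf.apf. A non-empty result from uncovered_passive_ports is exactly the situation Jeff warns about: proftpd answers PASV with a port the firewall drops, the client's data connection never completes, and the control session eventually hits TimeoutStalled with nothing logged as a block.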
 