Dat Head
2014-07-23 22:03:05 UTC
we have been using proftpd 1.3.4a for quite some time now and never could
get ipv6 to work correctly, so decided to upgrade to 1.3.5 and still it
doesn't work
if in hosts.allow i put this (not what we want) it works fine:
proftpd: ALL
if i put this it works to localhost (ipv4) only:
proftpd: 127.0.0.1 [::1]
if i put this nothing works:
proftpd: [::1] 127.0.0.1
this is just a simplified breakdown to try and debug, so basically what i'm
seeing is any time wrap2 encounters a v6 addr anything including it AND
AFTER it fails (any v4 BEFORE it works ok)
doesn't work w/o the square brackets either (we have to use them for all
other services in hosts.allow so figure libwrap uses them and the other
services work ok with v6)
Connected to ::1 (::1).
220 ::1 FTP server ready
331 Anonymous login ok, send your complete email address as your password
530 Access denied <=== I imagine this is from wrap2
Login failed.
421 Service not available, remote server has closed connection
setting debug level to 10 doesn't show me anything more than at level 0
which is:
2014-07-23 21:40:00,312 foobar.com proftpd[10885] : FTP session opened.
2014-07-23 21:40:00,314 foobar.com proftpd[10885] : FTP session closed.
this is what I have in proftpd.conf:
## wrap2 - note: wrap(1) denies hosts that don't reverse DNS lookup, so have to use wrap2
LoadModule mod_wrap2.c
LoadModule mod_wrap2_file.c
WrapEngine on
# wraplog is verbose, only use for debugging
WrapLog /var/log/proftpd-wrap2.log
WrapTables file:/etc/hosts.allow file:/etc/hosts.deny
and this is what is in proftpd-wrap2.log:
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: table daemon list:
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: proftpd
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: table client list:
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: 127.0.0.1
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: [
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: table options list:
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: :1]
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: daemon matches 'proftpd'
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: bad IPv6 address syntax: '['
*** doesn't work w/o the [ ] either ***
there is no doc for wrap2, just wrap and it is very brief
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: checking deny table rules
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: table daemon list:
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: ALL
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: table client list:
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: ***@ALL
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: daemon matches 'ALL'
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: client matches '***@ALL'
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: 'UseReverseDNS off' in effect, NOT resolving ::1 to DNS name for comparison
2014-07-23 21:45:32,133 mod_wrap2/2.0.6[11109]: refused connection from anonymous@::1
it looks like here it is mis-parsing?:
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: [
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: table options list:
2014-07-23 21:45:32,038 mod_wrap2/2.0.6[11109]: :1]
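
Added example (not part of the original post and not mod_wrap2's source): a small model of splitting a hosts.allow-style rule into daemon, client and options fields. It shows that a ':' scan which ignores [ ] yields the same client list ('127.0.0.1', '[') and options list (':1]') as the WrapLog output above, next to a bracket-aware scan. The names split_fields, parse_rule and bad_clients are hypothetical, and the client check is simplified to IP literals and ALL.

```python
import ipaddress

# Constructed sample rules, taken from the two hosts.allow lines in the post.
RULES = ["proftpd: 127.0.0.1 [::1]", "proftpd: [::1] 127.0.0.1"]

def split_fields(rule, bracket_aware):
    """Split 'daemons : clients [: options]' on ':'; optionally skip ':' inside [ ]."""
    fields, current, depth = [], [], 0
    for ch in rule:
        if bracket_aware and ch == "[":
            depth += 1
        elif bracket_aware and ch == "]" and depth:
            depth -= 1
        # Only the first two separators delimit fields; the rest is options.
        if ch == ":" and depth == 0 and len(fields) < 2:
            fields.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    fields.append("".join(current).strip())
    return fields

def parse_rule(rule, bracket_aware=True):
    """Return (daemons, clients, options) for one rule line."""
    fields = split_fields(rule, bracket_aware)
    clients = fields[1].split() if len(fields) > 1 else []
    options = fields[2] if len(fields) > 2 else ""
    return fields[0].split(), clients, options

def bad_clients(clients):
    """Client tokens that are neither 'ALL' nor an IP literal (simplified check)."""
    bad = []
    for tok in clients:
        literal = tok[1:-1] if tok.startswith("[") and tok.endswith("]") else tok
        try:
            ipaddress.ip_address(literal)
        except ValueError:
            if tok != "ALL":
                bad.append(tok)
    return bad

if __name__ == "__main__":
    for rule in RULES:
        for aware in (False, True):
            daemons, clients, options = parse_rule(rule, aware)
            print(f"{rule!r} bracket_aware={aware}: clients={clients} "
                  f"options={options!r} bad={bad_clients(clients)}")
```

In the bracket-unaware model, any address listed after the IPv6 entry ends up in the options field, which is consistent with the post's observation that only IPv4 entries placed before it still match.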