[Bug]: PASV gives wrong port to client - logs show correct information. #1853

Open
2 tasks done
mrforsythexeter opened this issue Dec 29, 2024 · 6 comments
Labels
bug Something isn't working


@mrforsythexeter

⚠️ This issue respects the following points: ⚠️

  • This is a bug, not a question or a configuration issue.
  • This issue is not already reported on GitHub (I've searched it).

Bug description

The "response" issued to the FTP client doesn't match the internal SFTPGo logs for the PASV response (see logs below).

Port as shown as a response in FZ is 231*256+125=59261

Port as shown in SFTPGo logs is 195*256+139 = 50059

The port issued in the SFTPGo logs is valid and correct; the port shown in FZ as the response (also telnet) is not valid for the passive port range.

Steps to reproduce

  1. docker setup latest
  2. configure passive port range 50000-50100
  3. try and connect without TLS

Expected behavior

Response given to the client to match what is shown in the logs.

SFTPGo version

2.6.4 386448e

Data provider

Me?

Installation method

Community Docker image

Configuration

Passive Port Range 50000-50100
Fixed Passive external IP address (issued correctly via logs and shown correct in FZ)

Relevant log output

Using FileZilla as a client, but seen the same in telnet.

(!! IP changed for security)
Command:	CWD /
Response:	250 CD worked on /
Command:	TYPE I
Response:	200 Type set to binary
Command:	PASV
Response:	227 Entering Passive Mode (255,255,227,215,231,125)

Logs from SFTPgo
{"level":"debug","time":"2024-12-29T21:56:35.386","sender":"ftpserverlib","server_id":"FTP_0","clientId":"12","line":"PASV","message":"Received line"}
{"level":"debug","time":"2024-12-29T21:56:35.386","sender":"ftpserverlib","server_id":"FTP_0","clientId":"12","line":"227 Entering Passive Mode (255,255,227,215,195,139)","message":"Sending answer"}

What are you using SFTPGo for?

Professional user, 1 person business

Additional info

No response

@mrforsythexeter mrforsythexeter added the bug Something isn't working label Dec 29, 2024
@mrforsythexeter
Author

I am thinking this is the modem on that port (it must be "trying" to be clever, dirty deep packet manipulation). Moving it to a different port on the NAT doesn't seem to have this effect.

@drakkan
Owner

drakkan commented Dec 30, 2024

> I am thinking this is the modem on that port (it must be "trying" to be clever, dirty deep packet manipulation). Moving it to a different port on the NAT doesn't seem to have this effect.

Yes, it is unlikely that this is an issue in SFTPGo, it would affect all users.

@it5c0z1mG

Just updated, now have this issue on Unraid. Unraid locks port 21, so I have to manipulate it to make it work. Please revert or correct the last change.

@mrforsythexeter
Author

@it5c0z1mG I happened to be running this on Unraid as well (in Docker). However, this was my mistake. For the 'SFTPGO_FTPD__BINDINGS__0__FORCE_PASSIVE_IP' or 'Passive Mode IP:' I had set our external IP address. When the NAT on the firewall / modem inspected this, it didn't know what to do, so failed to give a port correctly.

On further investigation, I knew I had had a vsftpd server working fine within the same office space, and passive.

So I changed SFTPGO_FTPD__BINDINGS__0__FORCE_PASSIVE_IP to the IP of the Unraid server (internal), as I was using the bridge network. This allowed the modem's NAT to function correctly and not mess with the PASV command more than needed.

If you are using a macvlan with docker, then set it to the IP of the docker machine (don't set it to your 172 usual docker space).

I hope this helps.
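The comparison made in the bug description (the 227 reply the client received against the 227 reply SFTPGo logged), written as an added example that is not part of this thread or of SFTPGo's code. The function names are hypothetical; the sample lines are the ones quoted in the issue, and the range is the reporter's 50000-50100. A mismatch means the reply was changed between the server and the client.

```python
import json
import re

# RFC 959 PASV reply: 227 <text> (h1,h2,h3,h4,p1,p2), data port = p1*256 + p2
PASV_RE = re.compile(r"227 [^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")

def parse_pasv(line):
    """Return (ip, port) from a 227 reply, or None if the line carries none."""
    m = PASV_RE.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in {line!r}")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def server_replies(log_text):
    """Collect (ip, port) from each 227 answer in SFTPGo JSON debug log lines."""
    found = []
    for raw in log_text.splitlines():
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a JSON log line
        if isinstance(entry, dict) and entry.get("message") == "Sending answer":
            parsed = parse_pasv(entry.get("line", ""))
            if parsed:
                found.append(parsed)
    return found

def compare(client_line, server_log, port_range):
    """Compare the 227 reply the client saw with the last one the server logged."""
    low, high = port_range
    client, sent = parse_pasv(client_line), server_replies(server_log)
    if client is None or not sent:
        raise ValueError("need a 227 reply from both the client trace and the log")
    return {"client": client, "server": sent[-1],
            "rewritten_in_transit": client != sent[-1],
            "client_port_in_range": low <= client[1] <= high,
            "server_port_in_range": low <= sent[-1][1] <= high}

# Sample input copied from this issue (the reporter had already changed the IP).
CLIENT = "Response:\t227 Entering Passive Mode (255,255,227,215,231,125)"
SERVER_LOG = """\
{"level":"debug","time":"2024-12-29T21:56:35.386","sender":"ftpserverlib","server_id":"FTP_0","clientId":"12","line":"PASV","message":"Received line"}
{"level":"debug","time":"2024-12-29T21:56:35.386","sender":"ftpserverlib","server_id":"FTP_0","clientId":"12","line":"227 Entering Passive Mode (255,255,227,215,195,139)","message":"Sending answer"}
"""

if __name__ == "__main__":
    print(compare(CLIENT, SERVER_LOG, (50000, 50100)))
```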

@it5c0z1mG

@mrforsythexeter yes, I have this set with the internal IP and it's worked flawlessly for months, but since the update I cannot access it from outside my local network. The error I keep getting is

, "sender": "common", "connection_id": "FTP 0_4", "message": "connection swapped, close fs error:

@mrforsythexeter
Author

Have you tried connecting via FileZilla (externally if your source system is external) and tracing / reviewing the logs? I did this as a first step; after this, I was able to replay / test the commands via a telnet session to understand where it broke.

Also, has anything else changed: new router, router firmware updated, different internet connection on either side, updates? Are you using TLS, and has your certificate expired?


3 participants