The File Transfer Protocol (FTP) port

Revised for CPX 4.7.0.

Terminology
Summary of supported features
FTP server port configuration
FTP server virtual root paths table
Common user authentication service
FTP server virtual paths access control
FTP server port statistics
FTP server port debug information
Long file names

The following list gives general design goals for File Transfer Protocol (FTP) port of Abilis CPX:

to promote sharing of files (computer programs and/or data).
to encourage indirect or implicit (via programs) use of remote computers.
to shield a user from variations in file storage systems among hosts.
to transfer data reliably and efficiently.

FTP, though usable directly by a user at a terminal, is designed mainly for use by programs.

Terminology

Control connection

A TCP connection between Server and Client for the exchange of command and replies. It is always open during the FTP session, one can say it IS the FTP session.

Data connection

A TCP connection between Server and Client (or two Servers) for the purpose of data transfer, which can be a file listing, file, or a part of file. Modes allowing transferring several files upon one data connection are not supported.

Data type

ASCII - intended primarily for the transfer of text files. Data are in the standard 8-bit NVT-ASCII representation, with <CR><LF> specifying the end-of-line sequence.
EBCDIC - intended efficient transfer between hosts which use EBCDIC for their internal character representation. Not supported by CPX FTP.
IMAGE - also referred as Binary. The data is sent as contiguous bits packed into 8-bit bytes, and stored the same way. If both systems have 8-bit bytes (as it is practically always), this means transferring data without any changes.
LOCAL - intended for transfer between systems having identical but non-standard byte size. Not supported by CPX FTP.

Data structure

FILE - no internal file structuring is present.
RECORD - file is made of sequential records. Not supported by CPX FTP.
PAGE - file is made up of independent indexed pages. Not supported by CPX FTP

Transmission mode

STREAM - Data is transmitted as a stream of bytes. EOF is indicated by closing the data connection.
BLOCK - File is transmitted as a series of data blocks preceded by one or more header bytes. Not supported by CPX FTP.
COMPRESSED - Data is sent compressed by a RLE-like algorithm. Not supported by CPX FTP.

Active mode

Data connection is opened by FTP Server to Client, using either default port value or value explicitly specified by client (using the PORT command)

Passive mode

Data connection is opened by FTP Client to Server, using port value returned by server in reply to PASV command

User

A person or a process on behalf of a person wishing to obtain file transfer service. The human user may interact directly with a server-FTP process, but use of a user-FTP process is preferred since the protocol design is weighted towards automata.

Summary of supported features

Active and passive data connections
ASCII and BINARY data types only
No file structuring
Stream mode only
Restarting data transfer
FTP-over-SSL operation (not yet implemented)
Supported commands (in the order listed by RFC 959): USER/PASS, CWD/CDUP, REIN, QUIT, PORT, PASV, TYPE, RETR, STOR/STOU, APPE, RNFR/RNTO, ABOR, DELE, MKD/RMD, PWD, LIST, SYST, STAT, HELP, NOOP
Unsupported commands:
ACCT (no accounting system available on CPX)
SMNT (no mountable file systems)
ALLO (no disk space preallocation available)
SITE (no CPX-specific options yet defined)

FTP server port configuration

The FTP-server port is labeled within the Abilis CPX with the acronym "FTP" and it is provided with the parameters described in this section.

Here is an example on how to show the FTP-server port parameters. Shown values are the default ones (command "d p po:ftp"):

[15:02:45] ABILIS_CPX:d p po:ftp
PO:914 ------------------------------------------------------------------------
FTP    LOG:NO        lowpo:901     ACT:YES          max-cli:4
       c-port:21     d-port:20     c-sslport:990    d-sslport:989
       IPSRC:*                     IPSRCLIST:#
       SEND-TOUT:30      DT:300    REJ-1024:YES     SAME-IP:YES  SYSDRIVES:NO
       MAX-PWD-FAIL:4              DELAY-PWD-FAIL:5
       MAX-IP-SES:NOMAX            MAX-USER-SES:2
       ANONYMOUS-USER:DENY         REGISTERED-USER:PERMIT

To activate changes made on the parameters displayed by low case characters, it is needed to restart the system; on the contrary for activating changes made on high case parameters it is enough to execute the initialization command INIT PO:.

You can get on-line help about the FTP server parameters by executing command: "s p po:ftp ?"

[16:40:31] ABILIS_CPX:s p po:ftp ?

FTP port parameters:

LOG:       State changes log and alarm generation [NO, D, S, A, L, T, ALL] [+E]
           (D: Debug Log; S: System Log; A: Alarm view; L: Local audible alarm;
           T: SNMP traps; +E: Extended Log of state changes, see ref. manual)
LOWPO:     Lower CPX port [0..999, NONE]
ACT:       Operation activation [NO, YES]
MAX-CLI:   Number of FTP clients [1-255]
C-PORT:    TCP port for incoming control connections [21]
D-PORT:    TCP port for outgoing data connections [20]
C-SSLPORT: TCP port for incoming SSL control connections [990]
D-SSLPORT: TCP port for outgoing SSL data connections [20]
IPSRC:     Incoming requests: accepted source IP address
           [*, 1-126.x.x.x, 128-223.x.x.x]
IPSRCLIST: Incoming requests: name of the IP/IR/RU/MR list for source IP
           address acceptance [#, 0..9, a..z, A..Z, _]
SEND-TOUT: Send time-out [30..3600 sec.]
DT:        Inactivity time-out [30..3600 sec.]
REJ-1024:  Refuse active data connections to client's ports lower then 1024
           [NO, YES]
SAME-IP:   Limit data commection to the same IP of the control connection
           [NO, YES]
SYSDRIVES: Allow creating a /sysdrive/ virtual directory with <drive> subdirs
           [NO, YES]
MAX-PWD-FAIL:    Maximum number of password attempts [1-255]
DELAY-PWD-FAIL:  Delay after failed PASS command [1-255 sec.]
MAX-IP-SES:      Limits number of simultaneous CONTROL connections that can be
                 established from a client's IP address [NOMAX, 1..255]
MAX-USER-SES:    Limits number of simultaneous CONTROL connections that a user
                 can establish from the SAME IP with the SAME USER login
                 [NOMAX, 1..255]
ANONYMOUS-USER:  Permit/deny anonymous log-in [DENY, PERMIT]
REGISTERED-USER: Permit/deny log-in of registered users [DENY, PERMIT]

Datails of FTP server port configuration parameters

LOG:	Events logging activation and generation of alarm signals
DS	NO, D, S, A, L, T, ALL, +E

Usually this parameter makes possible to activate/deactivate logging functionalities of meaningful events of the port as well as the detection and signalling of alarms in case of critical events.

The following table shows the available options and the related functionalities usable by the parameter:

Option	Meaning
D	Recording of the driver state changes and/or the meaningful events in Debug Log
S	Recording of the driver state changes and/or the meaningful events in the System Log
A	Periodic detection of possible alarms. The detected alarms can be displayed the command ALARM VIEW or by the analogous command available on the UTILITY of the LCD display on the front panel
L	On alarm detection, acoustic signal generation plus a message on the LCD display. This function depends on activation of alarms detection by the "A" option
T	Generation by the Agent SNMP of Abilis CPX of SNMP traps corresponding to any change of the driver state and/or occurring of meaningful events

Beside the already described options the following values are also allowed:

Option	Meaning
NO	It means that all the logging functionalities, alarms detection and generation, above mentioned, are disabled.
ALL	It means that all the logging functionalities, alarms detection and generation, above mentioned, are enabled.
+E	This option added to one or more of the previous ones, extends its (their) set of meaningful events. The value "ALL+E" activates all the options and extends the set of meaningful events. The value "NO+E" is meaningless so it is ignored.

Options can be combined together.

Some examples:

setting "LOG:DS+E", activates the extended logging functions for Events Log and System Log
setting "LOG:STA", activates the extended logging functions for System Log, SNMP traps generation and periodic detection of alarm states;

By using the characters "+" and "-" as prefix of one or more options is possible to add or delete one or more functionalities without setting from the scratch the value of the parameters.

Some examples:

Suppose the current value of the parameter is "LOG:DSTA", by setting "LOG:-A", the periodic detection of eventual alarm states is removed, leaving unchanged all the remaining options; in such way the final value of the parameter will be "LOG:DST";
Suppose the current value of the parameter is "LOG:ST", by setting "LOG:+DA", the logging function of the events on the Events Log and the periodic alarm detection are added to the already activated options; in such way the final value of the parameter will be "LOG:DSTA".

The changes made on this parameter are immediately activated, without the need of initialization commands.

lowpo:	Lower CPX port number
NONE	NONE, 1 - 999

Lower CPX port number.

Only TCP ports are accepted..

The device management procedures COULD use this value for recursions, for example to perform a parameter check for a full drivers stack, always starting from the TOP.

ACT:	Runtime activation/deactivation of the FTP server port.
NO	NO, YES

NO: The port is configured, active, but it does not accept connections. The driver is not listening.
When changing from YES to NO the FTP-server cancels all the pending listens.

YES: The port is configured, active, and it accepts connections. It is listening. When changing from NO to YES the FTP server begins to listen.

max-cli:	Number of FTP clients that the module can support at once.
4	1 - 255

Control connections exceeding this value will be rejected. Note that for every client TWO tcp sessions are needed. This value cannot be changed without CPX restart.

c-port:	FTP control connection TCP port.
21	21

Specifies TCP port on which FTP waits for incoming connections. It is the "well known" port 21, which is currently not changeable.

d-port:	FTP data connection TCP port.
20	20

Specifies TCP port on which FTP makes outgoing data connections. It is the "well known" port 20, which is currently not changeable

c-sslport:	FTP control SSL connection TCP port.
990	990

Specifies TCP port on which FTP waits for incoming SSL connections. It is the "well known" port 990, which is currently not changeable.

Now it is not supported.

d-sslport:	FTP data connection TCP port.
989	989

Specifies TCP port on which FTP makes outgoing SSL data connections. It is the "well known" port 989, which is currently not changeable.

Now it is not supported.

IPSRC:	Allowed client's IP address.
*	*, DDN see table below

Specifies which client's IP address is allowed to access FTP server.

HEX:	00000000	01000000 - 7EFFFFFF	80000000 - DFFFFFFF
DDN:	*	1.0.0.0 - 126.255.255.255	128.0.0.0 - 223.255.255.255

The default value is *, means "any ip", so that every client IP is allowed.
In the case that one needs to restrict the access, he has to set in IPSRC the ip address of a client which must always have access, e.g. the IP address of the administrator console, and add further IPs using IPSRCLIST.

This method guarantee that even in case of misconfiguration in the list referenced by IPSRCLIST, at least one client, e.g. the one of the system administrator, still have access to FTP server.

IPSRCLIST:	List of additional allowed client's IP addresses
#	list name (0..9, a..z, A..Z), #

Specifies additional client's IP address allowed to access FTP server. Default value is #, means "no list used", in which case the FTP server driver will not query the list service.

The shown name of the list must be the same as the one previously defined in the table of the elements lists. The allowed types of lists are: IP addresses (IP); groups of IP addresses (IR); lists of "Rules" (RU); lists of "Master Rules" (MR).

The value '#' is used with the meaning of "no list".

If IPSRC equal to *, the driver skips the query to the list service since "any IP" is already accepted through IPSRC.

SEND-TOUT:	Send timeout for control and data connections.
30	30-3600

Specifies sending inactivity timeout for control and data connections. Upon timeout, a connection will be forced to close: if file transfer is in progress, then data connection is to be closed, else control connection is closed and session terminates.

DT:	Inactivity timeout for the session.
300	30-3600

Specifies inactivity timeout for control and data connections. Traffic on either control or data connection resets the timer.
The timeout is restarted, i.e. reset, at every in/out transfer on either of the two sessions (control and data). It means that timeout expires when BOTH sessions exceeded the inactivity time.

Upon timeout control connection will be forcedly closed, as well as data connection if opened.

REJ-1024:	Limitation of the data connections to client's ports lower than 1024.
YES	NO, YES

Refuse active data connections to client's ports lower than 1024 (client source port specified in PORT command < 1024). If this parameter is set, data ports lower than 1024 will not be accepted, protecting from a "Bounce Attack".

MAX-PWD-FAIL:	Maximal number of password attempts.
4	1-255

Specifies maximal number of password attempts, after which a session will be disconnected, to lower the efficiency of possible brute-force attack

DELAY-PWD-FAIL:	Delay after failed PASS command.
5	1-255

Delay appears after each failed PASS command, to lower the efficiency of possible brute-force attack

SAME-IP:	Limitation of establishment of DATA connection to the same IP of the CONTROL connection
YES	NO, YES

If this parameter is set, the FTP server allows to establish a DATA connection only to an IP address identical to that of the CONTROL connection. This enforces the protections when there is not need to establish the data connection to a third machine, which is the most common use we will make of the FTP server.

Valid for both active and passive modes.

SYSDRIVES:	Allow creating a /sysdrive/ virtual root path with <drive> subdirs.
NO	NO, YES

If this parameter is set, additional virtual root path "/sysdrive/" is created, having all system drives as its subdirectories.

MAX-IP-SES:	Limits number of simultaneous CONTROL connections that can be established from a client's IP address.
NOMAX	NOMAX, 1 - 255

This parameter defines how many CONTROL connections can be established from the SAME IP address. If this parameter is set to NOMAX, number of CONTROL connections is not limited by this restriction and displayed/configured as NOMAX

MAX-USER-SES:	Limits number of simultaneous CONTROL connections that a user can establish from the SAME IP with the SAME USER login
2	NOMAX, 1 - 255

This parameter defines how many CONTROL connections can be established with the SAME USER-id from the SAME IP address. If this parameter is set to NOMAX, number of CONTROL connections is not limited by this restriction and displayed/configured as NOMAX.

ANONYMOUS-USER:	Permit/deny anonymous log-in
DENY	DENY, PERMIT

Enables/Disables the acceptance of anonymous log-in

REGISTERED-USER:	Permit/deny log-in of registered users (not anonymous).
PERMIT	DENY, PERMIT

Enables/Disables the acceptance of registered users log-in.

FTP server virtual root paths table

The Virtual root paths table allows to store up to 64 records.

Virtual paths can be individually added/set/displayed/cleared with the command:

A/S/D/C FTP PATH:<virtual path> [PHYS-PATH:<physical path>]

The whole table can be shown with the "d ftp path" command:

An example of the output is shown below

[10:01:53] ABILIS_CPX:d ftp path

Parameter:   |Value:
------------------------------------------------------------------------------
PATH:         /pub/
PHYS-PATH:    C:\USR\PUB\
------------------------------------------------------------------------------
PATH:         /pub2/
PHYS-PATH:    D:\USR\PUB\
------------------------------------------------------------------------------
PATH:         /usr/
PHYS-PATH:    C:\USR\
------------------------------------------------------------------------------
PATH:         /usr2/
PHYS-PATH:    D:\USR\
------------------------------------------------------------------------------

Virtual root path table record structure

PATH:	Virtual root path
empty	up to 32 characters (see also long file names)

Specifies virtual root path for a directory on disk, in UNIX notation starting and ending with a slash ("/").
Virtual path "/" cannot be accepted because "/" does never refer to physical path, it is only the "container" of virtual paths.

E.g. "/Common/" or "/usr/"

PHYS-PATH:	Physical path.
empty	up to 128 characters (see also long file names)

Specifies real path on disks of a directory, in DOS notation starting with a drive letter and ending with a backslash ("\"). E.g. C:\, A:\, C:\USR\TEST\.

By default the root path table contains the following entries:

Virtual root path	Real path
/usr/	c:\usr\
/usr2/	d:\usr\
/pub/	c:\usr\pub\
/pub2/	d:\usr\pub\

The use of c:\usr is defined in the documents describing the boot manager which has security reasons as well as system integrity. The directory d:\usr will be used in the same way.

Again for system integrity the FTP server applies the following restrictions:

do not allow operations, for any user, in the C:\ directory different from listing and file retrieval. The whole system integrity may be compromised by writing in the C:\ directory
virtual root paths without access rights defined has a default "DENY ALL"
virtual root path /sysdrives/, created with SYSDRIVES set to YES, and if access rights are not explicitly defined for it, has a default "DENY ALL".

Moreover:

If the virtual root path references a disk directory which is not present, the virtual path will not appear in the listing to the user.
The table is kept sorted by PATH.
Virtual path "/" cannot be specified because "/" does never refer to physical path, it is only the "container" of virtual root paths.

Also you can show specified record by using "d ftp path:<virtual path>"command:

An example of the output is shown below

[19:52:40] ABILIS_CPX:d ftp path:/leo-private/

Parameter:   |Value:
------------------------------------------------------------------------------
PATH:         /leo-private/
PHYS-PATH:    c:\usr\leo\leo-private\
------------------------------------------------------------------------------

User authentication service

The service of user authentication is provided through a centralized "archive" where users are defined as well as the services to which they have access and some service-related parameters.

The centralized "User service" provides the authentication for the following services:

PPP
FTP
HTTP
CP

The RAS table that was present up to version 4.3.x has been replaces by the USER service, available through the Commands relating to Users Access Control table". Issuing any of the obsolete RAS command will produce the following warning message:

RAS SERVICE IS DEPRECATED. USE USERs ACCESS CONTROL SERVICE

The User service has a user "admin" that cannot be deleted. This user can be enabled only with a "non empty" password.

For the FTP service the HOMEDIR parameter will be managed exactly as required by FTP:

The syntax of the commands is:

a/c/s user:<user> [optional parameters]
d user[:<user>|a]
d usere[:<user>|a]

Display USERs table summary: "d user"

[15:45:19] ABILIS_CPX:d user

USER:                             PASSWORD:  ENABLED: PPP: FTP: HTTP: CP:
-------------------------------------------------------------------------------
Leo                                          YES      YES  YES  YES   YES
Konstantin                        *********  YES      NO   YES  YES   NO

Display a selected entry of the USERs table: "d user:<user>"

[15:45:19] ABILIS_CPX:d user:Leo

Parameter    |Value                           
-------------------------------------------------------------------------------
USER:         Leo                              
PASSWORD:     
ENABLED:      YES
PPP:          YES
PPP-AUTH:     chap
PPP-PO:       ANY
FTP:          YES
FTP-HOMEDIR:  
FTP-PROT:     PLAIN
HTTP:         YES
CP:           YES
CP-LEVEL:     USER

Display all entries of the USERs table: "d user:a"

[15:45:19] ABILIS_CPX:d user:a
Parameter    |Value                           
-------------------------------------------------------------------------------
USER:         Leo                              
PASSWORD:     
ENABLED:      YES
PPP:          YES
PPP-AUTH:     chap
PPP-PO:       ANY
FTP:          YES
FTP-HOMEDIR:  
FTP-PROT:     PLAIN
HTTP:         YES
CP:           YES
CP-LEVEL:     USER
-------------------------------------------------------------------------------
USER:         Konstantin                              
PASSWORD:     *********
ENABLED:      YES
FTP:          YES
FTP-HOMEDIR:  /user/konstt/
FTP-PROT:     PLAIN,SSL
HTTP:         YES
-------------------------------------------------------------------------------

If section (PPP/FTP/HTTP/CP) is disabled (set to NO) it is not displayed.

The "extended" version of the command will display also the sections set to NO.
The extended command is "d usere:<user> | all"

[15:45:19] ABILIS_CPX:d usere:Konstantin

Parameter    |Value                           
-------------------------------------------------------------------------------
USER:         Konstantin                              
PASSWORD:     *********
ENABLED:      YES
PPP:          NO
PPP-AUTH:     chap
PPP-PO:       ANY
FTP:          YES
FTP-HOMEDIR:  /user/konstt/
FTP-PROT:     PLAIN,SSL
HTTP:         YES
CP:           NO
CP-LEVEL:     USER
-------------------------------------------------------------------------------

Common user information

USER:	User name.
empty	up to 32 of '0'-'9', 'A'-'Z', 'a'-'z', '_', ':' characters

User name. The strings 'A' and 'ALL' are reserved for the system and cannot be used for user name value.

PASSWORD:	User password.
empty	up to 32 of '0'-'9', 'A'-'Z', 'a'-'z', '_', ':' characters

User password.

ENABLED:	User enable/disable flag..
YES	NO, YES

User enable/disable flag.

FTP specific user information

FTP:	FTP service enable/disable flag
NO	NO, YES

FTP service enable/disable flag. If it is set to NO (disabled) it is not displayed.

FTP-HOMEDIR:	Starting virtual path (home) for the user
empty	up to 128 characters (see also long file names)

Specifies home virtual path for a user. i.e. /user/konstt/ or /system/admin/.

When the user logs-in the FTP server will put the user in this virtual path, which becomes the current path.
This is not a "root" path for the user, so if user issues PWD command he will get that current path is "HOMEDIR", and not "/"
If HOMEDIR is empty the FTP driver must assume HOMEDIR=/.

If FTP flag is set to NO (disabled) FTP-HOMEDIR is not displayed.

FTP-PROT:	The user is accepted only if he is using one of the protocols specified here.
PLAIN and SSL	PLAIN or/and SSL

FTP server can be accessed using the PLAIN unchyphered protocol or using SSL encryption. With this parameter it is possible to limit the acceptance of the user to a specific protocol.

If FTP flag is set to NO (disabled) FTP-PROT is not displayed.

FTP server virtual paths access control table

After a user is authenticated the next requirement is to gain/deny access to portions of the ftp site, this is obtained through some access control system. it is complication can very a lot, depending on specific requirements and on the underlying operating system and file system.

For controlling access to FTP (and other) resources CPX has a control system based on:

User authenticated (see user authentication service)
Virtual path (see virtual root paths table)
Users and rights for that virtual path
By default a right is denied

It is realized as "common service". The "access control service" has by default some authorizations, but they can be changed/removed by the user:

PATH	USER	FILE	DIR	RECUR	PROT
/pub/	anonymous	r---	l---	yes	plain,ssl
/pub2/	anonymous	r---	l---	yes	plain,ssl
/sysdrives/	admin	rwdn	lcdn	yes	plain,ssl
/usr/	admin	rwdn	lcdn	yes	plain,ssl
/usr2/	admin	rwdn	lcdn	yes	plain,ssl

Access rights for a specific virtual path can be individually added/set/displayed/cleared with the commands described in this section.

The rights are split in "file rights" and "directory rights" and are configured/viewed with two different parameters: FILE: and DIR:.

The value of these parameters are configurable in a way comparable to the CX32_LOG parameter, that is each right correspond to a character and a "+" or "-" sign is used to specify respectively "granted" or "denied". The syntax is:

   FILE:[+|-R][+|-W][+|-D][+|-N]     DIR:[+|-L][+|-C][+|-D][+|-N]

The "+" sets granted right.
The "-" sets denied right.
If + or - is not specified, the value "+" is assumed, so it may be omitted.
Not specified right is left unchanged
The FILE: and DIR: values do not care of the characters' position
The FILE: and DIR: values are case insensitive

As a result the commands variants below are equivalent:

S FTP RIGHTS PATH:/ USER:test FILE:+R+W+D+N
S FTP RIGHTS PATH:/ USER:test FILE:rwdn
S FTP RIGHTS PATH:/ USER:test FILE:NdwR

S FTP RIGHTS PATH:/ USER:test FILE:+D-N
S FTP RIGHTS PATH:/ USER:test FILE:D-N
S FTP RIGHTS PATH:/ USER:test FILE:-ND

Add path, add path and a user, add user to an existing path

Add the path only.

a ftp rights path:<virtual path>  |  id:<id>

Add path and user: the path does not exist yet
If this is too much complicated we can avoid this add "path and user" case.

a ftp rights path:<virtual path>|id:<id> [user:<user> file:<file rights> dir:<dir rights> recur:yes|no mode:plain,ssl]

Add user: the path already exists.

a ftp rights path:<virtual path>|id:<id> [user:<user> file:<file rights> dir:<dir rights> recur:yes|no mode:plain,ssl]

Set rights and the other parameters for an already existent user.

a ftp rights path:<virtual path>|id:<id> user:<user>[file:<file rights> dir:<dir rights> recur:yes|no mode:plain,ssl]

Delete an existing user. If the user is the last one the path is not deleted.

c ftp rights path:<virtual path> | id:<id> user:<user>

Display paths and users.

Display rights summary

d ftp rights

An example of the output is shown below

[09:56:29] ABILIS_CPX:d ftp rights

------------------------------------------------------------------------------
ID: PATH:
       USER:                            FILE: DIR:  RECUR: PROT:
------------------------------------------------------------------------------
  1 /pub/
       admin                            rwdn  lcdn  YES    PLAIN,SSL
       anonymous                        r---  l---  YES    PLAIN,SSL
------------------------------------------------------------------------------
  2 /pub2/
       admin                            rwdn  lcdn  YES    PLAIN,SSL
       anonymous                        r---  l---  YES    PLAIN,SSL
------------------------------------------------------------------------------
  3 /sysdrives/
       admin                            rwdn  lcdn  YES    PLAIN,SSL
------------------------------------------------------------------------------
  4 /usr/
       admin                            rwdn  lcdn  YES    PLAIN,SSL
------------------------------------------------------------------------------
  5 /usr2/
       admin                            rwdn  lcdn  YES    PLAIN,SSL
------------------------------------------------------------------------------

Display rights for a specific path

d ftp rights path:<virtual path> | id:<id>

An example of the output is shown below

[19:52:40] ABILIS_CPX:d ftp rights path:/usr/pub (or id:1)

------------------------------------------------------------------------------
ID: PATH:
       USER:                            FILE: DIR:  RECUR: PROT:
------------------------------------------------------------------------------
  1 /usr/pub/
       anonymous                        r---  l---  YES    PLAIN
------------------------------------------------------------------------------

Display rights that a user has on all paths. The paths for which the user is not defined are skipped.

d ftp rights user:<user>

An example of the output is shown below

[19:52:40] ABILIS_CPX:d ftp rights user:leo

------------------------------------------------------------------------------
ID: PATH:
       USER:                            FILE: DIR:  RECUR: PROT:
------------------------------------------------------------------------------
 10 /usr/leo/
       leo                              rwdn  lcdn  YES    PLAIN,SSL
------------------------------------------------------------------------------
 50 /usr/konstantin/
       leo                              ----  l---  YES    PLAIN,SSL
------------------------------------------------------------------------------
 51 /usr/konstantin/123/
       leo                              ----  l---  YES    PLAIN,SSL
------------------------------------------------------------------------------

Virtual paths access control table record structure.

ID:	ID assigned to this entry and referenced by the user rights table records.
0	0, 1-128

Specifies the ID of the virtual path for which this user right apply

PATH:	Virtual path for which one or more user rights are specified in the user rights table
empty	up to 128 characters (see also long file names)

Specifies the Virtual Path for which one or more user rights are specified in the user rights table, e.g. "/Common/" or "/usr/konstt/".

USER:	User to which the rights belongs.
empty	up to 32 of '0'-'9', 'A'-'Z', 'a'-'z', '_', ':' characters

Specifies the user for whom rights are specified.

FILE:	DIR:
R	W	D	N	L	C	D	N
Read	Write	Delete	Rename	List	Create	Delete	Rename

FTP server port statistics

At these snapshots you can see CPX screens with statistics of FTP-server port after executing command D S: "d s po:ftp"

-without active FTP-connections:

[15:38:27] ABILIS_CPX:d s po:ftp

PO:967 ------------------------------------------------------------------------
FTP    STATE:ACTIVE            MAX-CLI:4
       -- Clients --------|--TOT CUR---|--TOT PEAK--|--SSL CUR---|--SSL PEAK--|
       CONNECTED          |           0|           0|           0|           0|
       LOGGED             |           0|            |           0|            |
       DATA-SESSION       |           0|           0|           0|           0|
       ------------------------------------------------------------------------
       -- Sessions states -----------------------------------------------------
       SES C-STATE C-REM                 C-LOC                 USER
           D-STATE D-REM                 D-LOC
       ------------------------------------------------------------------------
                             *** NO FTP SESSIONs ***
       -- Ports statistics ----------------------------------------------------
       -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
       CTRL-CHR   |          0|          0|CTRL-PCK   |          0|          0|
       DATA-CHR   |          0|          0|DATA-PCK   |          0|          0|
       COMMAND    |          0|           |REPLY      |           |          0|
       ------------------------------------------------------------------------

-with two active FTP-connections:

[15:58:20] ABILIS_CPX:d s po:ftp

PO:967 ------------------------------------------------------------------------
FTP    STATE:ACTIVE            MAX-CLI:4
       -- Clients --------|--TOT CUR---|--TOT PEAK--|--SSL CUR---|--SSL PEAK--|
       CONNECTED          |           2|           2|           0|           0|
       LOGGED             |           2|            |           0|            |
       DATA-SESSION       |           0|           0|           0|           0|
       ------------------------------------------------------------------------
       -- Sessions states -----------------------------------------------------
       SES C-STATE C-REM                 C-LOC                 USER
           D-STATE D-REM                 D-LOC
       ------------------------------------------------------------------------
         1 LOGGED  192.168.006.004:1066  192.168.006.010:21    admin
           READY   000.000.000.000:0     000.000.000.000:0
         2 LOGGED  192.168.006.005:1614  192.168.006.010:21    admin
           READY   000.000.000.000:0     000.000.000.000:0
       -- Ports statistics ----------------------------------------------------
       -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
       CTRL-CHR   |        241|        870|CTRL-PCK   |         22|         27|
       DATA-CHR   |          0|        187|DATA-PCK   |          0|          3|
       COMMAND    |         22|           |REPLY      |           |         27|
       ------------------------------------------------------------------------

At this snapshot you can see CPX screen with statistics of FTP-server port after executing command D SE: "d se po:ftp".

[11:16:07] ABILIS_CPX:d se po:ftp

PO:967 ------------------------------------------------------------------------
FTP    --- Cleared 000:00:04:38 ago, on 30/12/2002 at 11:12:46 ----------------
       SES C-STATE C-REM                 C-LOC                 USER
           D-STATE D-REM                 D-LOC
       ------------------------------------------------------------------------
         4 LOGGED  192.168.000.002:1201  192.168.000.060:21    anonymous
           READY   000.000.000.000:0     000.000.000.000:0
       -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
       CTRL-CHR   |         90|        271|CTRL-PCK   |          7|          8|
       DATA-CHR   |          0|          0|DATA-PCK   |          0|          0|
       COMMAND    |          7|           |REPLY      |           |          8|
       ------------------------------------------------------------------------

The information "Cleared DDD:HH:MM:SS ago, at DD/MM/YYYY HH:MM:SS", referred by the extended statistics, shows the elapsed time from the last reset of the statistics (by the format "days:hours:minutes:seconds") and date/time of its execution (by the format "day/month/year" and "hours:minutes:seconds").

FTP server port statistics fields detailed

STATE:	FTP-server port state
	see table below

Possible states of the FTP server port.

State	Description
INIT	FTP server port is in the init state
INACTIVE	FTP server port is "ready" to work, but the ACT: parameter is set to "NO"
ACTIVE	FTP server port is fully ready to work

MAX-CLI:	Number of FTP client that FTP server can serve
	1-255

It showns how many client can be served simultaneously, for each of them the FTP server has reserved one session for COMMANDs and one for DATA. This counter does not make distinction between "plain" and "ssl" sessions.

It is equal to max-cli parameter.

Clients' statistics.

CONNECTED:	Number of FTP control sessions which are connected
	0 - 255

CONNECTED TOT CUR shows the number of FTP control session which are currently connected, including those not logged-in. This counter does not make distinction between "plain" and "ssl" sessions. It also correspond to the number of clients currently connected.
CONNECTED TOT PEAK shows the peak value of FTP control sessions that went connected at the same time, including those not logged-in. This counter is actually the maximum value ever reached by "CONNECTED TOT CUR".
CONNECTED SSL CUR shows number of SSL FTP control sessions which are connected.
As for "CONNECTED TOT CUR" but limited to SSL sessions.
CONNECTED SSL PEAK shows maximum number of SSL FTP control sessions that went connected simultaneously.
As for "CONNECTED TOT PEAK" but limited to SSL sessions.

LOGGED:	Number of FTP control sessions which are connected and logged-in
	0 - 255

LOGGED TOT CUR shows the number of FTP control sessions which are currently connected and for which already successfully executed the log-in. This counter does not make distinction between "plain" and "ssl" sessions. It also correspond to the number of clients currently connected and logged-in.
LOGGED SSL CUR shows number of SSL FTP control sessions which are connected and logged-in.
As for "LOGGED TOT CUR" but limited to SSL sessions.

DATA-SESSION:	Number of FTP data sessions which are currently established
	0 - 255

DATA-SESSION TOT CUR shows the number of FTP data sessions which are currently established and on which the data transfer is proceeding or going to start. This counter does not make distinction between "plain" and "ssl" sessions.
It also correspond to the number of clients currently sending or receiving with the FTP server.
DATA-SESSION TOT PEAK shows maximum number of FTP-DATA sessions that were established simultaneously.
It shows the peak value of FTP data sessions that were established at the same time. This counter is actually the maximum value ever reached by "DATA-SESSION TOT CUR".
DATA-SESSION SSL CUR shows the number of SSL FTP data sessions which are currently established.
As for "DATA-SESSION TOT CUR" but limited to SSL sessions.
DATA-SESSION SSL PEAK shows maximum number of SSL FTP data sessions that were established simultaneously.
As for "DATA-SESSION SSL PEAK" but limited to SSL sessions.

Sessions states

SESS:	Identifier of FTP session
	1 - 255

Unique identifier of established FTP session.

C-STATE:	State of FTP server control connection
	see table below

Possible states of the FTP server port control connection:

State	Description
STOPPED	FTP session is stopped. ACT parameter is set to "NO".
READY	FTP session is ready to work.
CONN	FTP session is in connection state and waits USER command (user name)
WAITPWD	FTP session waits PASS command (password)
LOGGED	FTP user is logged in state and fully ready to work

C-REM:	IP address and TCP port on the remote FTP client
	see table

IP address and TCP port of the control connection on the remote FTP client.

C-LOC:	IP address and TCP port of the control connection on the local FTP server
	see table

IP address and TCP port of the control connection on the local FTP server.
Ftp server may have been reached with any of the IP addresses of the CPX. The value of TCP port is c-port, currently fixed to the standard value 21.

D-STATE:	State of FTP server data connection
	see table below

Possible states of the FTP server port data connection:

State	Description
READY	Data connection is free and ready to work.
LIST	Data connection sends list of the directory (full format). LIST command processing.
NLIST	Data connection sends list of the directory (short format). NLST command processing.
STOR	Data connection receives file from FTP client. STOR command processing.
STOU	Data connection receives file from FTP client and stores it to the unique file on the server. STOU command processing.
APPE	Data connection receives file from FTP client and appends it to the existent file on the server. APPE command processing.
RETR	Data connection sends file to the client. RETR command processing.
PASVL	Data listens TCP port to establish of passive TCP connection from remote side. PASV command processing

D-REM:	IP address and TCP port on the remote FTP client, or on another FTP server
	see table

IP address and TCP port of the data connection on the remote FTP client, or on another FTP server.

It is equal to 0.0.0.0:0 if data connection is in READY state (if data connection not established).

D-LOC:	IP address of the data connection on the local FTP server
	see table

IP address of the data connection on the local FTP server.

Ftp server "data" may have been opened in PASV mode with any of the IP addresses of the CPX, or the FTP server may have called the client from any of the router's addresses.
Usually data connections are accepted/opened with a local IP address equal to that FTP-client established the control connection.

It is equal to 0.0.0.0:0 if data connection is in READY state (if data connection not established).

USER:	User name of the established FTP client
	up to 32 characters, ftp, anonymous

User name of the established FTP client. Can be "anonymous" or "ftp" if anonymous clients are allowed. (ANONYMOUS-USER parameter is set to PERMIT), e.g. "konstantin", "leo", "ftp".

Ports statistics

CTRL-CHR:	Number of received/sent characters by FTP control session(s)
	0 - 4294967295

Total number of characters received (INPUT) or sent (OUTPUT) by FTP control session(s).

DATA-CHR:	Number of received/sent characters by FTP data session(s)
	0 - 4294967295

Total number of characters received (INPUT) or sent (OUTPUT) by FTP data session(s).

CTRL-PCK:	Number of received/sent packets by FTP control session
	0 - 4294967295

Total number of packets received (INPUT) or sent (OUTPUT) by FTP control session(s).

DATA-PCK:	Number of received/sent packets by FTP data session
	0 - 4294967295

Total number of packets received (INPUT) or sent (OUTPUT) by FTP data session(s).

COMMAND:	Number of valid FTP commands which were received by FTP control session(s)
	0 - 4294967295

Total number of valid FTP commands which were received by FTP control session(s) from the FTP client(s).

REPLY:	Number of FTP replies which were by FTP control session(s)
	0 - 4294967295

Total number of FTP replies which were sent by FTP control session(s) to the FTP client(s)

Range of IP addresses / TCP port statistic parameter.
CP Layout	Variable name	Range	Description
IP:PORT e.g..192.168.000.002:1201	IP	0.0.0.0, 1.0.0.0 - 126.255.255.255, 128.0.0.0 - 223.255.255.255	IP address
IP:PORT e.g..192.168.000.002:1201	PORT	0-65535	TCP port

Class D and class E addresses are not supported.

FTP server port debug information

You can get help information about FTP debug by executing "debug po:ftp" or "debug po:ftp lsn:0"commands.

At next snapshot you can see CPX screen with debug information of FTP-server port after executing command "debug po:ftp"

[16:02:14] ABILIS_CPX:debug po:ftp

PO:967 ------------------------------------------------------------------------
FTP BufferLength:254 Date/Time:06/01/2003 16:02:39 TraceTime:<NotRunning>

DEBUG PO:<FTP>
LSN:0 - This help
LSN:1 - Complete debug
LSN:2 - Statistics
LSN:3 - Session log
LSN:3 CMD:CLR - Clear session log
LSN:3 CMD:SES:x - Shows events only for session "x"

You can get statistic of FTP server by executing "debug po:ftp lsn:2"command.

At next snapshot you can see CPX screen with FTP server port statistic after executing command "debug po:ftp lsn:2"

[16:10:40] ABILIS_CPX:debug po:ftp lsn:2

PO:967 ------------------------------------------------------------------------
FTP    BufferLength:1123   Date/Time:06/01/2003 16:10:53 TraceTime:<NotRunning>

------------------------------------------------------------------------
STATE:ACTIVE              MAX-CLI:4
------------------------------------------------------------------------
Cumulative PLAIN and SSL
------------------------------------------------------------------------
CUR-CLI-CONNECTED:0     CUR-CLI-DATA:0    CUR-CLI-LOGGED:0
PEAK-CLI-CONNECTED:2    PEAK-CLI-DATA:0
------------------------------------------------------------------------
SSL specific
------------------------------------------------------------------------
SSL-CUR-CLI-CONNECTED:0     SSL-CUR-CLI-DATA:0    SSL-CUR-CLI-LOGGED:0
SSL-PEAK-CLI-CONNECTED:0    SSL-PEAK-CLI-DATA:0
------------------------------------------------------------------------
--CONTROL--+---INPUT---+--OUTPUT---+----DATA---+---INPUT---+--OUTPUT---|
CHR        |       247 |       883 |CHR        |         0 |       187 |
PCK        |        23 |        28 |PCK        |         0 |         3 |
COMMAND    |        23 |           |
REPLY      |           |        28 |
------------------------------------------------------------------------

For getting information of FTP server log buffer you can execute "debug po:ftp lsn:3"command.

At next snapshot you can see CPX screen with FTP server port statistic after executing command "debug po:ftp lsn:3"

[16:07:58] ABILIS_CPX:debug po:ftp lsn:3

PO:967 ------------------------------------------------------------------------
FTP    BufferLength:3743   Date/Time:06/01/2003 16:07:58 TraceTime:<NotRunning>

------------------------------------------------------------------------
06.01 15:57:10 [1] Reply:220 Server ready
06.01 15:57:10 [1] Ctrl connection open:192.168.6.4:1066
06.01 15:57:10 [1] Command:USER admin
06.01 15:57:10 [1] Reply:331 Password required for admin
06.01 15:57:10 [1] Command:PASS admin
06.01 15:57:10 [1] Reply:230 User "admin" logged in
06.01 15:57:10 [1] User "admin" logged in. Home dir:"/"
06.01 15:57:10 [1] Command:SYST
06.01 15:57:10 [1] Reply:215 CPX Generation: 1
06.01 15:57:10 [1] Command:PWD
06.01 15:57:10 [1] Reply:257 "/" is current directory
06.01 15:57:10 [1] Command:TYPE A
06.01 15:57:10 [1] Reply:250 Type set to ASCII
06.01 15:57:10 [1] Command:PORT 192,168,6,4,4,43
06.01 15:57:10 [1] PORT command successful:192.168.6.4:1067
06.01 15:57:10 [1] Reply:200 Port command successful
06.01 15:57:10 [1] Command:LIST
06.01 15:57:10 [1] DATA open ACTIV L:192.168.6.10:20 R:192.168.6.4:1067
06.01 15:57:10 [1] Reply:150 Opening data connection for directory list
06.01 15:57:10 [1] Reply:226 Transfer complete
06.01 15:57:10 [1] Transfer complete. 65 bytes was sent
06.01 15:57:12 [1] Command:CWD sysdrives
06.01 15:57:12 [1] Reply:250 Command successful. "/sysdrives/" is current direct
ory
06.01 15:57:12 [1] Current directory:"/sysdrives/"
06.01 15:57:12 [1] Command:PORT 192,168,6,4,4,44
06.01 15:57:12 [1] PORT command successful:192.168.6.4:1068
06.01 15:57:12 [1] Reply:200 Port command successful
06.01 15:57:12 [1] Command:LIST
06.01 15:57:12 [1] DATA open ACTIV L:192.168.6.10:20 R:192.168.6.4:1068
06.01 15:57:12 [1] Reply:150 Opening data connection for directory list
06.01 15:57:12 [1] Reply:226 Transfer complete
06.01 15:57:12 [1] Transfer complete. 57 bytes was sent
06.01 15:57:14 [1] Command:CDUP
06.01 15:57:14 [1] Reply:250 Command successful. "/" is current directory
06.01 15:57:14 [1] Current directory:"/"
06.01 15:57:14 [1] Command:PWD
06.01 15:57:14 [1] Reply:257 "/" is current directory
06.01 15:57:21 [1] Command:telnet 192.168.6.10
06.01 15:57:21 [1] Reply:500 Command telnet is unknown
06.01 15:57:21 [1] Command telnet is unknown
06.01 15:57:38 [1] Command:CWD sysdrives
06.01 15:57:38 [1] Reply:250 Command successful. "/sysdrives/" is current direct
ory
06.01 15:57:38 [1] Current directory:"/sysdrives/"
06.01 16:00:30 [2] Reply:220 Server ready
06.01 16:00:30 [2] Ctrl connection open:192.168.6.5:1614
06.01 16:00:30 [2] Command:USER admin
06.01 16:00:30 [2] Reply:331 Password required for admin
06.01 16:00:30 [2] Command:PASS admin
06.01 16:00:30 [2] Reply:230 User "admin" logged in
06.01 16:00:30 [2] User "admin" logged in. Home dir:"/"
06.01 16:00:30 [2] Command:SYST
06.01 16:00:30 [2] Reply:215 CPX Generation: 1
06.01 16:00:30 [2] Command:PWD
06.01 16:00:30 [2] Reply:257 "/" is current directory
06.01 16:00:30 [2] Command:TYPE A
06.01 16:00:30 [2] Reply:250 Type set to ASCII
06.01 16:00:30 [2] Command:PORT 192,168,6,5,6,79
06.01 16:00:30 [2] PORT command successful:192.168.6.5:1615
06.01 16:00:30 [2] Reply:200 Port command successful
06.01 16:00:30 [2] Command:LIST
06.01 16:00:30 [2] DATA open ACTIV L:192.168.6.10:20 R:192.168.6.5:1615
06.01 16:00:30 [2] Reply:150 Opening data connection for directory list
06.01 16:00:30 [2] Reply:226 Transfer complete
06.01 16:00:30 [2] Transfer complete. 65 bytes was sent
06.01 16:02:15 [2] Command:QUIT
06.01 16:02:15 [2] Reply:221 Goodbye
06.01 16:02:15 [2] Ctrl connection close
06.01 16:02:38 [1] Inactive time-out expired
06.01 16:02:38 [1] Ctrl connection close

For getting complete debug information of FTP server (statistics and log buffer) you can execute "debug po:ftp lsn:2"command.

Also you can clear debug information from log buffer by executing "debug po:ftp lsn:3 cmd:clr"command.

For showing debug events only for FTP session x you can execute "debug po:ftp lsn:3 cmd:ses:x"command, where x specifies identifier of interesting FTP session.

Long file names

Long file names may consist of any combination of letters, digits, or character values greater than 127 (0x7E).

In particular, the following special characters are ALSO allowed:

Character	ASCII Hex. value
$	0x24
%	0x25
'	0x26
-	0x2D
_	0x5F
@	0x40
~	0x7E
`	0x60
!	0x21
(	0x28
)	0x29
{	0x7B
}	0x7D
^	0x5E
#	0x23
&	0x26
.	0x2E
+	0x2B
,	0x2C
;	0x3B
=	0x2D
[	0x5B
]	0x5D

Also embedded spaces within file names are allowed, while leading and trailing spaces are ignored.

The following characters are NOT allowed:

Character	ASCII Hex. value
\	0x5C
/	0x2F
:	0x3A
*	0x2A
?	0x3F
"	0x22
<	0x3C
>	0x3E
\|	0x7C

Print this page

RECUR:	This user's right is propagated to all the subdirectories, until one is found with "explicit" rights
YES	YES, NO

PROT:	Validity of this right can be made valid/invalid for a specific connection protocol.
PLAIN and SSL	PLAIN or/and SSL