The following list gives general design goals for the File Transfer Protocol (FTP) port of Abilis CPX:
FTP, though usable directly by a user at a terminal, is designed mainly for use by programs.
The FTP-server port is labeled within the Abilis CPX with the acronym "FTP" and it is provided with the parameters described in this section.
Here is an example of how to show the FTP-server port parameters. The values shown are the defaults (command "d p po:ftp"):
```
[15:02:45] ABILIS_CPX:d p po:ftp

PO:914 ------------------------------------------------------------------------
FTP    LOG:NO         lowpo:901      ACT:YES        max-cli:4
       c-port:21      d-port:20      c-sslport:990  d-sslport:989
       IPSRC:*        IPSRCLIST:#
       SEND-TOUT:30   DT:300         REJ-1024:YES   SAME-IP:YES
       SYSDRIVES:NO   MAX-PWD-FAIL:4 DELAY-PWD-FAIL:5
       MAX-IP-SES:NOMAX              MAX-USER-SES:2
       ANONYMOUS-USER:DENY           REGISTERED-USER:PERMIT
```
Changes to parameters displayed in lower case take effect only after a system restart; changes to parameters displayed in upper case take effect after executing the initialization command INIT PO:.
You can get on-line help about the FTP server parameters by executing the command "s p po:ftp ?":
```
[16:40:31] ABILIS_CPX:s p po:ftp ?

FTP port parameters:
LOG:             State changes log and alarm generation [NO, D, S, A, L, T, ALL] [+E]
                 (D: Debug Log; S: System Log; A: Alarm view; L: Local audible alarm;
                 T: SNMP traps; +E: Extended Log of state changes, see ref. manual)
LOWPO:           Lower CPX port [0..999, NONE]
ACT:             Operation activation [NO, YES]
MAX-CLI:         Number of FTP clients [1-255]
C-PORT:          TCP port for incoming control connections [21]
D-PORT:          TCP port for outgoing data connections [20]
C-SSLPORT:       TCP port for incoming SSL control connections [990]
D-SSLPORT:       TCP port for outgoing SSL data connections [20]
IPSRC:           Incoming requests: accepted source IP address
                 [*, 1-126.x.x.x, 128-223.x.x.x]
IPSRCLIST:       Incoming requests: name of the IP/IR/RU/MR list for source IP
                 address acceptance [#, 0..9, a..z, A..Z, _]
SEND-TOUT:       Send time-out [30..3600 sec.]
DT:              Inactivity time-out [30..3600 sec.]
REJ-1024:        Refuse active data connections to client's ports lower then 1024 [NO, YES]
SAME-IP:         Limit data commection to the same IP of the control connection [NO, YES]
SYSDRIVES:       Allow creating a /sysdrive/ virtual directory with <drive> subdirs [NO, YES]
MAX-PWD-FAIL:    Maximum number of password attempts [1-255]
DELAY-PWD-FAIL:  Delay after failed PASS command [1-255 sec.]
MAX-IP-SES:      Limits number of simultaneous CONTROL connections that can be
                 established from a client's IP address [NOMAX, 1..255]
MAX-USER-SES:    Limits number of simultaneous CONTROL connections that a user can
                 establish from the SAME IP with the SAME USER login [NOMAX, 1..255]
ANONYMOUS-USER:  Permit/deny anonymous log-in [DENY, PERMIT]
REGISTERED-USER: Permit/deny log-in of registered users [DENY, PERMIT]
```
LOG: | Events logging activation and generation of alarm signals |
DS | NO, D, S, A, L, T, ALL, +E |
This parameter activates or deactivates the logging of meaningful events of the port, as well as the detection and signalling of alarms in case of critical events.
The following table shows the available options and the related functionalities usable by the parameter:
Option | Meaning |
---|---|
D | Recording of the driver state changes and/or the meaningful events in Debug Log |
S | Recording of the driver state changes and/or the meaningful events in the System Log |
A | Periodic detection of possible alarms. The detected alarms can be displayed with the command ALARM VIEW or with the analogous command available in the UTILITY menu of the LCD display on the front panel |
L | On alarm detection, acoustic signal generation plus a message on the LCD display. This function depends on activation of alarms detection by the "A" option |
T | Generation by the Agent SNMP of Abilis CPX of SNMP traps corresponding to any change of the driver state and/or occurring of meaningful events |
Besides the options already described, the following values are also allowed:
Option | Meaning |
---|---|
NO | It means that all the logging functionalities, alarms detection and generation, above mentioned, are disabled. |
ALL | It means that all the logging functionalities, alarms detection and generation, above mentioned, are enabled. |
+E | This option added to one or more of the previous ones, extends its (their) set of meaningful events. The value "ALL+E" activates all the options and extends the set of meaningful events. The value "NO+E" is meaningless so it is ignored. |
Options can be combined together.
Some examples:
By using the characters "+" and "-" as a prefix of one or more options, it is possible to add or remove one or more functionalities without setting the value of the parameter from scratch.
Some examples:
The changes made on this parameter are immediately activated, without the need of initialization commands.
lowpo: | Lower CPX port number |
NONE | NONE, 1 - 999 |
Lower CPX port number.
Only TCP ports are accepted.
The device management procedures COULD use this value for recursions, for example to perform a parameter check for a full drivers stack, always starting from the TOP.
ACT: | Runtime activation/deactivation of the FTP server port. |
NO | NO, YES |
NO: The port is configured, active, but it does not accept connections. The driver is not listening.
When changing from YES to NO the FTP-server cancels all the pending listens.
YES: The port is configured, active, and it accepts connections. It is listening. When changing from NO to YES the FTP server begins to listen.
max-cli: | Number of FTP clients that the module can support at once. |
4 | 1 - 255 |
Control connections exceeding this value will be rejected. Note that for every client TWO TCP sessions are needed. This value cannot be changed without a CPX restart.
c-port: | FTP control connection TCP port. |
21 | 21 |
Specifies TCP port on which FTP waits for incoming connections. It is the "well known" port 21, which is currently not changeable.
d-port: | FTP data connection TCP port. |
20 | 20 |
Specifies the TCP port from which FTP makes outgoing data connections. It is the "well known" port 20, which is currently not changeable.
c-sslport: | FTP control SSL connection TCP port. |
990 | 990 |
Specifies TCP port on which FTP waits for incoming SSL connections. It is the "well known" port 990, which is currently not changeable.
It is currently not supported.
d-sslport: | FTP data connection TCP port. |
989 | 989 |
Specifies TCP port on which FTP makes outgoing SSL data connections. It is the "well known" port 989, which is currently not changeable.
It is currently not supported.
IPSRC: | Allowed client's IP address. |
* | *, DDN see table below |
Specifies which client's IP address is allowed to access FTP server.
HEX: | 00000000 | 01000000 - 7EFFFFFF | 80000000 - DFFFFFFF |
---|---|---|---|
DDN: | * | 1.0.0.0 - 126.255.255.255 | 128.0.0.0 - 223.255.255.255 |
The default value is *, which means "any IP", so every client IP is allowed.
To restrict access, set IPSRC to the IP address of a client that must always have access, e.g. the IP address of the administrator console, and add further IPs using IPSRCLIST.
This method guarantees that even if the list referenced by IPSRCLIST is misconfigured, at least one client, e.g. that of the system administrator, still has access to the FTP server.
IPSRCLIST: | List of additional allowed client's IP addresses |
# | list name (0..9, a..z, A..Z), # |
Specifies additional client IP addresses allowed to access the FTP server. The default value is #, which means "no list used"; in that case the FTP server driver does not query the list service.
If IPSRC is equal to *, the driver skips the query to the list service, since "any IP" is already accepted through IPSRC.
SEND-TOUT: | Send timeout for control and data connections. |
30 | 30-3600 |
Specifies the send inactivity timeout for control and data connections. Upon timeout the connection is forced to close: if a file transfer is in progress the data connection is closed, otherwise the control connection is closed and the session terminates.
DT: | Inactivity timeout for the session. |
300 | 30-3600 |
Specifies the inactivity timeout for control and data connections. Traffic on either the control or the data connection resets the timer.
The timeout is restarted, i.e. reset, at every in/out transfer on either of the two sessions (control and data). This means that the timeout expires only when BOTH sessions have exceeded the inactivity time.
Upon timeout the control connection is forcibly closed, as well as the data connection if it is open.
REJ-1024: | Limitation of the data connections to client's ports lower than 1024. |
YES | NO, YES |
Refuse active data connections to client's ports lower than 1024 (client port specified in the PORT command < 1024). If this parameter is set, data ports lower than 1024 are not accepted, which protects against a "Bounce Attack".
MAX-PWD-FAIL: | Maximal number of password attempts. |
4 | 1-255 |
Specifies the maximum number of password attempts, after which the session is disconnected, to lower the efficiency of a possible brute-force attack.
DELAY-PWD-FAIL: | Delay after failed PASS command. |
5 | 1-255 |
The delay is applied after each failed PASS command, to lower the efficiency of a possible brute-force attack.
SAME-IP: | Limitation of establishment of DATA connection to the same IP of the CONTROL connection |
YES | NO, YES |
If this parameter is set, the FTP server establishes a DATA connection only to an IP address identical to that of the CONTROL connection. This strengthens protection when there is no need to establish the data connection to a third machine, which is the most common use we will make of the FTP server.
Valid for both active and passive modes.
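The REJ-1024 and SAME-IP checks described above, written out as server-side validation of a PORT argument and of a passive-mode peer. This is an added example, not Abilis CPX code; the names `DataConnPolicy`, `check_port_command` and `check_pasv_peer` and the reason strings are hypothetical, and the addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DataConnPolicy:
    """Mirrors the two parameters; defaults are the ones shown on this page."""
    rej_1024: bool = True   # REJ-1024:YES
    same_ip: bool = True    # SAME-IP:YES


def parse_port_argument(arg):
    """Parse the RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    fields = [f.strip() for f in arg.split(",")]
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated fields")
    if not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError("PORT fields must be decimal digits")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("PORT fields must be in 0..255")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    port = nums[4] * 256 + nums[5]
    return ip, port


def check_port_command(arg, control_peer_ip, policy=DataConnPolicy()):
    """Decide whether an active-mode data connection may be opened.

    Returns (accepted, reason); reason names the parameter that refused it.
    """
    try:
        ip, port = parse_port_argument(arg)
    except ValueError:
        return False, "SYNTAX"
    # REJ-1024: refuse data connections to client ports below 1024.
    if policy.rej_1024 and port < 1024:
        return False, "REJ-1024"
    # SAME-IP: the data target must be the host that owns the control connection.
    if policy.same_ip and ip != ipaddress.IPv4Address(control_peer_ip):
        return False, "SAME-IP"
    return True, "OK"


def check_pasv_peer(data_peer_ip, control_peer_ip, policy=DataConnPolicy()):
    """Passive mode: with SAME-IP set, only the control peer may connect
    to the listening data port."""
    if not policy.same_ip:
        return True
    return ipaddress.IPv4Address(data_peer_ip) == ipaddress.IPv4Address(control_peer_ip)


if __name__ == "__main__":
    control_peer = "192.168.6.4"   # constructed sample client address
    samples = [
        "192,168,6,4,4,42",    # same host, port 1066
        "192,168,6,4,0,25",    # same host, port 25
        "192,168,6,10,4,42",   # third machine, port 1066
        "192,168,6,4,4",       # malformed: five fields
    ]
    for arg in samples:
        print(f"PORT {arg:<20} -> {check_port_command(arg, control_peer)}")
```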
SYSDRIVES: | Allow creating a /sysdrive/ virtual root path with <drive> subdirs. |
NO | NO, YES |
If this parameter is set, additional virtual root path "/sysdrive/" is created, having all system drives as its subdirectories.
MAX-IP-SES: | Limits number of simultaneous CONTROL connections that can be established from a client's IP address. |
NOMAX | NOMAX, 1 - 255 |
This parameter defines how many CONTROL connections can be established from the SAME IP address. If this parameter is set to NOMAX, the number of CONTROL connections is not limited by this restriction and is displayed/configured as NOMAX.
MAX-USER-SES: | Limits number of simultaneous CONTROL connections that a user can establish from the SAME IP with the SAME USER login |
2 | NOMAX, 1 - 255 |
This parameter defines how many CONTROL connections can be established with the SAME USER-id from the SAME IP address. If this parameter is set to NOMAX, number of CONTROL connections is not limited by this restriction and displayed/configured as NOMAX.
ANONYMOUS-USER: | Permit/deny anonymous log-in |
DENY | DENY, PERMIT |
Enables/Disables the acceptance of anonymous log-in
REGISTERED-USER: | Permit/deny log-in of registered users (not anonymous). |
PERMIT | DENY, PERMIT |
Enables/Disables the acceptance of registered users log-in.
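A way to review a captured "d p po:ftp" dump against the parameter descriptions above. This is an added example, not part of Abilis CPX; the rule list and the function names are hypothetical, the numeric baselines are simply the defaults shown on this page, and the second dump is constructed.

```python
import re

# Parameter names as they appear in the "d p po:ftp" output on this page.
KNOWN = {
    "LOG", "LOWPO", "ACT", "MAX-CLI", "C-PORT", "D-PORT", "C-SSLPORT",
    "D-SSLPORT", "IPSRC", "IPSRCLIST", "SEND-TOUT", "DT", "REJ-1024",
    "SAME-IP", "SYSDRIVES", "MAX-PWD-FAIL", "DELAY-PWD-FAIL", "MAX-IP-SES",
    "MAX-USER-SES", "ANONYMOUS-USER", "REGISTERED-USER",
}


def _num(value):
    """Return the value as int, or None when it is not a plain number."""
    return int(value) if value.isascii() and value.isdigit() else None


# (parameter, predicate on its value, what the setting means per the page)
RULES = [
    ("ANONYMOUS-USER", lambda v: v == "PERMIT", "anonymous log-in is accepted"),
    ("REJ-1024", lambda v: v == "NO",
     "data connections to client ports below 1024 are accepted"),
    ("SAME-IP", lambda v: v == "NO",
     "data connections may go to an IP other than the control peer"),
    ("SYSDRIVES", lambda v: v == "YES",
     "all system drives are reachable under the /sysdrive/ virtual path"),
    ("IPSRC", lambda v: v == "*", "any client IP is allowed"),
    ("MAX-IP-SES", lambda v: v == "NOMAX",
     "no limit on control connections per client IP"),
    ("MAX-USER-SES", lambda v: v == "NOMAX",
     "no limit on control connections per user and IP"),
    ("MAX-PWD-FAIL", lambda v: (_num(v) or 0) > 4,
     "more password attempts per session than the default 4"),
    ("DELAY-PWD-FAIL", lambda v: _num(v) is not None and _num(v) < 5,
     "shorter delay after a failed PASS than the default 5 s"),
    ("LOG", lambda v: v == "NO", "logging and alarm generation are disabled"),
]


def parse_params(dump):
    """Extract NAME:VALUE pairs, keeping only known FTP port parameters.

    The prompt ("ABILIS_CPX:d", "po:ftp") and the "PO:914" header also look
    like NAME:VALUE tokens, so unknown names are dropped.
    """
    params = {}
    for name, value in re.findall(r"(?<![\w-])([A-Za-z][\w-]*):(\S+)", dump):
        if name.upper() in KNOWN:
            params[name.upper()] = value.upper()
    return params


def audit(dump):
    """Return [(parameter, value, finding)] for every rule that matches."""
    params = parse_params(dump)
    return [(name, params[name], text)
            for name, test, text in RULES
            if name in params and test(params[name])]


# Default values, copied from the output shown on this page.
PAGE_DEFAULT = (
    "[15:02:45] ABILIS_CPX:d p po:ftp PO:914 ---- FTP LOG:NO lowpo:901 "
    "ACT:YES max-cli:4 c-port:21 d-port:20 c-sslport:990 d-sslport:989 "
    "IPSRC:* IPSRCLIST:# SEND-TOUT:30 DT:300 REJ-1024:YES SAME-IP:YES "
    "SYSDRIVES:NO MAX-PWD-FAIL:4 DELAY-PWD-FAIL:5 MAX-IP-SES:NOMAX "
    "MAX-USER-SES:2 ANONYMOUS-USER:DENY REGISTERED-USER:PERMIT"
)

# Constructed dump with the protective settings switched off.
LOOSENED = (
    "PO:914 ---- FTP LOG:NO lowpo:901 ACT:YES max-cli:4 IPSRC:* IPSRCLIST:# "
    "SEND-TOUT:30 DT:300 REJ-1024:NO SAME-IP:NO SYSDRIVES:YES "
    "MAX-PWD-FAIL:20 DELAY-PWD-FAIL:1 MAX-IP-SES:NOMAX MAX-USER-SES:NOMAX "
    "ANONYMOUS-USER:PERMIT REGISTERED-USER:PERMIT"
)

if __name__ == "__main__":
    for label, dump in (("page default", PAGE_DEFAULT), ("loosened", LOOSENED)):
        print(label)
        for name, value, text in audit(dump):
            print(f"  {name}:{value}  {text}")
```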
The Virtual root paths table can store up to 64 records.
Virtual paths can be individually added/set/displayed/cleared with the command:
A/S/D/C FTP PATH:<virtual path> [PHYS-PATH:<physical path>]
The whole table can be shown with the "d ftp path" command:
An example of the output is shown below:
```
[10:01:53] ABILIS_CPX:d ftp path

Parameter: |Value:
------------------------------------------------------------------------------
PATH:       /pub/
PHYS-PATH:  C:\USR\PUB\
------------------------------------------------------------------------------
PATH:       /pub2/
PHYS-PATH:  D:\USR\PUB\
------------------------------------------------------------------------------
PATH:       /usr/
PHYS-PATH:  C:\USR\
------------------------------------------------------------------------------
PATH:       /usr2/
PHYS-PATH:  D:\USR\
------------------------------------------------------------------------------
```
PATH: | Virtual root path |
empty | up to 32 characters (see also long file names) |
Specifies the virtual root path for a directory on disk, in UNIX notation, starting and ending with a slash ("/"), e.g. "/Common/" or "/usr/".
The virtual path "/" is not accepted because "/" never refers to a physical path; it is only the "container" of virtual paths.
PHYS-PATH: | Physical path. |
empty | up to 128 characters (see also long file names) |
Specifies real path on disks of a directory, in DOS notation starting with a drive letter and ending with a backslash ("\"). E.g. C:\, A:\, C:\USR\TEST\.
By default the root path table contains the following entries:
Virtual root path | Real path |
---|---|
/usr/ | c:\usr\ |
/usr2/ | d:\usr\ |
/pub/ | c:\usr\pub\ |
/pub2/ | d:\usr\pub\ |
The use of c:\usr is defined in the documents describing the boot manager, for reasons of security as well as system integrity. The directory d:\usr will be used in the same way.
Again for system integrity the FTP server applies the following restrictions:
Moreover:
You can also show a specific record by using the "d ftp path:<virtual path>" command.
An example of the output is shown below:
```
[19:52:40] ABILIS_CPX:d ftp path:/leo-private/

Parameter: |Value:
------------------------------------------------------------------------------
PATH:       /leo-private/
PHYS-PATH:  c:\usr\leo\leo-private\
------------------------------------------------------------------------------
```
The service of user authentication is provided through a centralized "archive" where users are defined as well as the services to which they have access and some service-related parameters.
The centralized "User service" provides the authentication for the following services:
The RAS table that was present up to version 4.3.x has been replaced by the USER service, available through the "Commands relating to Users Access Control table". Issuing any of the obsolete RAS commands will produce the following warning message:
RAS SERVICE IS DEPRECATED. USE USERs ACCESS CONTROL SERVICE
The User service has a user "admin" that cannot be deleted. This user can be enabled only with a "non empty" password.
For the FTP service the HOMEDIR parameter will be managed exactly as required by FTP:
The syntax of the commands is:
```
a/c/s user:<user> [optional parameters]
d user[:<user>|a]
d usere[:<user>|a]
```
Display USERs table summary: "d user"
```
[15:45:19] ABILIS_CPX:d user

USER:        PASSWORD:   ENABLED:  PPP:  FTP:  HTTP:  CP:
-------------------------------------------------------------------------------
Leo                      YES       YES   YES   YES    YES
Konstantin   *********   YES       NO    YES   YES    NO
```
Display a selected entry of the USERs table: "d user:<user>"
```
[15:45:19] ABILIS_CPX:d user:Leo

Parameter     |Value
-------------------------------------------------------------------------------
USER:          Leo
PASSWORD:
ENABLED:       YES
PPP:           YES
PPP-AUTH:      chap
PPP-PO:        ANY
FTP:           YES
FTP-HOMEDIR:
FTP-PROT:      PLAIN
HTTP:          YES
CP:            YES
CP-LEVEL:      USER
```
Display all entries of the USERs table: "d user:a"
```
[15:45:19] ABILIS_CPX:d user:a

Parameter     |Value
-------------------------------------------------------------------------------
USER:          Leo
PASSWORD:
ENABLED:       YES
PPP:           YES
PPP-AUTH:      chap
PPP-PO:        ANY
FTP:           YES
FTP-HOMEDIR:
FTP-PROT:      PLAIN
HTTP:          YES
CP:            YES
CP-LEVEL:      USER
-------------------------------------------------------------------------------
USER:          Konstantin
PASSWORD:      *********
ENABLED:       YES
FTP:           YES
FTP-HOMEDIR:   /user/konstt/
FTP-PROT:      PLAIN,SSL
HTTP:          YES
-------------------------------------------------------------------------------
```
If a section (PPP/FTP/HTTP/CP) is disabled (set to NO) it is not displayed.
The "extended" version of the command also displays the sections set to NO.
The extended command is "d usere:<user> | all"
```
[15:45:19] ABILIS_CPX:d usere:Konstantin

Parameter     |Value
-------------------------------------------------------------------------------
USER:          Konstantin
PASSWORD:      *********
ENABLED:       YES
PPP:           NO
PPP-AUTH:      chap
PPP-PO:        ANY
FTP:           YES
FTP-HOMEDIR:   /user/konstt/
FTP-PROT:      PLAIN,SSL
HTTP:          YES
CP:            NO
CP-LEVEL:      USER
-------------------------------------------------------------------------------
```
USER: | User name. |
empty | up to 32 of '0'-'9', 'A'-'Z', 'a'-'z', '_', ':' characters |
User name. The strings 'A' and 'ALL' are reserved for the system and cannot be used for user name value.
PASSWORD: | User password. |
empty | up to 32 of '0'-'9', 'A'-'Z', 'a'-'z', '_', ':' characters |
User password.
ENABLED: | User enable/disable flag. |
YES | NO, YES |
User enable/disable flag.
FTP: | FTP service enable/disable flag |
NO | NO, YES |
FTP service enable/disable flag. If it is set to NO (disabled) it is not displayed.
FTP-HOMEDIR: | Starting virtual path (home) for the user |
empty | up to 128 characters (see also long file names) |
Specifies the home virtual path for a user, e.g. /user/konstt/ or /system/admin/.
When the user logs in, the FTP server puts the user in this virtual path, which becomes the current path.
This is not a "root" path for the user, so if the user issues the PWD command, the current path reported is "HOMEDIR", and not "/".
If HOMEDIR is empty the FTP driver must assume HOMEDIR=/.
If the FTP flag is set to NO (disabled) FTP-HOMEDIR is not displayed.
FTP-PROT: | The user is accepted only if he is using one of the protocols specified here. |
PLAIN and SSL | PLAIN or/and SSL |
The FTP server can be accessed using the PLAIN unencrypted protocol or using SSL encryption. With this parameter it is possible to restrict the acceptance of the user to a specific protocol.
If FTP flag is set to NO (disabled) FTP-PROT is not displayed.
After a user is authenticated, the next requirement is to grant or deny access to portions of the FTP site; this is done through an access control system. Its complexity can vary a lot, depending on the specific requirements and on the underlying operating system and file system.
For controlling access to FTP (and other) resources CPX has a control system based on:
It is realized as "common service". The "access control service" has by default some authorizations, but they can be changed/removed by the user:
PATH | USER | FILE | DIR | RECUR | PROT |
---|---|---|---|---|---|
/pub/ | anonymous | r--- | l--- | yes | plain,ssl |
/pub2/ | anonymous | r--- | l--- | yes | plain,ssl |
/sysdrives/ | admin | rwdn | lcdn | yes | plain,ssl |
/usr/ | admin | rwdn | lcdn | yes | plain,ssl |
/usr2/ | admin | rwdn | lcdn | yes | plain,ssl |
Access rights for a specific virtual path can be individually added/set/displayed/cleared with the commands described in this section.
The rights are split in "file rights" and "directory rights" and are configured/viewed with two different parameters: FILE: and DIR:.
The values of these parameters are configured in a way comparable to the CX32_LOG parameter: each right corresponds to a character, and a "+" or "-" sign specifies "granted" or "denied" respectively. The syntax is:
```
FILE:[+|-R][+|-W][+|-D][+|-N]
DIR:[+|-L][+|-C][+|-D][+|-N]
```
As a result the command variants below are equivalent:
```
S FTP RIGHTS PATH:/ USER:test FILE:+R+W+D+N
S FTP RIGHTS PATH:/ USER:test FILE:rwdn
S FTP RIGHTS PATH:/ USER:test FILE:NdwR
S FTP RIGHTS PATH:/ USER:test FILE:+D-N
S FTP RIGHTS PATH:/ USER:test FILE:D-N
S FTP RIGHTS PATH:/ USER:test FILE:-ND
```
Add path, add path and a user, add user to an existing path.
Add the path only.
```
a ftp rights path:<virtual path> | id:<id>
```
Add path and user: the path does not exist yet. If this is too complicated we can avoid this add "path and user" case.
```
a ftp rights path:<virtual path>|id:<id> [user:<user> file:<file rights> dir:<dir rights> recur:yes|no mode:plain,ssl]
```
Add user: the path already exists.
```
a ftp rights path:<virtual path>|id:<id> [user:<user> file:<file rights> dir:<dir rights> recur:yes|no mode:plain,ssl]
```
Set rights and the other parameters for an already existing user.
```
a ftp rights path:<virtual path>|id:<id> user:<user>[file:<file rights> dir:<dir rights> recur:yes|no mode:plain,ssl]
```
Delete an existing user. If the user is the last one the path is not deleted.
```
c ftp rights path:<virtual path> | id:<id> user:<user>
```
Display paths and users.
Display rights summary
d ftp rights
An example of the output is shown below:
```
[09:56:29] ABILIS_CPX:d ftp rights

------------------------------------------------------------------------------
ID:  PATH:         USER:       FILE:  DIR:  RECUR:  PROT:
------------------------------------------------------------------------------
1    /pub/         admin       rwdn   lcdn  YES     PLAIN,SSL
                   anonymous   r---   l---  YES     PLAIN,SSL
------------------------------------------------------------------------------
2    /pub2/        admin       rwdn   lcdn  YES     PLAIN,SSL
                   anonymous   r---   l---  YES     PLAIN,SSL
------------------------------------------------------------------------------
3    /sysdrives/   admin       rwdn   lcdn  YES     PLAIN,SSL
------------------------------------------------------------------------------
4    /usr/         admin       rwdn   lcdn  YES     PLAIN,SSL
------------------------------------------------------------------------------
5    /usr2/        admin       rwdn   lcdn  YES     PLAIN,SSL
------------------------------------------------------------------------------
```
Display rights for a specific path
d ftp rights path:<virtual path> | id:<id>
An example of the output is shown below:
```
[19:52:40] ABILIS_CPX:d ftp rights path:/usr/pub (or id:1)

------------------------------------------------------------------------------
ID:  PATH:         USER:       FILE:  DIR:  RECUR:  PROT:
------------------------------------------------------------------------------
1    /usr/pub/     anonymous   r---   l---  YES     PLAIN
------------------------------------------------------------------------------
```
Display rights that a user has on all paths. The paths for which the user is not defined are skipped.
d ftp rights user:<user>
An example of the output is shown below:
```
[19:52:40] ABILIS_CPX:d ftp rights user:leo

------------------------------------------------------------------------------
ID:  PATH:                  USER:  FILE:  DIR:  RECUR:  PROT:
------------------------------------------------------------------------------
10   /usr/leo/              leo    rwdn   lcdn  YES     PLAIN,SSL
------------------------------------------------------------------------------
50   /usr/konstantin/       leo    ----   l---  YES     PLAIN,SSL
------------------------------------------------------------------------------
51   /usr/konstantin/123/   leo    ----   l---  YES     PLAIN,SSL
------------------------------------------------------------------------------
```
ID: | ID assigned to this entry and referenced by the user rights table records. |
0 | 0, 1-128 |
Specifies the ID of the virtual path to which this user right applies.
PATH: | Virtual path for which one or more user rights are specified in the user rights table |
empty | up to 128 characters (see also long file names) |
Specifies the Virtual Path for which one or more user rights are specified in the user rights table, e.g. "/Common/" or "/usr/konstt/".
USER: | User to whom the rights belong. |
empty | up to 32 of '0'-'9', 'A'-'Z', 'a'-'z', '_', ':' characters |
Specifies the user for whom rights are specified.
See also user authentication service.
FILE: | Access to the file operations |
r--- | see table |
DIR: | Access to the directory operations |
l--- | see table |
RECUR: | This user's right is propagated to all the subdirectories, until one is found with "explicit" rights |
YES | YES, NO |
Specifies whether this right has to be extended to all the subdirectories, until one is found with an explicit rights definition
PROT: | Validity of this right can be made valid/invalid for a specific connection protocol. |
PLAIN and SSL | PLAIN or/and SSL |
Specifies for which connection modes (PLAIN, SSL or both) this record is applicable.
The description of FILE: and DIR: parameters values
FILE: | | | | DIR: | | | |
---|---|---|---|---|---|---|---|
R | W | D | N | L | C | D | N |
Read | Write | Delete | Rename | List | Create | Delete | Rename |
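How the RECUR and PROT fields can combine when a request is checked, as an added example that is not Abilis CPX code. The page does not spell out the lookup order, so the following are assumptions: the nearest entry for the user wins, an entry with RECUR:NO covers only its own directory, and a record whose PROT excludes the session protocol is ignored. The table rows come from the outputs above except the one marked constructed.

```python
from dataclasses import dataclass

NO_RIGHTS = ("----", "----")     # (FILE, DIR) with nothing granted
BOTH = ("PLAIN", "SSL")


@dataclass(frozen=True)
class Right:
    path: str      # virtual path, starting and ending with "/"
    user: str
    file: str      # R W D N positions, "-" where denied
    dir: str       # L C D N positions, "-" where denied
    recur: bool    # RECUR: YES / NO
    prot: tuple    # protocols for which the record is applicable


TABLE = [
    Right("/pub/", "anonymous", "r---", "l---", True, BOTH),
    Right("/usr/", "admin", "rwdn", "lcdn", True, BOTH),
    Right("/usr/pub/", "anonymous", "r---", "l---", True, ("PLAIN",)),
    Right("/usr/leo/", "leo", "rwdn", "lcdn", True, BOTH),
    Right("/usr/konstantin/", "leo", "----", "l---", True, BOTH),
    Right("/usr/leo/keys/", "leo", "r---", "l---", False, BOTH),  # constructed
]


def ancestors(vdir):
    """Yield vdir itself, then each parent directory, ending with "/"."""
    if not (vdir.startswith("/") and vdir.endswith("/")):
        raise ValueError("virtual directory must start and end with '/'")
    parts = [p for p in vdir.split("/") if p]
    if any(p in (".", "..") for p in parts):
        raise ValueError("relative segments must be resolved before the check")
    for n in range(len(parts), -1, -1):
        yield "/" + "".join(p + "/" for p in parts[:n])


def effective_rights(table, user, vdir, prot):
    """Return the (FILE, DIR) strings that apply to user in vdir over prot."""
    for depth, path in enumerate(ancestors(vdir)):
        for r in table:
            if r.path == path and r.user == user and prot in r.prot:
                if depth == 0 or r.recur:
                    return (r.file, r.dir)
                # Assumption: an explicit entry without RECUR stops the
                # inheritance from directories further up.
                return NO_RIGHTS
    return NO_RIGHTS


def allowed(table, user, vdir, prot, kind, op):
    """kind is "file" (ops r, w, d, n) or "dir" (ops l, c, d, n)."""
    valid = "rwdn" if kind == "file" else "lcdn"
    if len(op) != 1 or op.lower() not in valid:
        raise ValueError(f"unknown {kind} operation: {op!r}")
    file_rights, dir_rights = effective_rights(table, user, vdir, prot)
    rights = file_rights if kind == "file" else dir_rights
    return op.lower() in rights.lower()


if __name__ == "__main__":
    for user, vdir, prot in [
        ("leo", "/usr/leo/docs/", "PLAIN"),        # inherited from /usr/leo/
        ("leo", "/usr/konstantin/123/", "SSL"),    # list only
        ("leo", "/usr/leo/keys/old/", "SSL"),      # RECUR:NO parent
        ("anonymous", "/usr/pub/", "SSL"),         # record is PLAIN only
    ]:
        print(user, vdir, prot, effective_rights(TABLE, user, vdir, prot))
```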
These snapshots show the CPX screens with the statistics of the FTP-server port after executing the command D S: "d s po:ftp".
Without active FTP connections:
```
[15:38:27] ABILIS_CPX:d s po:ftp

PO:967 ------------------------------------------------------------------------
FTP    STATE:ACTIVE   MAX-CLI:4
-- Clients --------|--TOT CUR---|--TOT PEAK--|--SSL CUR---|--SSL PEAK--|
CONNECTED          |           0|           0|           0|           0|
LOGGED             |           0|            |           0|            |
DATA-SESSION       |           0|           0|           0|           0|
------------------------------------------------------------------------
-- Sessions states -----------------------------------------------------
SES C-STATE C-REM                C-LOC                USER
    D-STATE D-REM                D-LOC
------------------------------------------------------------------------
*** NO FTP SESSIONs ***
-- Ports statistics ----------------------------------------------------
-----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
CTRL-CHR   |          0|          0|CTRL-PCK   |          0|          0|
DATA-CHR   |          0|          0|DATA-PCK   |          0|          0|
COMMAND    |          0|           |REPLY      |           |          0|
------------------------------------------------------------------------
```
With two active FTP connections:
```
[15:58:20] ABILIS_CPX:d s po:ftp

PO:967 ------------------------------------------------------------------------
FTP    STATE:ACTIVE   MAX-CLI:4
-- Clients --------|--TOT CUR---|--TOT PEAK--|--SSL CUR---|--SSL PEAK--|
CONNECTED          |           2|           2|           0|           0|
LOGGED             |           2|            |           0|            |
DATA-SESSION       |           0|           0|           0|           0|
------------------------------------------------------------------------
-- Sessions states -----------------------------------------------------
SES C-STATE C-REM                C-LOC                USER
    D-STATE D-REM                D-LOC
------------------------------------------------------------------------
1   LOGGED  192.168.006.004:1066 192.168.006.010:21   admin
    READY   000.000.000.000:0    000.000.000.000:0
2   LOGGED  192.168.006.005:1614 192.168.006.010:21   admin
    READY   000.000.000.000:0    000.000.000.000:0
-- Ports statistics ----------------------------------------------------
-----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
CTRL-CHR   |        241|        870|CTRL-PCK   |         22|         27|
DATA-CHR   |          0|        187|DATA-PCK   |          0|          3|
COMMAND    |         22|           |REPLY      |           |         27|
------------------------------------------------------------------------
```
This snapshot shows the CPX screen with the statistics of the FTP-server port after executing the command D SE: "d se po:ftp".
```
[11:16:07] ABILIS_CPX:d se po:ftp

PO:967 ------------------------------------------------------------------------
FTP    --- Cleared 000:00:04:38 ago, on 30/12/2002 at 11:12:46 ----------------
SES C-STATE C-REM                C-LOC                USER
    D-STATE D-REM                D-LOC
------------------------------------------------------------------------
4   LOGGED  192.168.000.002:1201 192.168.000.060:21   anonymous
    READY   000.000.000.000:0    000.000.000.000:0
-----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
CTRL-CHR   |         90|        271|CTRL-PCK   |          7|          8|
DATA-CHR   |          0|          0|DATA-PCK   |          0|          0|
COMMAND    |          7|           |REPLY      |           |          8|
------------------------------------------------------------------------
```
The information "Cleared DDD:HH:MM:SS ago, at DD/MM/YYYY HH:MM:SS", shown by the extended statistics, gives the time elapsed since the last reset of the statistics (in the format "days:hours:minutes:seconds") and the date/time of that reset (in the format "day/month/year" and "hours:minutes:seconds").
STATE: | FTP-server port state |
see table below |
Possible states of the FTP server port.
State | Description |
---|---|
INIT | FTP server port is in the init state |
INACTIVE | FTP server port is "ready" to work, but the ACT: parameter is set to "NO" |
ACTIVE | FTP server port is fully ready to work |
MAX-CLI: | Number of FTP client that FTP server can serve |
1-255 |
It shows how many clients can be served simultaneously; for each of them the FTP server has reserved one session for COMMANDs and one for DATA. This counter makes no distinction between "plain" and "ssl" sessions.
It is equal to the max-cli parameter.
CONNECTED: | Number of FTP control sessions which are connected |
0 - 255 |
CONNECTED TOT CUR shows the number of FTP control sessions which are currently connected, including those not logged in. This counter makes no distinction between "plain" and "ssl" sessions.
It also corresponds to the number of clients currently connected.
CONNECTED TOT PEAK shows the peak number of FTP control sessions that were connected at the same time, including those not logged in. This counter is actually the maximum value ever reached by "CONNECTED TOT CUR".
CONNECTED SSL CUR shows number of SSL FTP control sessions which are connected.
As for "CONNECTED TOT CUR" but limited to SSL sessions.
CONNECTED SSL PEAK shows maximum number of SSL FTP control sessions that went connected simultaneously.
As for "CONNECTED TOT PEAK" but limited to SSL sessions.
LOGGED: | Number of FTP control sessions which are connected and logged-in |
0 - 255 |
LOGGED TOT CUR shows the number of FTP control sessions which are currently connected and which have already successfully logged in. This counter makes no distinction between "plain" and "ssl" sessions.
It also corresponds to the number of clients currently connected and logged in.
LOGGED SSL CUR shows number of SSL FTP control sessions which are connected and logged-in.
As for "LOGGED TOT CUR" but limited to SSL sessions.
DATA-SESSION: | Number of FTP data sessions which are currently established |
0 - 255 |
DATA-SESSION TOT CUR shows the number of FTP data sessions which are currently established and on which the data transfer is in progress or about to start. This counter makes no distinction between "plain" and "ssl" sessions.
It also corresponds to the number of clients currently sending to or receiving from the FTP server.
DATA-SESSION TOT PEAK shows the maximum number of FTP data sessions that were established simultaneously.
It shows the peak value of FTP data sessions that were established at the same time. This counter is actually the maximum value ever reached by "DATA-SESSION TOT CUR".
DATA-SESSION SSL CUR shows the number of SSL FTP data sessions which are currently established.
As for "DATA-SESSION TOT CUR" but limited to SSL sessions.
DATA-SESSION SSL PEAK shows the maximum number of SSL FTP data sessions that were established simultaneously.
As for "DATA-SESSION TOT PEAK" but limited to SSL sessions.
SESS: | Identifier of FTP session |
1 - 255 |
Unique identifier of established FTP session.
C-STATE: | State of FTP server control connection |
see table below |
Possible states of the FTP server port control connection:
State | Description |
---|---|
STOPPED | FTP session is stopped. ACT parameter is set to "NO". |
READY | FTP session is ready to work. |
CONN | FTP session is in the connection state and waits for the USER command (user name) |
WAITPWD | FTP session waits for the PASS command (password) |
LOGGED | FTP user is in the logged-in state and fully ready to work |
C-REM: | IP address and TCP port on the remote FTP client |
see table |
IP address and TCP port of the control connection on the remote FTP client.
C-LOC: | IP address and TCP port of the control connection on the local FTP server |
see table |
IP address and TCP port of the control connection on the local FTP server.
The FTP server may have been reached with any of the IP addresses of the CPX. The value of the TCP port is c-port, currently fixed to the standard value 21.
D-STATE: | State of FTP server data connection |
see table below |
Possible states of the FTP server port data connection:
State | Description |
---|---|
READY | Data connection is free and ready to work. |
LIST | Data connection sends list of the directory (full format). LIST command processing. |
NLIST | Data connection sends list of the directory (short format). NLST command processing. |
STOR | Data connection receives file from FTP client. STOR command processing. |
STOU | Data connection receives file from FTP client and stores it to the unique file on the server. STOU command processing. |
APPE | Data connection receives file from FTP client and appends it to the existent file on the server. APPE command processing. |
RETR | Data connection sends file to the client. RETR command processing. |
PASVL | Data connection listens on a TCP port for a passive TCP connection to be established from the remote side. PASV command processing. |
D-REM: | IP address and TCP port on the remote FTP client, or on another FTP server |
see table |
IP address and TCP port of the data connection on the remote FTP client, or on another FTP server.
It is equal to 0.0.0.0:0 if the data connection is in READY state (data connection not established).
D-LOC: | IP address of the data connection on the local FTP server |
see table |
IP address of the data connection on the local FTP server.
The FTP server data connection may have been opened in PASV mode on any of the IP addresses of the CPX, or the
FTP server may have called the client from any of the router's addresses.
Usually data connections are accepted/opened with a local IP address equal to the one on which
the FTP client established the control connection.
It is equal to 0.0.0.0:0 if the data connection is in READY state (data connection not established).
USER: | User name of the established FTP client |
up to 32 characters, ftp, anonymous |
User name of the established FTP client, e.g. "konstantin", "leo", "ftp". It can be "anonymous" or "ftp" if anonymous clients are allowed (ANONYMOUS-USER parameter is set to PERMIT).
See also user authentication service.
CTRL-CHR: | Number of received/sent characters by FTP control session(s) |
0 - 4294967295 |
Total number of characters received (INPUT) or sent (OUTPUT) by FTP control session(s).
DATA-CHR: | Number of received/sent characters by FTP data session(s) |
0 - 4294967295 |
Total number of characters received (INPUT) or sent (OUTPUT) by FTP data session(s).
CTRL-PCK: | Number of received/sent packets by FTP control session |
0 - 4294967295 |
Total number of packets received (INPUT) or sent (OUTPUT) by FTP control session(s).
DATA-PCK: | Number of received/sent packets by FTP data session |
0 - 4294967295 |
Total number of packets received (INPUT) or sent (OUTPUT) by FTP data session(s).
COMMAND: | Number of valid FTP commands which were received by FTP control session(s) |
0 - 4294967295 |
Total number of valid FTP commands which were received by FTP control session(s) from the FTP client(s).
REPLY: | Number of FTP replies which were sent by FTP control session(s) |
0 - 4294967295 |
Total number of FTP replies which were sent by FTP control session(s) to the FTP client(s).
CP Layout | Variable name | Range | Description |
---|---|---|---|
IP:PORT, e.g. 192.168.000.002:1201 | IP | 0.0.0.0, 1.0.0.0 - 126.255.255.255, 128.0.0.0 - 223.255.255.255 | IP address |
 | PORT | 0-65535 | TCP port |
Class D and class E addresses are not supported.
You can get help information about FTP debug by executing the "debug po:ftp" or "debug po:ftp lsn:0" commands.
The next snapshot shows the CPX screen with the debug information of the FTP-server port after executing the command "debug po:ftp":
```
[16:02:14] ABILIS_CPX:debug po:ftp

PO:967 ------------------------------------------------------------------------
FTP BufferLength:254 Date/Time:06/01/2003 16:02:39 TraceTime:<NotRunning>
DEBUG PO:<FTP>
LSN:0           - This help
LSN:1           - Complete debug
LSN:2           - Statistics
LSN:3           - Session log
LSN:3 CMD:CLR   - Clear session log
LSN:3 CMD:SES:x - Shows events only for session "x"
```
You can get the statistics of the FTP server by executing the "debug po:ftp lsn:2" command.
The next snapshot shows the CPX screen with the FTP server port statistics after executing the command "debug po:ftp lsn:2":
```
[16:10:40] ABILIS_CPX:debug po:ftp lsn:2

PO:967 ------------------------------------------------------------------------
FTP BufferLength:1123 Date/Time:06/01/2003 16:10:53 TraceTime:<NotRunning>
------------------------------------------------------------------------
STATE:ACTIVE MAX-CLI:4
------------------------------------------------------------------------
Cumulative PLAIN and SSL
------------------------------------------------------------------------
CUR-CLI-CONNECTED:0 CUR-CLI-DATA:0 CUR-CLI-LOGGED:0
PEAK-CLI-CONNECTED:2 PEAK-CLI-DATA:0
------------------------------------------------------------------------
SSL specific
------------------------------------------------------------------------
SSL-CUR-CLI-CONNECTED:0 SSL-CUR-CLI-DATA:0 SSL-CUR-CLI-LOGGED:0
SSL-PEAK-CLI-CONNECTED:0 SSL-PEAK-CLI-DATA:0
------------------------------------------------------------------------
--CONTROL--+---INPUT---+--OUTPUT---+----DATA---+---INPUT---+--OUTPUT---|
CHR        |       247 |       883 |CHR        |         0 |       187 |
PCK        |        23 |        28 |PCK        |         0 |         3 |
COMMAND    |        23 |           |
REPLY      |           |        28 |
------------------------------------------------------------------------
```
To get the contents of the FTP server log buffer you can execute the "debug po:ftp lsn:3" command.
The next snapshot shows the CPX screen with the FTP server port log buffer after executing the command "debug po:ftp lsn:3":
```
[16:07:58] ABILIS_CPX:debug po:ftp lsn:3

PO:967 ------------------------------------------------------------------------
FTP BufferLength:3743 Date/Time:06/01/2003 16:07:58 TraceTime:<NotRunning>
------------------------------------------------------------------------
06.01 15:57:10 [1] Reply:220 Server ready
06.01 15:57:10 [1] Ctrl connection open:192.168.6.4:1066
06.01 15:57:10 [1] Command:USER admin
06.01 15:57:10 [1] Reply:331 Password required for admin
06.01 15:57:10 [1] Command:PASS admin
06.01 15:57:10 [1] Reply:230 User "admin" logged in
06.01 15:57:10 [1] User "admin" logged in. Home dir:"/"
06.01 15:57:10 [1] Command:SYST
06.01 15:57:10 [1] Reply:215 CPX Generation: 1
06.01 15:57:10 [1] Command:PWD
06.01 15:57:10 [1] Reply:257 "/" is current directory
06.01 15:57:10 [1] Command:TYPE A
06.01 15:57:10 [1] Reply:250 Type set to ASCII
06.01 15:57:10 [1] Command:PORT 192,168,6,4,4,43
06.01 15:57:10 [1] PORT command successful:192.168.6.4:1067
06.01 15:57:10 [1] Reply:200 Port command successful
06.01 15:57:10 [1] Command:LIST
06.01 15:57:10 [1] DATA open ACTIV L:192.168.6.10:20 R:192.168.6.4:1067
06.01 15:57:10 [1] Reply:150 Opening data connection for directory list
06.01 15:57:10 [1] Reply:226 Transfer complete
06.01 15:57:10 [1] Transfer complete. 65 bytes was sent
06.01 15:57:12 [1] Command:CWD sysdrives
06.01 15:57:12 [1] Reply:250 Command successful. "/sysdrives/" is current direct
ory
06.01 15:57:12 [1] Current directory:"/sysdrives/"
06.01 15:57:12 [1] Command:PORT 192,168,6,4,4,44
06.01 15:57:12 [1] PORT command successful:192.168.6.4:1068
06.01 15:57:12 [1] Reply:200 Port command successful
06.01 15:57:12 [1] Command:LIST
06.01 15:57:12 [1] DATA open ACTIV L:192.168.6.10:20 R:192.168.6.4:1068
06.01 15:57:12 [1] Reply:150 Opening data connection for directory list
06.01 15:57:12 [1] Reply:226 Transfer complete
06.01 15:57:12 [1] Transfer complete. 57 bytes was sent
06.01 15:57:14 [1] Command:CDUP
06.01 15:57:14 [1] Reply:250 Command successful. "/" is current directory
06.01 15:57:14 [1] Current directory:"/"
06.01 15:57:14 [1] Command:PWD
06.01 15:57:14 [1] Reply:257 "/" is current directory
06.01 15:57:21 [1] Command:telnet 192.168.6.10
06.01 15:57:21 [1] Reply:500 Command telnet is unknown
06.01 15:57:21 [1] Command telnet is unknown
06.01 15:57:38 [1] Command:CWD sysdrives
06.01 15:57:38 [1] Reply:250 Command successful. "/sysdrives/" is current direct
ory
06.01 15:57:38 [1] Current directory:"/sysdrives/"
06.01 16:00:30 [2] Reply:220 Server ready
06.01 16:00:30 [2] Ctrl connection open:192.168.6.5:1614
06.01 16:00:30 [2] Command:USER admin
06.01 16:00:30 [2] Reply:331 Password required for admin
06.01 16:00:30 [2] Command:PASS admin
06.01 16:00:30 [2] Reply:230 User "admin" logged in
06.01 16:00:30 [2] User "admin" logged in. Home dir:"/"
06.01 16:00:30 [2] Command:SYST
06.01 16:00:30 [2] Reply:215 CPX Generation: 1
06.01 16:00:30 [2] Command:PWD
06.01 16:00:30 [2] Reply:257 "/" is current directory
06.01 16:00:30 [2] Command:TYPE A
06.01 16:00:30 [2] Reply:250 Type set to ASCII
06.01 16:00:30 [2] Command:PORT 192,168,6,5,6,79
06.01 16:00:30 [2] PORT command successful:192.168.6.5:1615
06.01 16:00:30 [2] Reply:200 Port command successful
06.01 16:00:30 [2] Command:LIST
06.01 16:00:30 [2] DATA open ACTIV L:192.168.6.10:20 R:192.168.6.5:1615
06.01 16:00:30 [2] Reply:150 Opening data connection for directory list
06.01 16:00:30 [2] Reply:226 Transfer complete
06.01 16:00:30 [2] Transfer complete. 65 bytes was sent
06.01 16:02:15 [2] Command:QUIT
06.01 16:02:15 [2] Reply:221 Goodbye
06.01 16:02:15 [2] Ctrl connection close
06.01 16:02:38 [1] Inactive time-out expired
06.01 16:02:38 [1] Ctrl connection close
```
To get the complete debug information of the FTP server (statistics and log buffer) you can execute the "debug po:ftp lsn:1" command.
You can also clear the debug information from the log buffer by executing the "debug po:ftp lsn:3 cmd:clr" command.
To show debug events only for FTP session x you can execute the "debug po:ftp lsn:3 cmd:ses:x" command, where x is the identifier of the FTP session of interest.
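The session log shown by "debug po:ftp lsn:3" records every control command, so it can be reviewed offline for the conditions that the REJ-1024 and SAME-IP parameters are meant to refuse, and for passwords echoed by PASS lines. The following Python sketch is an added example, not Abilis code; the function name `audit_session_log` and the sample log lines are constructed for illustration and only follow the layout of the log above.

```python
import re

# Constructed sample in the layout of the "debug po:ftp lsn:3" session log.
SAMPLE_LOG = """\
06.01 15:57:10 [1] Ctrl connection open:192.168.6.4:1066
06.01 15:57:10 [1] Command:USER admin
06.01 15:57:10 [1] Command:PASS admin
06.01 15:57:10 [1] Command:PORT 192,168,6,4,4,43
06.01 15:58:02 [2] Ctrl connection open:192.168.6.5:1614
06.01 15:58:02 [2] Command:USER leo
06.01 15:58:03 [2] Command:PORT 192,168,6,77,0,22
06.01 15:58:04 [2] Command:PORT 192,168,6,5,3,255
"""

LINE = re.compile(r"^(\d\d\.\d\d \d\d:\d\d:\d\d) \[(\d+)\] (.*)$")
PORT_ARG = re.compile(r"^Command:PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)


def audit_session_log(text):
    """Return (session, timestamp, finding) tuples for risky events."""
    peers = {}      # session id -> client IP of the control connection
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue            # wrapped continuation lines, banners, rulers
        ts, sess, event = m.group(1), int(m.group(2)), m.group(3)
        if event.startswith("Ctrl connection open:"):
            peers[sess] = event.split(":", 1)[1].rsplit(":", 1)[0]
        elif event.upper().startswith("COMMAND:PASS "):
            findings.append((sess, ts, "password recorded in clear text"))
        elif (p := PORT_ARG.match(event)):
            n = [int(x) for x in p.groups()]
            if any(v > 255 for v in n):
                findings.append((sess, ts, "malformed PORT argument"))
                continue
            ip, port = ".".join(map(str, n[:4])), n[4] * 256 + n[5]
            if ip != peers.get(sess):   # what SAME-IP:YES refuses
                findings.append((sess, ts, f"PORT to foreign host {ip}:{port}"))
            if port < 1024:             # what REJ-1024:YES refuses
                findings.append((sess, ts, f"PORT to reserved port {ip}:{port}"))
    return findings


if __name__ == "__main__":
    for finding in audit_session_log(SAMPLE_LOG):
        print(*finding)
```

A PORT command seen before any "Ctrl connection open" line for its session (for example after the buffer was cleared) is reported as a foreign host, because the client address is unknown.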
Long file names may consist of any combination of letters, digits, or character values greater than 127 (0x7F).
In particular, the following special characters are ALSO allowed:
Character | ASCII Hex. value |
---|---|
$ | 0x24 |
% | 0x25 |
' | 0x27 |
- | 0x2D |
_ | 0x5F |
@ | 0x40 |
~ | 0x7E |
` | 0x60 |
! | 0x21 |
( | 0x28 |
) | 0x29 |
{ | 0x7B |
} | 0x7D |
^ | 0x5E |
# | 0x23 |
& | 0x26 |
. | 0x2E |
+ | 0x2B |
, | 0x2C |
; | 0x3B |
= | 0x3D |
[ | 0x5B |
] | 0x5D |
Embedded spaces within file names are also allowed, while leading and trailing spaces are ignored.
The following characters are NOT allowed:
Character | ASCII Hex. value |
---|---|
\ | 0x5C |
/ | 0x2F |
: | 0x3A |
* | 0x2A |
? | 0x3F |
" | 0x22 |
< | 0x3C |
> | 0x3E |
\| | 0x7C |