FTP user folder selection

Jelle458

Cadet
Joined
Aug 9, 2023
Messages
9
I just set up a truenas core (TrueNAS-13.0-U5.3) which is virtualized using ESXi. I already have the SSDs for the storage behind a storage controller running RAID 5, but I still added 2 storage drives and running them in stripe. I figured it doesn't matter as the actual storage is already in RAID 5. This is my first time with truenas, and the guide for setting up wanted 2 hard drives.

The only reason I am doing it is because I want an FTP server running on its own VM, and both Windows and Linux options didn't work for me (constant timeout or crashing of FTP server) so I turned to a NAS OS that can do it.

Truenas does it, and I got it working. I added some users and they can access the created pool, all is well.

However what I don't understand is why, when connected to the FTP I get files which have no names, but with extensions like ".login" ".profile" ".cshrc". I'm guessing these are files used for the user.

Am I able to set another folder, where all my users access, and don't see these files? All my users will have write permission and it wouldn't be good if these files were deleted I think.
I have backup of the data also, and planning to do some snapshots setup later, I am still setting everything up, and I won't be worried if users delete data they shouldn't, except for the profile files of course.

My pool is /mnt/FTP and for now my user is just ftpuser. Directory for ftpuser is /mnt/FTP/ftpuser. I tried to create a new dataset under the pool I have created, and I called it "ftp" (with small letters). Setting directory for ftpuser to this gets me the same files when I logon to the FTP server with this username.

Is this possible at all?
 

artlessknave

Wizard
Joined
Oct 29, 2016
Messages
1,506
I already have the SSDs for the storage behind a storage controller running RAID 5
NO. if you are putting truenas storage on RAID please turn around and rethink your life choices.
you need to do some serious reading as what you have described is planning to fail.
".login" ".profile" ".cshrc".
these are names. "extensions" is a windows term to make file types easier to see - and then MS hides them by default from users. any valid character is a valid file name.
these, specifically, are hidden files used to set user profile preferences, that would normally only be visible with ls -a.

you can set which directory users will start in and which they have access to with FTP (I don't know it well)


for what purpose are you using ESX instead of just truenas?

if linux is crashing, something else is very wrong. a linux vm running FTP should not have issues whatsoever.

something like openmediavault would be a better choice
 

Jelle458

Cadet
Joined
Aug 9, 2023
Messages
9
Thanks for your answer and time, I appreciate it. This is not my first time with virtualization or server configuration, but it is my first time with Truenas.

NO. if you are putting truenas storage on RAID please turn around and rethink your life choices.
you need to do some serious reading as what you have described is planning to fail.
I am putting it behind a RAID because Truenas isn't running bare metal. I have a RAID controller running RAID 5 which is used as datastore for ESXi. I have no other way to get RAID working as ESXi doesn't have built in RAID, nor does it have ZFS. My understanding is that this is how you use ESXi.
The data is not super important, it will be constantly rotating, and nothing mission-critical.

these are names. "extensions" is a windows term to make file types easier to see - and then MS hides them by default from users. any valid character is a valid file name.
these, specifically, are hidden files used to set user profile preferences, that would normally only be visible with ls -a.
It would be nice to hide these files then. I didn't do ls -a. I log onto the FTP server using port 21, and I set passive ports to 5000 - 10000. When I get into the ftp folder I see these files. I guessed they were profile settings, and I'd like to hide them from the FTP folder. I used filezilla as FTP client, and it works from the outside.

you can set which directory users will start in and which they have access to with FTP (I don't know it well)
This is what I wanted to do. Select a different folder for all my users to connect to, so they don't see one user's profile settings files, and possibly delete those. I bet if I delete them they'd come back, but if I could set an empty folder that would help a lot.
All users should see the same folder, and is just used to share some files. The backup is somewhere else so if users delete something they shouldn't I am also not worried about that.

for what purpose are you using ESX instead of just truenas?
I want to run various virtual machines on one server, and since I don't know truenas I started out with ESXi because I have experience with this.

if linux is crashing, something else is very wrong. a linux vm running FTP should not have issues whatsoever.
I tried to install Windows in a vm and set up FTP server. I used Windows 10 Pro. I found guides for FileZilla server, followed them to-the-letter, and I am unable to connect even through LAN.
I also found a guide to use Windows' built-in FTP server. Again using this guide to-the-letter and I can't connect, timeout on connection.
Then I tried to install ubuntu on a vm, and I found a guide for setting up vsftpd. Again I followed the guide to-the-letter. Copy-pasting in commands and creating the same user as in the guide. End result was systemctl status vsftpd said "failed", and I could not connect to the FTP, again timeout.
I then wanted to install Qnap QTS for FTP server (becoming desperate), but the installation I found was for vmware workstation, not ESXi so the boot file didn't work.
Then I ended up on Truenas, because I just wanted that damn FTP server running. And with Truenas the FTP came right on up, and forwarding ports working just fine and I can now connect to it from the outside. I just need to get rid of those profile files and I'm golden.

something like openmediavault would be a better choice
I have never heard of openmediavault before. Maybe it's a better choice, but if I run into the same "problem" then it's a bit moot. I am where I want to be, just need to connect to a different folder which doesn't contain user settings.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
In FTP settings, is the "always chroot" box ticked? if so, perhaps try removing that tick.
 

Jelle458

Cadet
Joined
Aug 9, 2023
Messages
9
In FTP settings, is the "always chroot" box ticked? if so, perhaps try removing that tick.

Removing the tick made the ftpuser account able to access the root directory. Can I force one directory for all users, so they can't access anything else?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Under the Service configuration, in the Advanced Options | Auxiliary Parameters, put this text:

Code:
<Directory />
  HideFiles ^\.
</Directory>
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Removing the tick made the ftpuser account able to access the root directory. Can I force one directory for all users, so they can't access anything else?
Use the chroot tick, but with the advanced option I mention above to remove the .xyz files
 

Jelle458

Cadet
Joined
Aug 9, 2023
Messages
9
I am unable to edit my previous post, but I forgot to add a bonus question:

When connecting from the outside using filezilla, it wouldn't let me connect before I set min and max port for passive mode, and forwarded those ports to the internal IP address.
But when I connect using filezilla now, it does work, but I think I have some setup issue as I am getting the error:

Server sent passive reply with unroutable address. Using server address instead.

I don't get this error when connecting locally. I did read about this, and I think I need to put my WAN IP somewhere in Truenas so it doesn't tell Filezilla client to try and connect to the local address when from the outside.

Does anyone know? Maybe it's just a matter of forwarding other ports, only 21 and 5000:10000 are forwarded.
I don't have a certificate, and I didn't enable TLS.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I did read about this, and I think I need to put my WAN IP somewhere in Truenas so it doesn't tell Filezilla client to try and connect to the local address when from the outside.
Maybe try putting that in the masquerade address in the settings?
 

Jelle458

Cadet
Joined
Aug 9, 2023
Messages
9
Maybe try putting that in the masquerade address in the settings?
Doing this worked great! The connection is now made extremely fast and it just works.

However now I am unable to connect locally:
Status: Connecting to 192.168.1.105:21...
Status: Connection established, waiting for welcome message...
Status: Insecure server, it does not support FTP over TLS.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is the current directory
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (X,X,X,X,38,131).
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
I'm guessing because of no reverse DNS. Is there a way to solve this?
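
Added example, not part of any post in this thread: a Python sketch that decodes the `227` passive reply shown in the log above and approximates the client-side decision behind both symptoms (the "unroutable address" fallback from outside, and the LAN timeout once a masquerade address is set). `203.0.113.10` is a constructed placeholder for the WAN address; the function names and the fallback logic are assumptions for illustration, not FileZilla's or ProFTPD's code.

```python
import ipaddress
import re

# RFC 1918 ranges, listed explicitly so documentation addresses are not
# misclassified (ipaddress.is_private also matches 203.0.113.0/24).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def is_lan(addr):
    return any(addr in net for net in RFC1918)


def parse_pasv(reply):
    """Decode a 227 reply into (IPv4Address, port); port = p1 * 256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 passive reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("octet out of range in %r" % reply)
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]


def data_target(reply, control_peer, passive_range=(5000, 10000)):
    """Return (ip, port, notes) for the data connection a client would open."""
    ip, port = parse_pasv(reply)
    peer = ipaddress.IPv4Address(control_peer)
    notes = []
    if not passive_range[0] <= port <= passive_range[1]:
        notes.append("port outside the forwarded passive range")
    if is_lan(ip) and not is_lan(peer):
        # Server advertised its LAN address to an outside client.
        notes.append("unroutable address advertised, falling back to server address")
        ip = peer
    elif is_lan(peer) and not is_lan(ip):
        # Masquerade address handed to a LAN client: data connection goes to the WAN IP.
        notes.append("WAN address advertised to LAN client, needs NAT reflection")
    return str(ip), port, notes


WAN = "203.0.113.10"        # constructed placeholder for the masquerade address
LAN = "192.168.1.105"       # server LAN address from the client log above
if __name__ == "__main__":
    print(data_target("227 Entering Passive Mode (192,168,1,105,38,131).", WAN))
    print(data_target("227 Entering Passive Mode (203,0,113,10,38,131).", LAN))
```

The `38,131` pair from the log decodes to port 9859, inside the forwarded 5000 - 10000 range, so the timeout in the second case comes from the advertised address rather than from the port.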
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I'm guessing because of no reverse DNS. Is there a way to solve this?
I guess we're now getting into the area of virtual servers being needed in the config (where you define fqdns for a remote server and how to connect based on each fqdn)... I'm afraid I lose interest in learning about the topic at that point, so I would direct you to the proftpd documentation to work that one out.

It may be that you just need a router/firewall that will do loopback DNS or mdns together with your NAT in a way that makes the external IP work equally for internal clients. (pfSense calls this NAT reflection, I understand that Unifi also has the option, can't tell you what it may be called on your firewall or if it has that feature)
 

Jelle458

Cadet
Joined
Aug 9, 2023
Messages
9
I see, it seems like it's not just a setting somewhere. I do run pfsense on a server as the only router on the network, but I will look elsewhere for this, now that Truenas FTP is working great it is beyond the scope of these forums as well I think.

Thank you very much for your help, it is greatly appreciated!
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I do run pfsense on a server as the only router on the networ
So when you say you did the port forwards, you did that via a NAT entry on pfSense?

Then you should just be able to set the NAT reflection options on that NAT config item (probably only needed for the port 21 entry).
 

Jelle458

Cadet
Joined
Aug 9, 2023
Messages
9
Yes, I did do the forwards via Firewall -> NAT. When I activate NAT reflection "Enable (NAT + Proxy)" I get the following error:

The following input errors were detected:
  • The submitted interface does not support the 'Any' destination type with enabled NAT reflection.
I did put the address to "any", that is the only way I actually got the forwarding working. Maybe you know what I can choose here?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I did put the address to "any", that is the only way I actually got the forwarding working. Maybe you know what I can choose here?
As I understand it, you want to see WAN_ADDRESS as the destination on your NAT rules (rather than "any")... usually inbound traffic is coming to your firewall's WAN IP address (the one you entered in the masquerade address in the FTP service).
 

artlessknave

Wizard
Joined
Oct 29, 2016
Messages
1,506
I have a RAID controller running RAID 5
avoiding ZFS on RAID isn't just about data integrity, it's also about not fighting with weird issues, often intermittent, for no reason other than that it was designed to fail from the start.
your mileage will vary, but if it does what you want...w/e.
 

Jelle458

Cadet
Joined
Aug 9, 2023
Messages
9
As I understand it, you want to see WAN_ADDRESS as the destination on your NAT rules (rather than "any")... usually inbound traffic is coming to your firewall's WAN IP address (the one you entered in the masquerade address in the FTP service).
This did not work. I still can't connect locally. I do not fully understand this yet so I will read up on it to figure it out, possibly ask on pfsense forums. For now if I need local access I know how to get it, so thank you very much for all your help!
ZFS on RAID isn't just about data integrity, it's also about not fighting with weird issues, often intermittent, for no reason other than that it was designed to fail from the start.
your mileage will vary, but if it does what you want...w/e.
It does what I want for now, but I appreciate your inputs, something to look into if I ever want to run Truenas for something else.
 