ioFTPD leech issue


kathorga
04-15-2011, 01:37 PM
Hey, I have people having problems with leeching using stat-l, stat-al:
[1] 501 PORT command failed: Transfer to specified network address is not allowed.

It works only with upnp unabled.
It's from external ip's, ports opened correctly

Does anyone know why?

FTPServerTools
04-15-2011, 03:03 PM
For the PORT command to work you need to allow a port command range through the router. ioFTPD does not send UPnP commands to the firewall, thus it works if you set a fixed range of ports (and set the same range in ioFTPD). If you set UPnP then, depending on the brand of router, the fixed port settings may be overruled. Note, some routers do handle fixed and UPnP ports together properly...

Yil
04-15-2011, 07:24 PM
kathorga: I'm not sure you've described the problem correctly, but this should fix your problems. There are 2-3 reasons (details below) why users might have trouble transferring files. Users who use list -al transfer directory listings in the same way so they would have problems getting listings, BUT stat -al users wouldn't see a problem because the listing goes over the control connection so I don't see how they couldn't be getting listings. Stat users would just think things are fine until they tried to transfer files which might be why you think it only applies to them.

FTPServerTools brings up the point you need to make sure the PASV port range is forwarded in your router. That's necessary, but in this case it most likely isn't your problem yet.

Are you trying to connect to the server locally via a 192.168.*.* address or via 127.*.*.* and transferring in active mode using the PORT command? If so that action will be denied for security reasons. Check out the ioFTPD.ini and the Changelog for info on the 'Deny_Port_Host' feature. Simple solution is to just use PASV mode and tell your FTP client software to 'Use host IP' for the connection because if you are behind a router the HOST= settings in the .ini file should be setup to give out your external IP and not all routers forward internal packets destined for your external IP back correctly. There are several methods to FXP between two locally routed servers if that is required, search the forums/changelog for the Deny_Port_Host feature.

Most likely your problem is that the user's FTP Client trying to talk to the server isn't configured correctly. If they are using active (PORT) mode and they tell the server to connect back to them via a 192.168.* or 127.* address that is clearly wrong, it won't work. Besides the fact that it won't work at all, it will also be rejected by the Deny_Port_Host feature because it's a security risk and will generate the error they are seeing. Just tell them to switch to PASV transfers. Otherwise they need to configure their FTP Client to send their external IP instead of their host's internal IP, and they need to probably set the port range to use locally and make sure they forward them in their router. Just using PASV mode is much easier :) Either way this is technically THEIR problem, and not yours.

zrezur
04-16-2011, 05:50 AM
Gentlemen,
I (userxxx) am trying to connect to Kathorga's FTP. I'm attaching the log from this session below.

A couple of details about the topology of the network:
- My computer is behind the router (82.160.XXX.XXX)
- Kathorga's FTP server is behind the router (88.199.XXX.XXX) as well.
- The private IP of Kathorga's FTP server (as you can see in the log) is 192,168,12,120.
- The admin of Kathorga's network should forward all ports from the range 40000-42000 to Kathorga's server

I suspect that the port forwarding on the router is not working properly.

What do you think?


[R] Connected to Jaqb
[R] 220 FTP Server ready.
[R] AUTH SSL
[R] 234 AUTH SSL successful.
[R] Connected. Negotiating SSL session
[R] TLSv1 negotiation successful...
[R] TLSv1 encrypted session using cipher ECDHE-RSA-AES256-SHA (256 bits)
[R] PBSZ 0
[R] 200 PBSZ 0 successful.
[R] USER userx
[R] 331 Password required for userx.
[R] PASS (hidden)
[R] 230-User userx from 82.160.XXX.XXX, welcome to our FTP server.
[R] 230-
[R] 230-ioFTPD activity:
[R] 230-
[R] 230- Users online : 2
[R] 230- Active transfers : 0
[R] 230- Uptime : 16 hours, 2 mins, 39 secs
[R] 230-
[R] 230-Enjoy your stay.
[R] 230 User userx logged in.
[R] SYST
[R] 215 UNIX Type: L8
[R] FEAT
[R] 211-Extensions supported:
[R] AUTH SSL
[R] AUTH TLS
[R] CLNT
[R] CPSV
[R] LIST -1aAdflLRsTU
[R] MDTM
[R] MDTM YYYYMMDDHHMMSS filename
[R] PBSZ
[R] PROT
[R] REST STREAM
[R] SIZE
[R] SSCN
[R] STAT -1aAdflLRsTU
[R] TVFS
[R] XCRC filename;start;end
[R] 211 END
[R] CLNT FlashFXP 4.0.0.1545
[R] 200 Noted.
[R] PWD
[R] 257 "/" is current directory.
[R] TYPE I
[R] 200 Type set to I.
[R] SIZE file.dat
[R] 213 9112575
[R] MDTM file.dat
[R] 213 20100928124632
[R] PROT P
[R] 200 Protection set to: Private.
[R] PASV
[R] 227 Entering Passive Mode (192,168,12,120,163,124)
[R] Opening data connection IP: 88.199.XXX.XXX PORT: 41852
[R] Data Socket Error: Connection refused
[R] Transfer Failed!
[R] SIZE file.dat
[R] 213 9112575
[R] MDTM file.dat
[R] 213 20100928124632
[R] PASV
[R] 227 Entering Passive Mode (192,168,12,120,157,109)
[R] Opening data connection IP: 88.199.XXX.XXX PORT: 40301
[R] Data Socket Error: Connection refused
[R] Transfer Failed!
1 File Failed

Yil
04-16-2011, 06:11 AM
I agree that it looks like a problem with port forwarding at first glance. The interesting thing to me is that you don't get a timed out connection attempt. Most home routers play dumb and drop packets they aren't set to forward rather than reject the connection so seeing the refused message isn't what I would have expected. The most likely cause of something like that is for people who have more than 1 computer behind a NAT firewall and they are forwarding the ports to the wrong computer... That usually happens because they don't set a fixed private IP like 192.168.12.10 or something and instead rely on DHCP to give them an IP address which can change over time especially if you have a wireless router.

I should also point out Kathorga's FTP really should be giving out the 88.199.x.x address when it responds to the PASV command. This is done via the HOST= setting in the .ini file. Either set it to the static external IP if you have one, or set it to a name like name.no-ip.org and use the no-ip updater to keep it updated.
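
Added example (not part of any post in this thread, and not ioFTPD's own code): a Python sketch that decodes the h1,h2,h3,h4,p1,p2 tuple from the two 227 replies in zrezur's log and from a PORT command, then applies the checks discussed above. The deny patterns and PASV range are copied from the ioFTPD.ini posted in this thread; the control-connection address 198.51.100.7 and the PORT sample are constructed, and all function names are hypothetical.

```python
import ipaddress
import re
from fnmatch import fnmatch

# Copied from the posted ioFTPD.ini: the default Deny_Port_Host ranges named
# in its comment, and the PASV range from "Ports = 40000-42000".
DEFAULT_DENY = ["10.*", "172.16.*", "192.168.*", "127.*"]
PASV_RANGE = (40000, 42000)

# The two 227 replies from zrezur's session log.
LOG_PASV = [
    "227 Entering Passive Mode (192,168,12,120,163,124)",
    "227 Entering Passive Mode (192,168,12,120,157,109)",
]

_HOSTPORT = re.compile(
    r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)"
)


def decode_hostport(line):
    """Return (ip, port) from the h1,h2,h3,h4,p1,p2 tuple in a 227 reply or PORT command."""
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("field above 255 in %r" % line)
    # The port is sent as two bytes, high byte first.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def glob_denied(ip, patterns=DEFAULT_DENY):
    """Glob-style match as the ini comment describes; 0.0.0.0 alone disables the check."""
    if list(patterns) == ["0.0.0.0"]:
        return False
    return any(fnmatch(ip, p) for p in patterns)


def non_routable(ip):
    """Stricter reference check using the standard library's address classes."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback


def check_port_command(command, patterns=DEFAULT_DENY):
    """Model of the server-side decision for an active-mode PORT request."""
    ip, port = decode_hostport(command)
    return {"target": (ip, port), "allowed": not glob_denied(ip, patterns)}


def analyse_pasv(reply, control_ip, port_range=PASV_RANGE):
    """Client-side view of a 227 reply.

    A private address in the reply means Host= is not giving out the external
    IP; clients such as FlashFXP then fall back to the control-connection IP,
    which is what the log shows.
    """
    ip, port = decode_hostport(reply)
    private = non_routable(ip)
    return {
        "advertised": (ip, port),
        "advertised_private": private,
        "connect_to": (control_ip if private else ip, port),
        "port_in_range": port_range[0] <= port <= port_range[1],
    }


if __name__ == "__main__":
    for reply in LOG_PASV:
        # 198.51.100.7 is a constructed stand-in for the masked external IP.
        print(analyse_pasv(reply, "198.51.100.7"))
    # Constructed PORT command pointing at a LAN address.
    print(check_port_command("PORT 192,168,1,50,195,80"))
    # The pattern list as written in the comment covers 172.16.* only.
    print(glob_denied("172.20.0.1"), non_routable("172.20.0.1"))
```

Both ports from the log decode to values inside 40000-42000, so the refused connections are consistent with a forwarding problem on the router rather than a mismatch with the configured range. The last line shows that a deny list written exactly as in the ini comment would not match 172.20.0.1, although that address is inside the private 172.16.0.0/12 block.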

kathorga
04-16-2011, 06:57 AM
OK guys, here is my ioFTPD.ini.
At HOST I tried local, external and my.no-ip address, still the same.
Please check if the rest is set up correctly.
Another friend said that FXP works pretty well without UPnP enabled, leeching still not working..


###
### This is the main configuration file for ioFTPD.
### -----------------------------------------------
###
### Note from Yil:
### I've put in a number of useful pieces of information and attempted
### to document a few options as well as added some new ones. I suggest
### reading the whole thing through once before changing anything as
### details on user flags, permission matching, etc are spread throughout
### the file and are often not defined before their first use. I instead
### chose to document formats where they are first seriously used to make
### looking things up easier where you're likely to make future changes.
###
### NOTE: The first 2 sections you MUST setup/examine as they include ports
### that must be forwarded in any routers/firewalls you may have...
###
###
### WARNING: ioFTPD doesn't report errors reading this configuration file
### ------- very well. Before making any changes backup this file, make
### the change, and if something isn't working right revert back
### to the known good version.
###
### Lines starting with a # or ; are considered comments. Single number
### or True/False settings can be followed with a # comment on the same line
### since only the first word is processed. Most string settings cannot
### reliably accept comments on the same line so don't add any that aren't
### already there.
###
###
### the ioFTPD FAQ can be found in the knowledge base:
### http://www.inicom.net/pages/en.ioftpd-kb.php
###
### documentation on ioFTPD is available:
### http://www.inicom.net/pages/en.ioftpd-documentation.php
###
### you can also visit the ioFTPD user's and developer's forum:
### http://www.inicom.net/forum
###
### a description of this file format is available from wikipedia:
### http://en.wikipedia.org/wiki/INI_file
###
###


###############################################################################
################################# DEVICES #################################
###############################################################################
#
# A device is used by a service (ftp, or http) to specify connection
# information such as which address and ports to bind to, and whether to shape
# outgoing traffic.
#
# By default, the only device is the "Any" device, configured to bind
# to all local ip addresses and to use a reasonable port range for ftp
# passive connections that you MUST forward in routers/firewalls.
#
#
# Find the case that best matches your network setup:
#
# A) You connect directly to your ISP with either a static or dynamic
# external IP address and you can see it when you look at configured
# network interfaces. I.e. the address when you look at the interface
# in My Network Places doesn't match 192.168.*.*.
# Host = 0.0.0.0
#
# B) You are behind a hardware NAT firewall such as linksys, netgear, etc
# and have a static IP address.
# Host = external-IP
#
# C) You are behind a hardware NAT firewall with a dynamic IP address and
# do not use a dynamic DNS service. See detailed notes below.
# Host = 0.0.0.0
#
# D) You are behind a hardware NAT firewall with a dynamic IP address and
# you DO use a dynamic DNS service (like the free no-ip.org, etc).
# Host = my.host.com
#
# Details:
# 1) ioFTPD uses the IP address found through the Host= line for PASV
# connections. If you happen to be behind a router and thus have a local
# IP address like 192.168.*.* using Host=0.0.0.0 will stuff your 192 addr
# into the PASV response. This is clearly wrong, but so many FTPs are
# misconfigured this way that FlashFXP v3+ and many other clients
# automatically use the IP originally used to connect to the site when
# they see this which masks the problem for most users.
# 2) Case C is best handled by just giving out the bogus 192 address and
# letting FTP clients deal with it, although I suggest you setup a
# free dynamic DNS resolver instead!
# 3) Host=name for dynamic IP address works with no-ip, etc if you avoid
# the startup race condition by making sure ioFTPD starts only after
# the update has been done and propagated. Hard to guarantee, but a
# site rehash or the next &ConfigUpdate scheduler event in 15 minutes
# or less will fix this problem so it's not too bad.
#
# IMPORTANT NOTE!!!
# -----------------
# If your server has a 192.168.* style IP address because you are behind a
# NAT firewall/router and you are connecting locally to the FTP server on
# the same machine, or from another machine behind the router then you may
# experience problems with PASV connections. This is because a properly
# configured server must reply to PASV commands using your EXTERNAL IP.
# Local connections cannot be tested for because the client may be attempting
# to FXP which requires the external address must be sent. If your router
# doesn't recognize and properly redirect attempts to talk to yourself then
# things won't work...
#
# To solve this problem simply configure the site in your FTP client to
# "Use site IP for PASV connections" (in FlashFXP it's under site->options).
# This should fix the problem for you.

# DEVICE 'Any'
[Any]

# Host=<local ip/hostname> - your external IP address if known
Host = 88.XXX.XXX.XXX

# Bind=<local ip/hostname> - Specifies a specific network interface that
# sockets/connections should use. Should only be needed in rare
# situations on multi-networked computers or weird PPPoE setups, etc.
# This address is never communicated to clients directly, and Host=
# still determines the reply to use in PASV responses.
;Bind = 0.0.0.0

# A comma separated list of individual ports or port ranges (x-y) to use in
# response to PASV connection transfer requests.
# *** IF YOU ARE BEHIND A ROUTER/FIREWALL YOU MUST FORWARD/ALLOW THESE PORTS
# FOR PASSIVE FILE TRANSFERS TO WORK!!! ***
Ports = 40000-42000

# If not false then randomize the allocation of PASV ports. Should almost
# always be true.
Random = True

# This option allows you to control which ports the server uses for outgoing
# connections. If Out_Ports is undefined that means use the old default of
# Port-1 for the service (defined below) initiating the connection. However
# to avoid "Connection closed: Only one usage of each socket address
# (protocol/network address/port) is normally permitted" errors caused by the
# receiving server or FTP client not having a large enough port range you can
# specify additional local ports to use. An Out_Ports of 0 means use any
# port which for almost all cases eliminates the problem and is the new
# preferred setting unless you have a router/gateway that needs you to limit
# the outgoing ports.
# NOTE: Only the first single or range of ports is used.
Out_Ports = 0

# Max total server bandwidth to use, leave commented out for no limit
;Global_Inbound_Bandwidth = 10000
;Global_Outbound_Bandwidth = 10000
# default per client connection bandwidth, no limit if commented out
;Client_Inbound_Bandwidth = 100
;Client_Outbound_Bandwidth = 50

# List the complete FTP FEAT response line(s) you wish to suppress here
# except for the LIST/STAT commands which ignore everything after the '-'
# because the list of valid -options can now vary depending on the user.
# Since there are two MDTM lines use MDTM-- to suppress the plain MDTM line.
;Feature_Suppression =



###############################################################################
################################ SERVICES #################################
###############################################################################
#
# the services section is used to configure the ftp and http services.
#

#############
# FTP SETUP #
#############
[FTP_Service]
Type = FTP

# Name of "Device" configured above to bind to when listening for client
# connections.
Device_Name = Any

#-------------------------------------------------------------
# The port for people to connect to your FTP on.
# *** You MUST forward this port as well in your router!!! ***
#-------------------------------------------------------------
Port = 21
# NOTE: Port-1 will be used for all active outgoing connections if you
# need to allow these explicitly in a router.

User_Limit = 10
Allowed_Users = *
Messages = ..\text\ftp

#
# Encryption - See "Permissions" section below for syntax. The default
# allows anyone to connect to the server without TLS/SSL.
#
# To force everyone (a good idea!) to use secure connections except for
# the default ioFTPD account which is configured to only allow connections
# from the same machine as the server use
# Require_Encrypted_Auth = !-ioFTPD *
# Require_Encrypted_Data = !-ioFTPD *
#
Require_Encrypted_Auth = !*
Require_Encrypted_Data = !*

# >>>>>>>>>>>> SSL CHANGE THIS <<<<<<<<<<<<<<
#
# Name of the SSL certificate to use for this service. If at the very top
# you have a HOST= line that is anything other than 0.0.0.0 you don't need
# to explicitly set this as the server will try to load a cert with the
# specified HOST= name and if that fails it will try the default of "ioFTPD".
#
# NOTE: You can now use "site makecert" and "site removecert [name]" to
# manipulate installed certificates.
Certificate_Name = ceryfikatename

# If no certificate was found at all and this is 'True' then at startup
# try to create a new certificate automatically and load it for use.
# Default is False.
Create_Certificate = True

# If undefined or 'True' the server will respond with a clear text FTP
# greeting and users will send the 'AUTH TLS' or 'AUTH SSL' commands to
# enable encryption. If set to 'False' then assume implicit encryption which
# means negotiate TLS/SSL immediately before any text is sent. You most likely
# want to leave this with the default 'True' setting.
Explicit_Encryption = True

# You can limit the TLS/SSL negotiation method to: SSL2, SSL3, or TLS.
# I strongly suggest leaving this undefined (the default) to support all 3
# methods. If you do modify this you should also consider passing the
# appropriate NO_SSLv2, NO_SSLv3, and/or NO_TLSv1 options to the library
# via the OpenSSL_Options feature below.
# WARNING: This also affects data connections to/from the service.
;Encryption_Protocol = SSL3

# You can specify any v1.0 OpenSSL option flag to modify the encryption
# library's behavior. Arguments are separated by "|" and the "SSL_OP_" prefix
# should be left off. The complete list of options is available at:
# http://www.openssl.org/docs/ssl/SSL_CTX_set_options.html
# The 2 suggested options are:
# ALL - enable all compatibility options to work around broken SSL
# implementations.
# NO_TICKET - Disable RFC4507bis tickets for stateless session resumption.
# FlashFXP disabled this because of issues with some Java SSL
# implementations so I figure we should do the same.
OpenSSL_Options = ALL|NO_TICKET

# You can control which ciphers are available. Documentation is available at:
# http://www.openssl.org/docs/apps/ciphers.html
# The default of "DEFAULT:!LOW:!EXPORT" excludes anything under 128 bits.
# NOTE: This affects both control and data connections!
OpenSSL_Ciphers = DEFAULT:!LOW:!EXPORT

# Active mode data transfers require the server to create connections to the
# user specified IP/Port. For security reasons the server should be prevented
# from connecting back to itself or initiating connections to any machine
# behind a firewall. By default the server will block access to the following
# non-routable private IP ranges: 10.* 172.16.* 192.168.* and the loopback
# interface 127.*. To disable this feature entirely just specify 0.0.0.0
# as the host to block. You may however specify a custom list of IP addresses
# or ranges using glob-style wildcards provided you don't skip any numbers
# when enumerating them via 'Deny_Port_Host_<num>'. <num> starts at 1.
;Deny_Port_Host_1 = 127.*
;Deny_Port_Host_2 = 192.168.*.*
;Deny_Port_Host_1 = 0.0.0.0

# IDNT command restricted to use by these hosts. You may list up to 10 IP
# addresses or hostnames (i.e. BNC_HOST_10) without skipping numbers.
# You may use wildcards.
;BNC_HOST_1 = 127.0.0.1

# List of "devices" configured above to use for data transfers, none means
# use Device_Name as data device.
;Data_Devices =

# Traffic Balancing: use random or round robin among configured Data_Devices
;Random_Devices = True



###############################################################################
################################# NETWORK #################################
###############################################################################

[Network]
# list of services (you just defined them above!) to start
Active_Services = FTP_Service

# If Ident_Timeout set to 0 the server won't send any IDENT requests,
# in which case you'll need "*@..." for all user hostmasks or you need
# to enable the Ignore_Hostmasks_Idents option.
Ident_Timeout = 5 # Set ident timeout (10)
Hostname_Cache_Duration = 1800 # Seconds cached hostname is valid
Ident_Cache_Duration = 600 # Seconds cached ident is valid (1800)

# Ignore ident portion of hostmasks. If you set this to true then the system
# will ignore any ident difference and just examine the host/IP portion of
# the hostmask.
Ignore_Hostmask_Idents = False

# To be removed from the ban list a user MUST NOT attempt to connect during
# the temp ban time else he'll just keep pushing the ban farther out...
Connections_To_Ban = 6 # 6 connections without a reset and
# IP is temp banned (5)
Ban_Counter_Reset_Interval = 60 #
Temporary_Ban_Duration = 300 # Seconds host remains banned

# Maximum time to suppress log entries for the same reason from the same IP.
# Default is 10.
;Max_Log_Suppression = 10

# Number of minutes to increase the delay between each suppressed message
# until Max_Log_Suppression is reached. Default is 1 additional minute per.
# You can now array to get 1,2,etc messages per Max_Log_Suppression window
# which with large values means you can reduce logfile spam if needed.
;Log_Suppression_Increment = 9

# this controls how often the socket bandwidth scheduling thread is run. If
# you are not limiting bandwidth then this can be disabled.
# Valid values: HIGH/NORMAL/LOW/DISABLED
Scheduler_Update_Speed = HIGH

# List of space separated wildcard IP/hosts that are immune from banning.
# NOTE: There is a difference between IP addresses and hostname masks. The
# decision about whether to reject an address for too many connection
# attempts (i.e. auto-ban) is made immediately after the connection is
# established. This means that the reverse DNS lookup to get the
# fully qualified hostname hasn't even started yet (unless a cached
# answer is still around and valid). This is usually fine since you
# obviously can't be banned on the first attempt, but if you tried 10
# connection attempts all at the same time this might result in a ban
# and rejection for some of them until the name finally resolves.
# Once the name has been resolved the next connection attempt will
# ignore and clear the temp ban.
# NOTE: 127.0.0.1 is always immune.
Immune_Hosts = 192.168.*.*


# Permission list for users whose IP/host masks should be immune from auto-
# banning. Essentially this is the same as collecting up all the IP/host
# parts of the matching user's hostmasks and automatically specifying them as
# Immune_Hosts. The user list and associated IP/hosts are only updated at
# startup and rehashes.
# WARNING: just one user with *@* or something similar (or changed to that
# later on!) will effectively turn off auto-banning and thus use of
# this option is discouraged!
;Immune_Users = I


# Requirements/rules for adding IP masks by the specified users. You can
# have up to 20 consecutive entries starting at 1 which will be processed in
# numerical order with the first satisfied rule allowing the change. If
# no rule is matched then the change is prohibited and the user shown a list
# of valid rules for them. If Secure_Ip_1 is not defined everything is
# acceptable for backward compatibility.
#
# Format: <ident> <type> <min-fields> <users>
# <ident> = 0 -> User ident not required (*@...)
# 1 -> User ident must be supplied (ident@...)
# <type> = 0 -> Only sets of numeric IPs allowed
# 1 -> Allow fully qualified hostnames (...@hostname)
# 2 -> Allow fully qualified hostnames that will be resolved
# at login time allowed (:ident@hostname).
# 3 -> any hostname/IP (may include wildcards OR be dynamic)
# <min-fields> = Minimum number of non-wildcard fields separated by periods.
# NOTE: A fully qualified hostname doesn't need to pass the minimum field
# test so <type>'s 1 and 2 ignore the <min-fields> argument.
#
# Master accounts can do whatever they want, but if they don't match a rule
# the log entry and status message will indicate that a "master override"
# was used.
#
# If you want to support *@* and other such things without that message
# set this rule to match M (or whoever else) accounts instead of nobody (!*).
;Secure_Ip_1 = 0 3 0 !*

# Allow *@1.2.*.* or ident@1.2.*.* or more specific style masks
;Secure_Ip_2 = 0 0 2 G1M

# Allow ident@foo.bar.com style masks
;Secure_Ip_3 = 1 1 0 G1M

# Allow dynamic :ident@foo.bar.com style masks
;Secure_Ip_4 = 1 2 0 G1M

# Allow ident@*.bar.com style masks
;Secure_Ip_5 = 1 3 2 G1M

# NOTE: Only M accounts can set *@* with these defaults


# Maximum number of worker threads to use to resolve hosts. If you raise
# this make sure to raise the number of Worker_Threads at the top of the
# file to a larger value to keep from creating/destroying threads.
Max_Resolver_Threads = 2

# If a user hostmask begins with a colon ":" and is a hostname without any
# wildcards then during the login event you can control what happens.
# undefined -> do nothing
# "NEVER" -> do nothing
# "KNOCKED" -> only do lookups if the user has successfully KNOCKED.
# "ALWAYS" -> always lookup the specified hostname
Dynamic_DNS_Lookup = ALWAYS

# If Dynamic_DNS_Lookup is set to KNOCKED/ALWAYS or you are using an external
# user module then in theory someone could watch for delayed responses to
# the login command and try to statistically determine usernames. To prevent
# this you can set this to the maximum number of seconds to randomly delay
# all responses to the login command.
;Random_Login_Delay = 5

# Set this to true to automatically disconnect connections from hosts who
# do not match any user's IP/host mask.
;Reject_Unknown_Ips = True

# When using Reject_Unknown_Ips there is no way to even get to a login prompt
# if your IP has changed. This can now be a common problem for people using
# dynamic hostmasks. The solution is a very simple knock-knock system which
# will add the knocking IP to a temporary list so you can connect.
# Knocking essentially means connecting via TCP to between 1 and 5 ports in a
# short amount of time (60 seconds per). This can easily be done in most FTP
# programs by just setting up fake ftp servers on the knock ports and trying
# to connect in order, or by using the ioKnock GUI on windows machines.
#
# NOTE: You must connect in order! Thus using at least 3 non-sequential ports
# means a sequential port scan won't trigger the knock and produce a
# prompt on the real FTP port.
;Knock_1 = 14123
;Knock_2 = 11123
;Knock_3 = 12123

# How many elements of the dotted IP address should be obscured with * in
# the logfiles. IP=1.2.3.4 with 1 -> 1.2.3.*, 2 -> 1.2.*.*, 3 -> 1.*.*.*
# and 4 -> -hidden-.
;Obscure_IP = 2

# How many elements of the dotted hostname should be obscured with * in
# the logfiles. NAME=baz.foo.bar.com with 1 -> *.foo.bar.com, 3 -> *.*.*.com
# and if the name is totally obscured -hidden- will be shown instead.
;Obscure_Host = 1

# Log OpenSSL library errors during transfer to Debug.log. Default is false.
Log_OpenSSL_Transfer_Errors = True



###############################################################################
################################# SECTIONS ################################
###############################################################################

[Sections]
## Maximum of 25 different credit sections ##
#
# <alias> = <credit section #> <path>
# <alias> = <credit section #> <stats section #> <path>
# <alias> = <credit section #> <stats section #> <share section #> <path>
#
# <alias> -> name to use for this path
# <credit section #> -> section number to use for looking up user's ratio
# <stats section #> -> section number to apply up/down statistics to, if
# not defined then same as credit section.
# <share section #> -> section number to add/subtract credits, if not
# defined then same as credit section
#
# Sections are looked up one of two ways: by path or by stats section.
# In either case the first match found by processing the entries in
# the order listed is used. Thus the first path that matches the current
# directory determines the credit, stat, and share section numbers so
# more specific paths should come first. When using the cookie
# %[SectionName(#)] the <alias> field of the first line with a matching
# <stats section #> is the name used.
#
# Examples:
#
# Default = 0 0 0 *
#
# The trivial case. Just one section defined. Nice and simple.
#
# Movies = 1 1 0 /Xvid/*
# Movies = 1 1 0 /DVDR/*
# Default = 0 0 0 *
#
# This server has two sections (0-1) and shows how you can have multiple
# distinct paths be part of the same section. Notice the 0 as the third
# integer for all three entries. This means that credits for up/downloading
# are controlled by the user's section 0 credits but the ratio to apply
# varies based on the user's associated section ratio. So if the user has a
# 1:3 ratio for both section 0 and 1 it will appear as if the server isn't
# using sections at all since their credits will work the same anywhere.
# However it's possible that a user could have 1:3 ratio for section 1, and
# leech for section 0 which would mean that particular user needs credits
# for movie downloading but can grab anything else for free. The second
# integer means movie up/down transfer statistics are tracked separately
# which is particularly useful in this case with some users having leech
# on particular sections.
#
# Games = 3 2 2 /XBOX/*
# Games = 2 2 2 /Games/*
# Movies = 1 1 0 /Xvid/*
# Movies = 1 1 0 /DVDR/*
# Default = 0 0 0 *
#
# This setup defines four sections (0-3). The key here is that the "Games"
# section is actually made up of two sections that share credits distinct
# from the rest of the server and can apply different up/down ratios based
# on whether it's a PC game or an XBOX game.
#
# Games = 0 2 0 /XBOX/*
# Games = 0 2 0 /Games/*
# Movies = 0 1 0 /Xvid/*
# Movies = 0 1 0 /DVDR/*
# Default = 0 0 0 *
#
# This setup is actually a really simple case. It uses section 0 for ratio
# and credits everywhere, but tracks up/down statistics based on path.
# This can be rather useful information when viewing the userfile to
# see who up/downs where.

Default = 0 0 0 *



###############################################################################
################################### VFS ###################################
###############################################################################
# ioFTPD uses unix-style permissions, meaning there is a user and group id
# which determines the access rights for a file or directory. Permissions
# are specified with the standard octal numeric representation of the
# read/write/execute bits for user, group, and other.
#
# When looking at a directory listing you will see lines starting with:
#
# drwxr-xr-x 2 user group
# -rwxrwxr-x 1 user group
# ^^ ^ ^
# || | |
# || | --- permissions for everyone
# || ------ permissions for people in the same group as the file
# |--------- permissions for the owner of the file
# ---------- d for directory, - for file, l for symbolic link
#
# r = means you can read the file
# w = means you can delete/write to the file
# x = for directories means you can enter the directory.
#
# To get the numeric representation of the permission just add up the octal
# bits for each trio of permissions for owner,group, or other...
# 421
# rwx = 7
# rw- = 6
# r-x = 5
# r-- = 4
#
#
# format: <filemode> <owner uid>:<owner gid>
#

[VFS]
# The default is to give everyone just read access to all files and
# directories and set the default owner of files to the ioFTPD account.
#
# format: <filemode> <owner uid>:<owner gid>
#
Default_Directory_Attributes = 755 0:0
Default_File_Attributes = 644 0:0

# If a file is manually deleted (not wiped, but specifically deleted) then
# subtract the filesize from appropriate day, week, month, alltime transfer
# stats for the user who uploaded the file.
Modify_Stats_On_Delete = False

# The server now supports 3 modes for handling NTFS directory junctions and
# symbolic links.
# IGNORE : Treats all directories the same which means the server isn't
# aware of NTFS reparse points at all [old method].
#
# SHARE : Make the server aware of NTFS reparse points so it can just keep
# a link to the target directory instead of a completely separate
# directory listing in the dir cache. This mode also allows the
# NTFS junction/symbolic link timestamp to be updated correctly
# because it's aware that the time we are interested in is that of
# the target directory and not the reparse point itself. For
# servers with a lot of 'sorted' style links this will reduce
# memory usage. NTFS reparse points still show up in directory
# listings as plain directories. [new default for the moment]
#
# SYMLINK: This is effectively 'SHARE' mode as far as the directory cache
# itself is concerned. When displaying the directory in listings
# it should be shown as if it were an ioFTPD symbolic link to the
# target directory. To me this is the preferred way to view the
# listing, however extra processing is required to determine the
# target of the link because NTFS junctions use real directory
# paths and the server must return a VFS path just as ioFTPD
# symbolic links do. Therefore a real->symbolic path converter is
# used on the fly as the reversal is VFS mountfile dependent.
#
# NOTE: 'SYMLINK' mode has a real advantage over 'SHARE' mode. Because
# the listing is clear that you are dealing with a link and not a real
# directory you can safely and easily delete the link. In FTP clients
# like Flash, Rush, etc this results in a simple file delete and they
# won't ask permission, or try, to descend into the directory and start
# deleting its contents so it can remove the directory itself. This
# is particularly important because doing so would remove the only
# copy of the files as they are actually in the target directory.
#
# WARNING: For the moment reverse VFS resolving used in 'SYMLINK' mode
# requires the target directory be exported in the .vfs file else
# it won't be reversible.
#
# NTFS junctions (which are a type of reparse point):
# http://en.wikipedia.org/wiki/NTFS_junction_point
# NTFS symbolic links (available on Vista+ as a type of reparse point):
# http://en.wikipedia.org/wiki/NTFS_symbolic_link
#
# IMPORTANT: If you use a script or if the server supports creating NTFS
# symbolic links in the future please see the above symbolic link
# article on how to enable the creation of symbolic links by
# regular users and non-elevated admins which is something you want
# to do for the account running ioFTPD. NTFS junctions which are
# what most scripts use don't seem to require special permissions.
#
# Windows Explorer in Windows XP and before shows NTFS junctions (it doesn't
# support NTFS symlinks) as regular directories. In Vista+ they show up
# the same as shell shortcuts ( .lnk files) which makes them far more useful
# since you realize you are dealing with a link and unlike ioFTPD symlinks you
# can access the target directory by simply clicking on it.
#
# IGNORE, SHARE, SYMLINK
NTFS_Reparse_Method = SYMLINK


# This safety feature only works when 'NTFS_Reparse_Method' is set to 'SHARE'
# or 'SYMLINK'. When enabled it prevents accessing files and directories that
# are not explicitly exported via the VFS file. Thus a NTFS junction/symlink
# to c:\Windows wouldn't work since it's unlikely you actually put that into a
# VFS file. This is a safety feature for use with NTFS reparse points and
# doesn't affect ioFTPD symbolic links because they already had to be valid
# VFS paths and thus resolvable via the .vfs file.
VFS_Exported_Paths_Only = True



###################
### PERMISSIONS ###
###################

# These are RAW permissions. You must have permission here to even attempt
# the indicated operation. After this check is made the finer grained
# individual file or directory based access rights are applied. Thus this
# section is for coarse grained access such as the entire /Incoming tree,
# or the entire /Pub directory, etc.
#

# Detailed permissions for directories:
# privilege = <virtual path> <rights>
#
# <rights>: * -> everyone
# - -> specific user
# = -> specific group
# ! -> don't allow whatever immediately follows
# 0-9,A-Z -> Matches users who have the associated user flag
#
# NOTE: Permissions are processed from start to end and the first matching
# is used. Thus more specific rules must come before catch-alls.

# Here's an example of a generally Read Only server with a /Incoming
# directory that allows regular users (the 3 flag) to upload just
# to directories under /Incoming. If you want people to be able to
# upload anywhere just change /Incoming/* to /*.
Upload = /Incoming/* 31VM
Resume = /Incoming/* 31VM
MakeDir = /Incoming/* 31VM
RemoveDir = /Incoming/* 1VM
RemoveOwnDir = /Incoming/* 31VM
Rename = /Incoming/* 1VM
RenameOwn = /Incoming/* 31VM
Overwrite = /Incoming/* 1VM
Delete = /Incoming/* 1VM
DeleteOwn = /Incoming/* 31VM

# This defines everything else as Read Only for regular users.
Upload = /* 1VM
Resume = /* 1VM
MakeDir = /* 1VM
RemoveOwnDir = /* 1VM
RemoveDir = /* 1VM
Rename = /* 1VM
RenameOwn = /* 1VM
Delete = /* 1VM
DeleteOwn = /* 1VM

# nobody can overwrite a file, they must delete it and resend
Overwrite = /* !*
NoStats = /* !*

# nobody can modify the timestamp of files
TimeStamp = /* !*
TimeStampOwn = /* !*

# anybody can download anything...
Download = /* *

#NoFxpOut = /* *
#NoFxpIn = /* *



[Virtual_Dirs]
# <path> = [ "<perm>" ] TCL <script>
# NOTE: <path> must be absolute (start with a /) and can't be the root dir '/'
# NOTE: <perm> is an optional flag-style permission string that acts like the
# hidden/private directory feature and controls who can see the dir.
# NOTE: Virtual dir changes cannot be rehashed, you must restart the server.
# See Changelog for documentation on arguments passed to the script.
# If you use nxTools, copy the nxSearch.itcl file from the /source directory
# into the /scripts directory and uncomment this line for a simple search
# feature.
;/Search = TCL ..\scripts\nxSearch.itcl



[VFS_PreLoad]
# By default the server now preloads all the directories used as mountpoints
# in the default VFS file indicated by [Locations]/Default_Vfs. If you want
# additional directories loaded include lines here with the form:
# <depth-to-descend> = <starting-VFS-path>
# A depth of 1 just means the directory itself, 2 would be the dir and all
# its immediate subdirs, etc.

# If you wish to resolve all paths defined here using a VFS file other than
# [Locations]/Default_Vfs then define a line like "VFS = <vfs-file>".
# To completely disable preloading specify the name as 'DISABLE'.
;VFS = DISABLE

# If you wish the server to finish preloading all these directories before
# accepting connections, define the line "DELAY = TRUE". This is useful
# if you mount lots of networked folders with large fanouts and it takes
# minutes to load them all and the client would time out the initial directory
# listing. On the other hand, ioGUI will be unable to connect at startup.
;DELAY = TRUE


###############################################################################
########################### FTP CUSTOM COMMANDS ###########################
###############################################################################

[FTP_Custom_Commands]
# define new "site" commands here!
#
# SITE <trigger> [%^]<parameters>
#
# trigger = !file # Show file
# trigger = @string # Alias
# trigger = EXEC script.exe [<args>] # Execute file.exe with optional args
# trigger = TCL script.itcl [<args>] # Execute file.itcl with optional args
# trigger = %EXEC/TCL ... [<args>] # translate cookies found in args
# trigger = ^<parameters> # Override option: Process as above, but
# do NOT execute any built-in site
# command of the same name as trigger.
#
## Examples
# welcome = !..\text\ftp\welcome.msg
# rehash = @config rehash
# exec = EXEC ..\scripts\exec.bat
# myinfo = %TCL ..\scripts\whoami.itcl %[$user]
# cat = TCL ..\scripts\showfile.itcl
#

## Aliases
alldn = @stats alldn
allup = @stats allup
daydn = @stats daydn
dayup = @stats dayup
monthdn = @stats monthdn
monthup = @stats monthup
wkdn = @stats wkdn
wkup = @stats wkup
rehash = @config rehash
free = @freespace

# ioGUI
ioGuiExt = TCL ..\scripts\ioGuiExt.itcl
#ioGuiExt = EXEC ..\scripts\ioGuiExt.exe



###############################################################################
############################# FTP PERMISSIONS #############################
###############################################################################
#
# Permissions take the form throughout
# <rights>: * -> everyone
# - -> specific user
# = -> specific group
# ! -> don't allow whatever immediately follows
# 0-9,A-Z -> Matches users who have the associated user flag
#
# The builtin user flags are:
# 'M' - MASTER
# 'V' - VFS ADMINISTRATOR
# '1' - SITEOP
# 'G' - GROUP ADMIN RIGHTS
# 'F' - FXP DENIED (DOWNLOAD)
# 'f' - FXP DENIED (UPLOAD)
# 'L' - SKIP USER LIMIT PER SERVICE
# 'A' - ANONYMOUS
#
# Conventions for other user flags:
# '3' - Regular users (the default for ioGUI created users)


[FTP_Command_Permissions]
# Control access to builtin (non "site") commands.
;noop = !Z *


[FTP_SITE_Permissions]
# Control access to "site" commands.

addip = G1M
adduser = G1M
bans = 1M
chattr = VM
chgrp = 1M
chmod = GV1M
chown = VM
close = 1M
color = !A *
config = M
crashnow = M
delip = G1M
deluser = G1M
devices = M
dircache = 1VM
findip = 1M
freespace = !A *
gadduser = G1M
ginfo = G1M
groups = G1M
grpadd = 1M
grpdel = 1M
grpren = 1M
grprevert = 1M
help = *
ioverify = M
ioversion = 1M
kick = G1M
kill = 1M
knock = !A *
loadsymbols = M
makecert = M
myinfo = !A *
open = 1M
passwd = !A *
perms = !A *
purge = G1M
readd = G1M
refresh = 3GV1M
removecert = M
renuser = 1M
sectionnum = !A *
services = M
shutdown = M
size = 3GV1M
stats = !A *
swho = 1M
symlink = 3GV1M
tagline = !A *
uinfo = G1M
uptime = !A *
users = G1M
who = !A *




# aliases
rehash = M
alldn = !A *
allup = !A *
daydn = !A *
dayup = !A *
monthdn = !A *
monthup = !A *
wkdn = !A *
wkup = !A *
free = !A *

# ioGUI
ioGuiExt = M



[Change_Permissions]
admingroup = 1M
credits = 1M
DnSpeed = 1M
Expires = G1M
flags = 1M
groupdescription = 1M
groupslots = 1M
groupvfsfile = M
homedir = G1M
LimitPerIp = 1M
logins = 1M
MaxDownloads = 1M
MaxUploads = 1M
Opaque = 1M
passwd = G1M
ratio = G1M
stats = M
speedlimit = 1M
tagline = G1M
UpSpeed = 1M
vfsfile = M



###############################################################################
################################### FTP ###################################
###############################################################################
# For idle settings I suggest either:
# Idle_TimeOut = 360
# Idle_Ignore = NOOP
#
# Or something along the lines of
# Idle_TimeOut = 600
# Idle_Ignore = NOOP CWD PWD LIST NLST STAT PASV
# In this case if the user hasn't actually done something besides wander
# around the filesystem looking at directories he/she is disconnected.

[Ftp]
# String to return for %[SITENAME] message cookie which is used to customize
# messages seen by the user for your site.
Site_Name = ioFTPD

Idle_TimeOut = 360 # no activity timeout -> auto logout
# These commands don't reset the idle counter
Idle_Ignore = NOOP
# permission flag to specify users who should be immune from the idle timer
Idle_Exempt = -ioFTPD
Login_Attempts = 3 # attempts before forced disconnect
Login_TimeOut = 15 # disconnect user who hasn't managed
# to login within this many seconds

# This is the default size (it grows if needed) for internal buffering.
# It probably should be a multiple and at least as large as the data
# socket send size. Since internal buffers are used for directory listings
# it should be larger than the space needed for the largest single directory
# listing to avoid growing it. 32k min.
Transfer_Buffer = 131072

# This is the size of the TCP send/receive socket buffers. Because TCP
# advertises these values as part of the TCP protocol they can affect
# performance. Slow and/or poor quality connection should use small
# buffer sizes since retransmission of dropped packets involves resending
# or receiving all the data over again from the first lost byte...
# High speed / high quality connections achieve better performance with
# larger values. The max is 64k. As an example FlashFXP uses 8k send
# and 32k recv. If you aren't maxing out your bandwidth on a try adjusting
# these upwards.
DataSocket_Send_Buffer = 32864
DataSocket_Recv_Buffer = 32864
# This is the size of the send/receive socket buffer for the command channel
# which usually never gets much bulk use. An exception would be clients who
# use "stat -l" to list directories. In that case for the send value use the
# datasocket send buffer size.
Socket_Send_Buffer = 4096
Socket_Recv_Buffer = 1024
DataSocket_Nagle = False

# Set this permission flag to enable the -R option to LIST. Users asking
# for a larger number of directories to be listed can be time consuming and
# resource intensive. For larger servers you may wish to enable this only
# for admins and/or a script to generate a listing every few hours and drop
# it into the root directory for people to download.
Allowed_Recursive = *

# in xferlog hide the hostname field of the transfer entry, (default=false)
;Hide_Xfer_Host = True

# Set this to True to prevent ioFTPD from computing the size of files in
# subdirectories whenever you CWD into a directory or LIST one.
;No_SubDir_Sizing = True

# Set this to false if you don't have an onUploadComplete event or the
# script/executable you are using ignores the computed value.
Compute_CRC = True

# Users matching this expression will be allowed to login to a "closed"
# server. Permission style format: [-user, =group, FLAG, !thing, ...]
# Defaults to "M" if undefined.
Close_Exempt = 1M

# Users matching this expression will be hidden from "site who". Users style
# format: [user, username*, =group, .FLAG, !thing, ...]
;Who_Hidden_Users = sitebot

# Paths matching these expressions will be replaced with <hidden> in "site
# who". Format is Who_Hide_Path_N = /path/*, etc. Limit of 20 paths.
;Who_Hidden_Paths_1 = /PRE/*

# Set this to True to display "Your IP/hostname is not authorized" instead
# of the generic "Invalid Password" error message if a user tries to login
# to an account but doesn't match any of the hostmasks.
;Show_HostMask_Error = True

# String to display via the %[ratio()] cookie when user's ratio is 0.
# Change requires restart to pick up new value, default is "Leech".
# NOTE: site uinfo/myinfo special cases the default (Leech) to display in
# an aligned column, or you can use up to 9 chars and it displays in
# its own wider column. Greater than 9 and you'll need to modify the
# [UserInfo, MyInfo].Section files to format it properly.
;LeechName = Unlimited

# ioFTPD used to always resolve symbolic links when it came across them. This
# is faster, but doesn't work well with pure virtual directories and with
# 'sorted' style dirs. By default the server will now keep symbolic links
# in the user's current path, but will continue to also track the fully
# resolved path for permission checking, script use, etc. I think users will
# find this more intuitive. Note: change takes effect only for new logins.
# /sorted/dir1 -> /movies/dir1
# CWD /sorted/dir1
# Disabled: PWD => /movies/dir1, CDUP => /movies
# Enabled : PWD => /sorted/dir1, CDUP => /sorted
#
# NOTE: The shared memory CLIENT structure which is essentially unchanged
# since v5 continues to use the fully resolved path. This may cause
# some issues when used by some EXEC scripts that process user input
# that contain relative links if this option is enabled.
Keep_Links_In_Paths = True

# Enable the ADD, DELETE, INSERT, REPLACE, and SAVE options of the
# 'site config' command.
Enable_Config_Commands = False

# Enable the placement of additional information into the ONLINEDATA shared
# memory structure that doesn't affect the alignment of any existing fields.
# If 3rd party shared memory EXEC scripts or dlls incorrectly display the
# transfer status then disable this option and see if that fixes the problem.
OnlineData_Extra_Fields = True

# The MDTM command can be used to modify the timestamp of files and the access
# checks 'TimeStamp' and 'TimeStampOwn' cover the usual cases, however you
# may wish to allow users to modify the timestamp of the last file uploaded
# even if those checks fail. The main reason this is useful is when
# zipscripts remove +w access from an uploaded file that was verified and/or
# modify the owner of the file. In both those cases the normal checks would
# fail. It's also somewhat useful if the zipscript doesn't modify anything
# but you don't wish the user to change the timestamp later on, but don't mind
# them doing it right after upload. There isn't any other way to express
# that. The default is FALSE which disallows the exception.
;Enable_TimeStamp_On_Last_Upload = TRUE


# Number of seconds between network events (send or receive of bytes) before
# a data channel transfer should be timed out. Default is 2 minutes.
Data_Timeout = 120

# You can modify the behavior of the 'site chmod' command. Master accounts
# can do anything under any setting so are not mentioned.
# Default : Require +w to parent of item being modified, and non-VFS admins
# must own the item being modified.
# WriteOnly: Require +w to parent of item being modified (no owner check).
# NoChecks : Can modify anything provided you can see it.
# The 'Default' setting is the original behavior and the default.
Chmod_Check = WriteOnly

# These definitions are run through the message cookie parser and used in
# the header or footer of site/help commands that contain a bounding box
# around the output (like 'site who'). Size must be under 40 chars.
Site_Box_Header = %[SAVE]%[THEME(BOX)]%[T(1)][ %[SITENAME] - %[SITECMD] ]%[RESTORE]
Site_Box_Footer = %[SAVE]%[THEME(BOX)]%[T(1)][ %[SITENAME] - %[SITECMD] ]%[RESTORE]

Help_Box_Header = %[SAVE]%[THEME(BOX)]%[T(1)][ %[SITENAME] Help ]%[RESTORE]
Help_Box_Footer = %[SAVE]%[THEME(BOX)]%[T(1)][ %[SITENAME] Help ]%[RESTORE]



###############################################################################
################################## HELP ###################################
###############################################################################
#
# List of .ini formatted help files to use when looking up site commands.
# The first argument is a list of FLAGS (no user or group specifications!) or
# "*" for everyone, that the user asking for help must match for that file to
# be searched through. 3rd party addon scripts designed for use only by
# SiteOps or other privileged users may find this an easy way to prevent the
# server from searching/display info in the help file.
# The second argument is the name/path to the file and are relative to the
# current working directory of ioFTPD.
#
# When information about a specific command (or general topic) is requested
# the following steps are performed:
# 1) Verify permissions for the command, if permissions were found and the
# user is not authorized then reject the request. Topics will not have
# permission information and will thus not be rejected.
# 2) Lookup command/topic by name going through each file listed here in
# order that the user has permission to search. If a match is found then
# process it and return.
# 3) If lookup failed, check to see if command is an alias, if so then
# print a little "alias -> cmd [args]" line pointing the user in the
# right direction for getting help on it.
# 4) Lookup "NOT_FOUND" by name going through each file listed here in order
# and that the user has permission to search. If a match is found then
# process it and return.
#
# The text extracted from the .ini file is passed through the normal message
# cookie processor so color/themes are available for formatting the output
# and dynamic information about server configuration or user settings may be
# examined or displayed.
#
# For complete details see doc/Helpfiles.txt.

[Help]
* = Help-SiteCmds.ini
;* = Help-nxTools.ini
;* = Help-ioNiNJA.ini



###############################################################################
################################ LOCATIONS ################################
###############################################################################
#
# locations are relative to the current working directory of ioFTPD.
# these relative paths presume that ioFTPD has been launched from the
# system\ directory in the ioFTPD folder.
#

[Locations]
User_Id_Table = ..\etc\UserIdTable
Group_Id_Table = ..\etc\GroupIdTable
Hosts_Rules = ..\etc\Hosts.Rules

User_Files = ..\users
Group_Files = ..\groups
Log_Files = ..\logs

Default_Vfs = ..\etc\default.vfs
Environment = ..\etc\ioftpd.env

# Path to directory to create CRASH-Log.txt, MINIDUMP* and TINYDUMP* files.
# If this is not defined, doesn't point to a valid directory, or a crash
# occurs during initial startup then the directory where ioFTPD.exe is
# located is used.
;Crash_Dir = ..\logs

# If True then only generate the CRASH-Log.txt file and the TINYDUMP* file.
# TinyDump's are several hundred K, whereas MiniDumps are several MBs if
# using dbghelp.dll v6.2+ (or tens of MB if using the default XP dll).
;TinyDump_Only = True

# When writing stack backtrace information to CRASH-Log.txt it's nice to
# see correct function names instead of just addresses. Tiny/Minidumps
# can always retrieve the correct information.
#
# With no help the stack trace for the original thread in ioFTPD looks like:
# ID: 3708 [00130000-0012fe94]
# # 1: 7C90EB94 -> [ntdll + DB94] ? KiFastSystemCallRet() + 0x0
# # 2: 00416B50 -> [ioFTPD + 15B50]
# # 3: 00443219 -> [ioFTPD + 42219]
# # 4: 7C816FD7 -> [kernel32 + 15FD7] ? RegisterWaitForInputIdle() + 0x49
#
# If the ioFTPD.pdb, tcl84t.pdb, etc files are in the directory where
# ioFTPD.exe is run from then function names and line numbers can be
# displayed for those files. Resulting in:
#
# ID: 1212 [00130000-0012fe94]
# # 1: 7C90EB94 -> [ntdll + DB94] ? KiFastSystemCallRet() + 0x0
# # 2: 00416B50 -> [ioFTPD + 15B50] ProcessMessages() + 0x40
# [c:\projects\ioftpd6\6.3.0\src\internalmessagehandler.c, line 106]
# # 3: 0041A2E0 -> [ioFTPD + 192E0] CommonMain() + 0x30
# [c:\projects\ioftpd6\6.3.0\src\main.c, line 250]
# # 4: 0041A723 -> [ioFTPD + 19723] WinMain() + 0x273
# [c:\projects\ioftpd6\6.3.0\src\main.c, line 390]
# # 5: 00443219 -> [ioFTPD + 42219] __tmainCRTStartup() + 0x177
# [f:\sp\vctools\crt_bld\self_x86\crt\src\crt0.c, line 324]
# # 6: 7C816FD7 -> [kernel32 + 15FD7] ? RegisterWaitForInputIdle() + 0x49
#
# The ? indicates dll's that do not have loaded debugging info and thus the
# name printed is the first previous exported symbol which is often correct
# for the entry point into a library but usually wrong after that.
#
# With system symbol searching enabled the same stack looks like:
# ID: 364 [00130000-0012fe94]
# # 1: 7C90EB94 -> [ntdll + DB94] _KiFastSystemCallRet@0() + 0x0
# # 2: 7E4191BE -> [USER32 + 81BE] _NtUserGetMessage@16() + 0xC
# # 3: 00416B50 -> [ioFTPD + 15B50] ProcessMessages() + 0x40
# [c:\projects\ioftpd6\6.3.0\src\internalmessagehandler.c, line 106]
# # 4: 0041A2E0 -> [ioFTPD + 192E0] CommonMain() + 0x30
# [c:\projects\ioftpd6\6.3.0\src\main.c, line 250]
# # 5: 0041A723 -> [ioFTPD + 19723] WinMain() + 0x273
# [c:\projects\ioftpd6\6.3.0\src\main.c, line 390]
# # 6: 00443219 -> [ioFTPD + 42219] __tmainCRTStartup() + 0x177
# [f:\sp\vctools\crt_bld\self_x86\crt\src\crt0.c, line 324]
# # 7: 7C816FD7 -> [kernel32 + 15FD7] _BaseProcessStart@4() + 0x23
#
# Notice that even the number of stack frames is incorrect without access
# to the .pdb file for optimized code.
#
# The best way to solve this is to allow ioFTPD access to system .pdb files
# through a symbol store. Basically you just define a local cache directory
# and then enable the downloading of missing .pdb files from MS itself which
# makes them available for just this purpose.
# This is usually done through the environmental variable _NT_SYMBOL_PATH.
# I don't like this for two reasons. The first is ioFTPD might be running as
# a service which makes specifying this tricky, and the second is there is
# really no reason to lookup for a symbol file that doesn't exist more than
# once (i.e. most 3rd party .dll's loaded such as php4ts.dll).
#
# The command "site LoadSymbols" will CRASH ioFTPD much like "site crashnow"
# does except it will force the resolving of all modules and display
# additional information such as the path to the debugging files found.
# I suggest you set Symbol_Path to download symbols from MS, issue "site
# LoadSymbols", then reset Symbol_Path to just examine the local cache so it
# won't attempt connections again. Before it attempts to contact MS the
# first time you should get a popup-box asking for permission along with the
# relevant legal crap.
#
# Symbol_Path is specified exactly like _NT_SYMBOL_PATH. The ioFTP.exe
# directory is automatically prepended and this is used as the complete
# and final path to search.
#
# Examine just our locally cached symbols
;Symbol_Path = c:\MySymbols
# Download debugging information from MS and store it locally
;Symbol_Path = srv*c:\MySymbols*http://msdl.microsoft.com/download/symbols



###############################################################################
################################# THREADS #################################
###############################################################################

# This section heavily based on a post by darkone.
#
# Here's a brief explanation, that explains what threads do, but doesn't
# explain their relationship with other threads, such as timer or socket
# scheduler.
#
# I/O threads are used exclusively for I/O activity so everything besides
# I/O related actions are handled in other threads. Since I/O threads are
# set to run at a higher priority than other threads in the process this
# ensures that performance is not limited by non-I/O related activity.
#
# Encryption threads are used exclusively for encryption, decryption and
# integrity checking (crc calculations). Data is dispatched from I/O threads
# to encryption threads, in a continuous stream. Which means, there's lots of
# interactions between these two types of threads.
#
# Worker threads handle almost everything else. Timer jobs (timer is managed
# in another thread), client input parsing (yes, I/O threads do not parse
# input themselves), client command responses, scripts, etc... This pool is
# the only pool that has dynamic size, and dynamic priorities (pool might
# temporarily grow beyond the specified limit, to ensure that jobs are
# scheduled in-time). The size of this pool is something you should
# increment, if your site relies heavily on scripts.
#
# Suggested value for I/O threads, is 2x number of logical cpus.
# Suggested value for worker threads on site that runs lots of scripts,
# is ~half of max users online.
# Suggested value for encryption threads, is number of logical cpus.
#
# Optimal settings vary per system configuration (logical cpus) and use of
# daemon (large anonymous server, private server, private encrypted server).

[Threads]
# Process base priority: Idle/Normal/High/Realtime (Normal is default)
Process_Priority = NORMAL
Io_Threads = 2 # Number of io threads (2)
Worker_Threads = 5 # Number of worker threads. (5)
Encryption_Threads = 2 # Number of encryption threads (1)

# the window name, used by third party scripts and services to communicate
# with ioFTPD. the default is fine unless you are running two copies of
# ioFTPD.
WindowName = ioFTPD::MessageWindow

# FTP clients often impose a timeout (usually 2 minutes or so) on receiving
# a response from the server to an issued command. Some events take a long time
# to complete and fail to provide some sort of output every minute or so.
# As a workaround you can now have the server output a single line to keep
# the client happy if nothing has been sent to the user within the last 90
# seconds. If not defined then this feature is disabled. The default text
# output is the default prefix for the event, but if not defined or is
# empty this text will be used.
Keep_Alive_Text = 200-

# Create TCL interpreters ahead of time instead of on demand.
Create_Tcl_Interpreters = TRUE

# Log creation/deletion and force finalization for interpreters. Requires
# Create_Tcl_Interpreters be enabled to force deletion/finalization after a
# rehash, BUT actually disables the creation ahead of time feature.
Debug_Tcl_Interpreters = FALSE

# Track thread deletions
Log_Exiting_Worker_Threads = TRUE

# When this feature is enabled the server spawns a companion process
# 'ioFTPD-Watch.exe'. If the server detects that the DLL loader lock has
# gotten stuck and it is therefore unable to exit it will signal the watcher
# to forcefully terminate the server. The watcher may also kill the server
# if it fails to signal it's alive at least once every minute. This feature
# also makes the server attempt to connect to all active services every
# minute and if that fails 3 times in a row it will try to exit gracefully.
# If it can't exit the ioFTPD-Watch process will time it out and terminate it.
# NOTE: ioFTPD-Watch.exe output goes to the [$Log_Files]\Watch.log file.
;Restart_On_Deadlock = TRUE



###############################################################################
################################# FILE ##################################
###############################################################################

# Directory caching involves hashing the full directory name to get the bucket
# to search and then binary searching an ordered array. Previously the number
# of buckets was fixed at 8 and the default was 1000 entries per bucket. I
# prefer more memory use but faster performance so have made the number of
# buckets an option...

[File]
MessageCache_Size = 500 # Number of .message files to cache
# (min 75, default 100)
DirectoryCache_Buckets = 100 # Number of buckets to use (min 5)
DirectoryCache_Size = 1000 # Number of directories per bucket
# (min 100)
Device_Concurrency = 5 # Maximum simultaneous io operations
# per device (min 1, default 5)



###############################################################################
################################# MODULE ##################################
###############################################################################
# modules are used to control internal behaviour of ioFTPD.
# this interface is poorly documented at the moment and probably broken.
[Modules]
;MessageVariableModule = ..\modules\cookie.dll
;UserModule = ..\modules\networkuser.dll
;GroupModule = ..\modules\networkgroup.dll
;EventModule = ..\modules\eventmodule.dll



###############################################################################
################################ SCHEDULER ################################
###############################################################################
# Scheduler
#
# Event = <minutes> <hours> <day of month> <day of week> Command
# 0-59 0-23 1-31 0(Sunday)-6
#
# The specification is very similar to syntax of the unix crontab file and
# thus permits you to specify * to match anything and to specify multiple
# values separated by commas.
#
# The only tricky thing is the hours field which needs to be specified in
# UTC (GMT without daylight savings) and thus specifying events to run
# at midnight depends on where you are running the server. For example
# if you are located in the CET timezone, to run an event at midnight local
# time you would use
# event-name = 0 22 * *
# because the difference is -2 hours.
#
#
# Internal Commands:
#
# &Reset : Resets upload/download counters
# &ConfigUpdate : Reloads devices and Restarts services, if bind ip
# of service has changed
#

[Scheduler]
# every day at midnight UTC reset up/down counters
Reset = 0 0 * * &Reset
# every 10 minutes restart services to check for IP updates
ConfigUpdate = 0,10,20,30,40,50 * * * &ConfigUpdate


[Reset]
WeeklyReset = Sunday
MonthlyReset = 1st



###############################################################################
################################# EVENTS ##################################
###############################################################################

# Event = !file # Show file
# Event = EXEC file.exe [<args>] # run file.exe with optional args
# Event = TCL script.itcl [<args>] # run script.itcl with optional args
# Event = %EXEC/TCL ... [<args>] # translate cookies found in args

[Events]
# NOTE: You can list more than one event and all will be called, see
# the file doc\Events.txt for a list of all events and the arguments
# they are called with.
OnClosedKick = !..\text\ftp\ServerClosing
OnClosedLogin = !..\text\ftp\ServerClosed
OnDeletedKick = !..\text\ftp\DeletedKick
OnExpiredKick = !..\text\ftp\ExpiredKick



[FTP_Pre-Command_Events]
# Pre commands are run before the actual FTP command of the same name is
# executed. You can have more than 1 event run per command but ALL must
# succeed in order for the real FTP command to be run.
;list =
;stor =
;mkd =
# etc...

[FTP_Post-Command_Events]
# These are called after the real command successfully completed.
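
The PERMISSIONS comments in the posted config say rules are processed top to bottom and the first match wins, so a catch-all placed too early silently disables every narrower rule after it. The sketch below is an added example, not ioFTPD code and not part of the posted file: it assumes glob-style path matching and a left-to-right reading of the rights tokens, and the `/Private` tree, user `alice` and group `users` are constructed for illustration.

```python
"""First-match evaluation and shadow check for ioFTPD-style path rules."""
from fnmatch import fnmatchcase

# Constructed sample: the Upload/Overwrite rules from the posted config plus a
# deliberately misordered Download pair on a hypothetical /Private tree.
SAMPLE = r"""
[VFS]
Upload    = /Incoming/*  31VM
Upload    = /*           1VM
Download  = /*           *
Download  = /Private/*   1M
Overwrite = /*           !*
"""


def parse_rules(text):
    """Return {privilege: [(pattern, rights), ...]} in file order.

    configparser is avoided because the same key legitimately repeats.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition("=")
        parts = value.split(None, 1)
        if len(parts) != 2 or not parts[0].startswith("/"):
            continue  # not a "<virtual path> <rights>" rule
        rules.setdefault(key.strip().lower(), []).append(
            (parts[0], parts[1].strip()))
    return rules


def rights_allow(rights, user, group, flags):
    """Assumed reading of <rights>: the first token that matches decides."""
    for token in rights.split():
        negate = token.startswith("!")
        body = token[1:] if negate else token
        if body == "*":
            hit = True                      # everyone
        elif body.startswith("-"):
            hit = body[1:] == user          # specific user
        elif body.startswith("="):
            hit = body[1:] == group         # specific group
        else:
            hit = any(f in flags for f in body)  # any listed user flag
        if hit:
            return not negate
    return False


def is_allowed(rules, privilege, path, user, group, flags):
    """Only the first rule whose path pattern matches is consulted."""
    for pattern, rights in rules.get(privilege.lower(), []):
        if fnmatchcase(path, pattern):
            return rights_allow(rights, user, group, flags)
    return False


def shadowed_rules(rules):
    """Heuristic lint: rules whose pattern an earlier pattern already covers."""
    findings = []
    for privilege, entries in rules.items():
        for i, (pattern, _rights) in enumerate(entries):
            for earlier, _ in entries[:i]:
                if fnmatchcase(pattern, earlier):
                    findings.append((privilege, pattern, earlier))
                    break
    return findings


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE)
    for priv, pattern, earlier in shadowed_rules(parsed):
        print(f"{priv}: '{pattern}' never fires, shadowed by '{earlier}'")
```

Running the shadow check over a real ioFTPD.ini before a rehash catches the case where a restriction was appended below an existing `/*` line.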

Yil
04-16-2011, 07:15 AM
The reason FXP will work fine is because it's probably using your server in active (PORT) mode so the server is making outgoing FTP connections instead of listening for incoming...

Why don't you test your router's forwarding to see if that's the problem. You can try a number of things, pick one of the forwarded ports and setup uTorrent on that and in its menu try the test port option or whatever it has. Same thing is possible with FTP clients, setup port range on forwarded ports and try to use active (PORT) mode connections from a remote FTP server to see if that works for directory listings using list -al. If things like that work then you probably have the ports forwarded OK.

Another HUGE issue you might have is with a firewall. Are you running a software firewall (including Windows' builtin one)? If you are make sure you allow incoming connections. A lot of firewalls allow outgoing by default but you need to explicitly allow incoming so that might be the problem as well.

kathorga
04-17-2011, 09:55 AM
Ok guys, problem solved. Ports weren't opened correctly. Thanks for help.