Whether you’re really passionate about RPC, MQTT, Matrix or Nostr, tell us more about the protocols or open standards you have strong opinions on!
Whether you’re really passionate about RPC, MQTT, Matrix or Nostr, tell us more about the protocols or open standards you have strong opinions on!
PART 2.
NAT, much like the city of Phoenix, is a monument to man’s arrogance. Fuck NAT, and fuck FTP. If your FTP server is listening directly on a public IP address, then none of this applies. If you’re anything like me, the last company I worked for (a small startup), or my current company (many many thousands of employees making software you know and may or may not hate, making many billions of dollars a year), then the majority of your servers are living in RFC1918 space. Traffic from the internet is making it to them via NAT (or NAT with extra steps, e.g. L4 load balancers). A request comes in for $PUBLIC_IP TCP port 21 or TCP port 44000-44010 and is forwarded to your failure of a boxen. Your FTP server is a big stupid idiot and doesn’t know this. It thinks that it’s king shit and has its own public IP address. Therefore, when it’s deciding what ADDR:PORT it’s going to tell your stupid FTP client to connect to, it just looks at one of the adapters on the box and says “oh, I’ll tell this client on the internet to connect to 10.0.54.187:44007” and then I fucking cry. Your FTP client is an idiot, but IP stack on your router is not and says “oh, that’s an address living in RFC1918 space, I shouldn’t send that out over the internet” and you don’t get the results of your LIST.
So, how do you fix this? Well, you fix it by not using FTP. Use SFTP USE SFTP USE SFTP FOR GOD’S SAKE. But since this world is a shit fucking place, you have two options. The best option is to configure your FTP server to lie about its IP address. Rather than being honest about what a fool it is, you can tell it to connect to your public IP address. Does your public IP address change? Fuck you, you get to write a daemon that checks for that shit, rewrites your FTP server config, and HUPs the bastard (or SIGTERMs it if your server sucks and can’t do a live config reload).
Let’s say that you don’t want to do that. Let’s say you work at a small company with a small business internet plan that gives you static IPs but a shitty modem. Let’s say that you don’t know what FTP is or how it works and your boss told you to get it set up ASAP and it’s not working and it surely must be your ISP’s fault. So you call up Comcast Business/AT&T/Verizon/Whoeverthefuck and you complain at their technicians for hours and hours, and eventually you get connected to a human that knows what the problem is and tells you how to configure your stupid FTP server to lie like a little sinner. The big telco megacorps don’t like that. They don’t want to waste all those hours, and they don’t want to hire too many people who can figure that shit out because it’s expensive. You wanna know what those fucking asshole companies did?
Continued in part 3.
PART 3.
They made their STUPID MODEMS FUCK WITH THE FTP PACKETS. I have personally experienced this with Comcast Business. The stupid piece of shit DOCSIS modem they provide intercepts the FTP packet from your server saying “oh, connect to this address: x.x.x.x:44010” and they rewrite the fucking address to the public IP. There is no way to turn this horse piss off. Now, for average business customers, this probably saved Comcast a bunch of money in support calls. However, if you’re using the so-called bridge mode on that degenerate piece of shit-wrapped-silicon (where rather than allowing the modem to give you a DHCP address, you just configure your system to have one of the addresses in the /29 space and the modem detects that and says oh okay don’t NAT traffic when it’s going to this address, just rewrite the MAC and shunt it over the right interface), then something funny happens. The modem still rewrites the contents of the packet, but it uses the wrong fucking IP address! Because the public IP that your server is running on is no longer available to the modem, the modem just chooses another fucking address. Then, the client tries to connect to 1.2.3.5 instead of 1.2.3.4, the modem says “hey I’m 1.2.3.5 and you can fuck off, I’m dropping your SYN for port 44010”, and I get an angry call from the client asking why they can’t download their files using this worthless protocol. I remember having a conversation like this:
Me: “Just use SFTP on port 22!”
Client: “No! FTP is faster/more secure/good enough for my grandfather good enough for me/corporate won’t allow port 22.”
Me: “Comcast is fucking me right now. What if we lied and served SFTP over port 21?”
we try it
Client: “It’s not working! I can’t even connect!”
I couldn’t connect either. I couldn’t connect to anything. Trying to do SFTP over port 21 caused the stupid fucking modem to CRASH.
Are you starting to see what the problem is? It’s like Microsoft preserving bugs in Windows APIs so that shitty software doesn’t break, and then they end up doing crazy gymnastics to accomodate old shit like the Windows 8 -> Windows 10 thing where they couldn’t use “Windows 9” because that would confuse software into thinking it was running “Windows 95” or “Windows 98”. FTP has some bugfuck crazy design decisions that we’ve collectively decided to just “work around,” and it leads to fucking gymnastics.
Speaking of bugfuck crazy design decisions, FTP’s default file transfer mode intentionally mangles data!
Continued in part 4.
PART 4.
You expect a file transfer program to reliably and faithfully transfer your files, byte-for-byte, from one system to another. FTP spits in your face and shits on your chest. You know how Linux uses LF (i.e.
\n
) for newlines and Windows uses CRLF (i.e.\r\n
) for newlines? Pretty annoying, right? Well, FTP’s ASCII mode will automatically rip off those\r
characters for you! Sounds pretty sweet, right? Fuck no it’s not. All of the sudden, your file checksums have changed. If you pass the same file back to a Windows user with a different and more sane file transfer system, then they get a broken file because FTP didn’t mind its own fucking business. If you have a CRLF file and need an LF file, just explicitly usedos2unix
. Wanna go the other way?unix2dos
. The tool has been around since 1989 and it’s great.Now, what if you’re not transferring text, but instead are transferring a picture of a cute cat? What if your binary data happens to have 0x0D0x0A somewhere in it? Well, ASCII mode will happily translate that to 0x0A and fucking ruin your adorable cat picture that you were going to share with your depressed significant other in an attempt to cheer them up. Now the ruined JPEG will remind them of the futility of their situation and they’ll slide even deeper into cold emptiness. Thanks, FTP.
You can tell your client to use binary mode and this problem goes away! In fact, modern clients do this automatically so your SO gets to see the adorable fuzzy cat picture. But let’s just stop and think about this. Why use a protocol that is dangerous by default? Why use a protocol that supports no form of security (unless you’re using fucking godawful FTPS or FTP over SSH)? Why use a protocol that is so broken by design that small business hardware has been designed to try to unfuck it? Is it faster? I mean, not really. SFTP has encryption/decryption overhead, but your CPU is so fast that you’d need to transfer at 25+ Gb/s to notice it. Is it easier? Fuck no it’s not easier, look at all of the stupid footguns I’ve just mentioned. Is it simpler? The line protocol is simple, but so is HTTP, and HTTP has a much simpler control flow path (merging the data and control planes is objectively the right thing to do in this context). And shit, you want a simple protocol for cases where you don’t have a lot of CPU power? Use fucking TFTP. It’s dogshit, but it was intentionally designed to be dogshit so that a fucking potato could receive data with it.
There is no task that is currently being done with FTP that couldn’t be done more easily, more securely, and more quickly with some other protocol (like fucking SSH and SFTP, which is now built into fucking Windows for god’s sake). Fuck FTP.
Have you considered publishing that as a book? (/s)
You are insane… in a good way. I love it. Fantastic read and I had to chuckle a few times.
I read the first two and kinda gave up my dude. Here’s my deal. I get that it’s bad under the hood. What else can I use that lets me and a friend pretend we just have folders in each other’s computers with just a port forward, IP, and a password?
That’s not even the type of setup you should use. Use a VPN of the type designed for games and IoT stuff, like ZeroTier, n2n, and more. Then you set up a local file share using something like Samba, only accessible by the people who can connect to your local network via the VPN.
The public facing VPN code will be MUCH more hardened against attack than your typical sharing tool with port forwarding.
I’m less worried about attack than barriers to sharing.
ZeroTier is pretty easy to set up, but at the point where you’re worrying about “barriers to sharing” you should probably using a cloud service anyway.
Ahhh but that’s the thing. A middleman being necessary is very against my values. I don’t want there being someone else or there limiting or telling me no. I’m not letting someone else’s DMCA compliance tell me what I can have. I’m also not really interested in non FLOSS.
You should be able to just use ssh/sftp. There are lots of great clients, and you can absolutely still use usernames and passwords, no public/private key stuff required. You can even use
ssh
andscp
right from powershell on Windows boxen if you’re so inclined. There’s winscp, and if you want filesystem mounting, there’s this: https://github.com/winfsp/sshfs-winFor macos and Linux, the options are far more plentiful.
Edit: there’s also file pizza, which is a file transfer thingy with no middle man that’s open source, although it’s not copyleft AFAICT: https://github.com/kern/filepizza
and similar tools. Not really what you’re after, I just think it’s neat.
If you set up port forwarding for file shares you must keep setting it up again for every new service.
If you set up a VPN once then you’re simply done. Every new service you set up is available directly.
No middleman pls.
ZeroTier can be a fully self hosted VPN. You set up a server locally, port forward only the VPN service, and then everything else you run is accessible through it for the people you give access to.