An IP Filter problem and a question

Need help with FileZilla Server? Something does not work as expected? In this forum you may find an answer.

Moderator: Project members

Post Reply
Message
Author
djones
500 Command not understood
Posts: 3
Joined: 2007-10-22 06:31

An IP Filter problem and a question

#1 Post by djones » 2007-10-22 06:53

I've been using FileZilla server 0.9.23 beta for quite a while with no problems. Like many others have posted here, I too am blocking IP ranges from China, Spain, etc., due to stupid hackers attempting to get in via a non-existent 'Administrator' account.

In the process of modifying my configuration to block certain IP ranges, I discovered that IP filtering on the general settings page works just fine, as does filtering on the Groups page. However, IP filtering on the Users page DOES NOT work. This is true for both 0.9.23 and the newer 0.9.24, which I just installed a few minutes ago.

So, it would seem that FileZilla Server is not honoring the IP filters on the Users page at all. Which brings up my question: What is the difference (if any) between the IP filter lists in the three different locations, "General Settings," "Groups," and "Users?" If they are all supposed to have the same effect, why have three lists? And also, if they are supposed to have the same effect, why do the lists in Groups and General Settings work just fine, while the list in Users doesn't work at all?

Thanks,

- Dennis

User avatar
botg
Site Admin
Posts: 35507
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

#2 Post by botg » 2007-10-22 07:18

The IP filters for the users and groups prevent users/groups from logging on. I've just tried it again, works as expected here.

djones
500 Command not understood
Posts: 3
Joined: 2007-10-22 06:31

#3 Post by djones » 2007-10-22 17:49

Okay, then I don't understand what the "as expected" behavior is, and there doesn't seem to be a well-documented explanation anywhere that I can find.

So, let me ask again...how do the IP filter lists in users/groups differ from each other and from the IP filter list on the general settings page? All three of the lists seem to do exactly the same thing (that is, to simply block access from certain IP addresses), and as such, I do not understand why there are three lists. For what reason(s) would I prefer to use one list over another?

Perhaps if I understood why there are three lists, and how they differ from each other, I would then understand why am I able to log on via an address that is listed in the IP filter range on the Users page. I have a username listed in the "Users" list. I have an IP address in the IP filters list. Yet, that user can log on with no problem even if connecting from the address listed in the IP filter list. This is not the case if the address is given in the general settings page, or if it is given in the groups IP filter list. So, either there is a bug in the IP filter list for Users, or "as expected" means something different to you than it does to me.

I am able to block the unwanted access via the general settings page, but I am also eager to get an explanation for the behavior I am seeing.

Thanks,

- Dennis

username89
500 Command not understood
Posts: 1
Joined: 2007-10-22 23:32

#4 Post by username89 » 2007-10-22 23:37

User IP filter: blocks access to specified user from specified IPs
Group IP filter: blocks access to specified group from specified IPs
General settings filter: blocks access to filezilla server from specified IPs

djones
500 Command not understood
Posts: 3
Joined: 2007-10-22 06:31

#5 Post by djones » 2007-10-23 01:10

OH! Duh! *NOW* I see how it works! The IP filter list is User- and Group-specific. Thus, when I enter an IP address into the list, that address is tied to the currently selected user or group, and I have verified that it is indeed working "as expected". Thank you so much for the clarification. I knew there was something wrong with how I was interpreting the interface.

Okay, now this brings up another issue, because what threw me off was, from a user's perspective, hierarchical items are usually arranged so that the higher-order elements are displayed on the left-hand side of the window (at least in western languages where text is read from left-to-right). But in FileZilla, this is backwards -- the user list controls what you see, but the user list is on the right-hand side of the window (which is somewhat counter-intuitive).

I would suggest that this be changed. Since everything is subordinate to the selected user/group, the "Users" and "Groups" lists should be at the far left, with the "Page" list in the middle, and finally the selected page on the right. IMO, this would be more intuitive for users.

Thanks again,

- Dennis

Newton
500 Command not understood
Posts: 1
Joined: 2008-02-07 14:06
First name: Newton
Last name: James
Location: N. Illinois

Re: An IP Filter problem and a question

#6 Post by Newton » 2008-02-07 14:14

I love the server but for these documentation quirks.

When listing various IP addresses for the filter, what do I use as a separator for the multiple addresses? A space?

I.e. 59.120.154.223 89.97.247.142 60.250.127.184 204.15.150.34

Newton

User avatar
botg
Site Admin
Posts: 35507
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: An IP Filter problem and a question

#7 Post by botg » 2008-02-07 17:11

Space or newline.

Bib
500 Command not understood
Posts: 2
Joined: 2009-03-22 10:44

Re:

#8 Post by Bib » 2009-03-22 11:06

djones wrote:OH! Duh! *NOW* I see how it works! The IP filter list is User- and Group-specific. Thus, when I enter an IP address into the list, that address is tied to the currently selected user or group, and I have verified that it is indeed working "as expected". Thank you so much for the clarification. I knew there was something wrong with how I was interpreting the interface.

Okay, now this brings up another issue, because what threw me off was, from a user's perspective, hierarchical items are usually arranged so that the higher-order elements are displayed on the left-hand side of the window (at least in western languages where text is read from left-to-right). But in FileZilla, this is backwards -- the user list controls what you see, but the user list is on the right-hand side of the window (which is somewhat counter-intuitive).

I would suggest that this be changed. Since everything is subordinate to the selected user/group, the "Users" and "Groups" lists should be at the far left, with the "Page" list in the middle, and finally the selected page on the right. IMO, this would be more intuitive for users.

Thanks again,

- Dennis
100% agree with that cosmetic which would prevent that kind of questions. I think it would be more intuitive if the "User"/"Group" lists were left most placed with their Add/remove/rename/copy buttons, then at right the "Page:" options selector, then right most the settings themselves. This would be more similar as the "General Setteings" left to right hierarchical presentation.

Although, this doesn't help to find an answer to your question "Why should I prefer using IP rules from User/Group or General settings", because there is no explanation on which one have precedance over the other(s), which overrides which.
Did you found?
I'd like to forbid all connections once for all (the better place would be in "General settings") with 0.0.0.0/0.0.0.0 (is it the good syntax?) then allow access on a per User or Group basis. Should I leave the user/group forbid field blank and only enter the exceptions?
What means "Exclude the following IPs from the list of disallowed IPs, thus enbling access again" when the disallowed IPs list is empty?

THank for help or any "what to read" about that

Bib
500 Command not understood
Posts: 2
Joined: 2009-03-22 10:44

Re: An IP Filter problem and a question

#9 Post by Bib » 2009-03-22 12:38

I found that disallowing any IP connection ( * ) at General level seems to block any user level allowed IP. To grant back the ability to connect, I had to add the IP also at the general level which makes the user/roup level rules completly unusefull.
I can't beleive this is a bug because Filezilla exists for many years I think, so surely I misunderstand something in the so called "intended behaviour".

Post Reply