Re: VSFTP in passive mode

On Thu, 09 Feb 2006 13:41:04 -0600, Sam Watson wrote:

For some reason I cannot get VSFTPD to work in passive mode. I am
running Fedora C4. When I FTP into the site I get connected, but when I
type "ls" for a directory I get

"Entering Passive Mode (xx,xx,xx,xxx,xx,xx)
ftp: connect: No route to host"

If I exit passive mode by entering "pass" the directory comes across. I
do not have a "pasv_enable=no" in the vsftpd.conf file, so it should be
on by default. I have also discovered that if I turn off the firewall
(iptables) FTP works in passive mode...

Sorry for the massive bump of this post. Probably way off here, but have
you set up a passive port range? I'm thinking this might be the problem,
given what you said about turning off the firewall.

You've probably sorted it now, but if you haven't, the simplest way I can
try to help is to show you the pertinent sections of my vsftpd.conf:

pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=YES
#enable for standalone mode
listen=YES
tcp_wrappers=YES
pasv_address=82.29.34.23
pasv_promiscuous=YES
pasv_enable=YES
hide_ids=YES
pasv_min_port=xxxxx
pasv_max_port=xxxxx
chroot_local_user=YES
max_clients=x
no_anon_password=YES

The way I understand it, running passive mode puts the 'security burden'
on the server, i.e. it has to open up ports. In active mode, the 'security
burden' is on the client, which has to accept incoming connections
originating from port 20 of the FTP server it's connecting to.
(Corrections most welcome.)

(All FTP connections are TCP. None are UDP AFAIK.)

For my vsftpd.conf, I've had to input the appropriate rules in my IPTables
firewall too.

/sbin/iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport xxxxx:xxxxx -j ACCEPT

Where 'xxxxx:xxxxx' is the lowest port number:highest port number in the
range you want to specify, for the passive FTP ports.

HTH and sorry if it didn't.

Regards,

News.

P.S. Can you connect to mine?
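As an added example (not code from this thread), a small Python checker that reads a vsftpd.conf in the key=value format above, decodes the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply quoted in the first post into an address and port, emits the two iptables rules from the post with the configured range filled in, and reports when the advertised port or address would not be reachable through those rules. The configuration sample, the 203.0.113.10 address and the 50000:50100 range are constructed placeholders, not the poster's values.

```python
import re
# Constructed sample vsftpd.conf: the address and port range are placeholders, not the poster's.
SAMPLE_CONF = """\
# enable for standalone mode
listen=YES
pasv_address=203.0.113.10
pasv_min_port=50000
pasv_max_port=50100
"""

def parse_vsftpd_conf(text):
    """Read vsftpd's key=value format; blank lines and '#' comments are ignored."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip()
    return opts

def parse_pasv_reply(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def passive_range(opts):
    """(min, max) data ports vsftpd may advertise; pasv_enable defaults to YES when absent."""
    if opts.get("pasv_enable", "YES").upper() == "NO":
        raise ValueError("passive mode is disabled in this configuration")
    return int(opts["pasv_min_port"]), int(opts["pasv_max_port"])

def iptables_rules(opts, iface="eth0"):
    """The two INPUT rules from the post, with the range filled in from the config."""
    lo, hi = passive_range(opts)
    return ["/sbin/iptables -A INPUT -i %s -p tcp --dport 21 -j ACCEPT" % iface,
            "/sbin/iptables -A INPUT -i %s -p tcp --dport %d:%d -j ACCEPT" % (iface, lo, hi)]

def check_pasv_reply(opts, reply):
    """Reasons a client could fail to reach the data port the server just advertised."""
    ip, port = parse_pasv_reply(reply)
    lo, hi = passive_range(opts)
    problems = []
    if not lo <= port <= hi:  # the firewall rule above only opens the configured range
        problems.append("port %d is outside the configured range %d:%d" % (port, lo, hi))
    if "pasv_address" in opts and ip != opts["pasv_address"]:
        problems.append("advertised %s but pasv_address is %s" % (ip, opts["pasv_address"]))
    return problems
```

Note that pasv_promiscuous=YES in the quoted config disables vsftpd's check that the data connection originates from the same IP address as the control connection; it is not needed to make passive mode work through the firewall, and the checker above does not model it.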