Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
I ran a FTP-Server (vsftp) with a local firewall (iptables) on it.
Now every client who wants to connect has to enable passive before being able to get files.
The Internet Connection is a E1 Line (static ip's).
Is there a way to change this ?
Last edited by Voyager_MP; 07-02-2004 at 10:44 AM.
FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1024 (Server responds to client's control port)
FTP server's port 20 to ports > 1024 (Server initiates data connection to client's data port)
FTP server's port 20 from ports > 1024 (Client sends ACKs to server's data port)
Passive ftp:
FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1024 (Server responds to client's control port)
FTP server's ports > 1024 from anywhere (Client initiates data connection to random port specified by server)
FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)
Don't know what your firewall blocks, but could it be that not all ports needed for active ftp are 'open' (port 20)?
A stand alown server (statik IP) firewall of it's own, (IPTables), OS: Debian, FTP-Server VSFTP
now the problem: all the clients have to write passive before beeing able to run commands like ls on the server out of a shell ftp-client
I do not like this, because some stupid custumers of us don't get it
[mp 1] >ftp atecom.org
Connected to atecom.org.
220 Welcome to ATECOM FTP service.
Name (atecom.org:xxxxxx): xxxxxx
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 Illegal PORT command.
ftp: bind: Address already in use
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (212,117,69,18,63,101)
150 Here comes the directory listing.
-rw------- 1 1004 8 0 May 19 08:58 Trash
drwx------ 3 1004 8 4096 Jun 04 10:55 mail
drwxr-xr-x 2 1004 100 4096 May 19 08:58 public_html
-rwxr-xr-x 1 0 0 33296 Jun 04 09:47 test
226 Directory send OK.
[mp 2] >nmap atecom.org -p 20
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-07-05 13:22 CEST
Interesting ports on postman.atecom.com (212.117.69.18):
PORT STATE SERVICE
20/tcp closed ftp-data
I would like to have a soloution that would do this automaticly.
Last edited by Voyager_MP; 07-05-2004 at 07:23 AM.
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
425 Failed to establish connection.
Took another look at the output you posted (#6) and the following cannot be correct:
ftp: bind: Address already in use
Setting the port_promiscuous option to yes seems to get rid of this, to be replaced by:
425 Failed to establish connection
I wonder if vsftpd is the cause of this.
- Do you have the same problem when you set up a ftp session from the same box (client=server)?
- Can you test from a local network (no internet in between). You mentioned the box being stand-alone, so this might not be possible to test.
- What happens if you shut down the firewall, problem still there?
If you have the time and space, you might want to use ehtereal (or alike [tcpdump]) to check what's happening.
This is my config
# vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
ocal_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
idle_session_timeout=600
nopriv_user=ftp
ftpd_banner=Welcome to ATECOM FTP service.
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
port_promiscuous=yes
trying with port_promiseuous=yes and firewall up or down results in the same:
[mp 2] >ftp atecom.org
Connected to atecom.org.
220 Welcome to ATECOM FTP service.
Name (atecom.org:XXXXX): XXXXX
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
425 Failed to establish connection.
From Localhost: it works
root@postman:~# ftp localhost
Connected to postman.
220 Welcome to ATECOM FTP service.
Name (localhost:root): XXXXXX
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw------- 1 1004 8 0 May 19 08:58 Trash
drwx------ 3 1004 8 4096 Jun 04 10:55 mail
drwxr-xr-x 2 1004 100 4096 May 19 08:58 public_html
-rwxr-xr-x 1 0 0 33296 Jun 04 09:47 test
226 Directory send OK.
I thought it would be firewall related, guess I'm wrong.
Only 2 more things I can come up with (1 being 'old'):
- Anything weird in the logfiles. Especially /var/log/vsftpd.log or related, but take a look at the general logs as well.
- Use ethereal to check connections (this one I already mentioned).
One of the things that keeps comming to my mind is the ip address that vsftpd returns during data connects. Could be that vsftpd is giving your local machine's IP (192.168.x.y or 10.0.x.y). Only way to find this out (which IP is being send) is to look at the logfiles or use ethereal.
One more firewall related option: Is portforwarding activated?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
