I ran a FTP-Server (vsftp) with a local firewall (iptables) on it.
Now every client who wants to connect has to enable passive before being able to get files.
The Internet Connection is a E1 Line (static ip's).

Is there a way to change this ?

Handshaking and data ports for ftp:

Active ftp:

FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1024 (Server responds to client's control port)
FTP server's port 20 to ports > 1024 (Server initiates data connection to client's data port)
FTP server's port 20 from ports > 1024 (Client sends ACKs to server's data port)

Passive ftp:

FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1024 (Server responds to client's control port)
FTP server's ports > 1024 from anywhere (Client initiates data connection to random port specified by server)
FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)

Don't know what your firewall blocks, but could it be that not all ports needed for active ftp are 'open' (port 20)?

This might also help:
http://www.chinalinuxpub.com/doc/www...ftp-server.htm

ok, I tryed to open port 20, but still no luck, can it be that vsftp does not support active ftp ?

vsftp does support active ftp. Take a look at the manpage and options, especially the connect_from_port_20 option.

You do not tell if the clients are behind a firewall of their own. Could be that those (that??) firewall is blocking the connection.

If your questions is about disabling PASV mode, you can edit vsftpd.conf and

PASV_enable=no.

for better understanding:

A stand alown server (statik IP) firewall of it's own, (IPTables), OS: Debian, FTP-Server VSFTP

now the problem: all the clients have to write passive before beeing able to run commands like ls on the server out of a shell ftp-client

I do not like this, because some stupid custumers of us don't get it

[mp 1] >ftp atecom.org
Connected to atecom.org.
220 Welcome to ATECOM FTP service.
Name (atecom.org:xxxxxx): xxxxxx
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 Illegal PORT command.
ftp: bind: Address already in use
ftp> passive
Passive mode on.
ftp> ls
227 Entering Passive Mode (212,117,69,18,63,101)
150 Here comes the directory listing.
-rw------- 1 1004 8 0 May 19 08:58 Trash
drwx------ 3 1004 8 4096 Jun 04 10:55 mail
drwxr-xr-x 2 1004 100 4096 May 19 08:58 public_html
-rwxr-xr-x 1 0 0 33296 Jun 04 09:47 test
226 Directory send OK.


[mp 2] >nmap atecom.org -p 20

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-07-05 13:22 CEST
Interesting ports on postman.atecom.com (212.117.69.18):
PORT STATE SERVICE
20/tcp closed ftp-data



I would like to have a soloution that would do this automaticly.

You might want to try to set the following option:

port_promiscuous to yes (default is NO).

This will disable the port security check.

at least something has changed

331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
425 Failed to establish connection.

you can switch off PASV mode by setting the parameter below in your vsftpd.conf

PASV_enable=no

Yes, I tryed that too, but the point is that active is not working at all.

so turning passive of leaves me with the same problem

This turns out to be a nice problem......

Took another look at the output you posted (#6) and the following cannot be correct:

ftp: bind: Address already in use

Setting the port_promiscuous option to yes seems to get rid of this, to be replaced by:

425 Failed to establish connection

I wonder if vsftpd is the cause of this.

- Do you have the same problem when you set up a ftp session from the same box (client=server)?
- Can you test from a local network (no internet in between). You mentioned the box being stand-alone, so this might not be possible to test.
- What happens if you shut down the firewall, problem still there?

If you have the time and space, you might want to use ehtereal (or alike [tcpdump]) to check what's happening.

Hope this gets you going again.

Thanks for helping me.

This is my config
# vsftpd.conf
anonymous_enable=NO
local_enable=YES
write_enable=YES
ocal_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_file=/var/log/vsftpd.log
idle_session_timeout=600
nopriv_user=ftp
ftpd_banner=Welcome to ATECOM FTP service.
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
port_promiscuous=yes


trying with port_promiseuous=yes and firewall up or down results in the same:
[mp 2] >ftp atecom.org
Connected to atecom.org.
220 Welcome to ATECOM FTP service.
Name (atecom.org:XXXXX): XXXXX
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
425 Failed to establish connection.


From Localhost: it works
root@postman:~# ftp localhost
Connected to postman.
220 Welcome to ATECOM FTP service.
Name (localhost:root): XXXXXX
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw------- 1 1004 8 0 May 19 08:58 Trash
drwx------ 3 1004 8 4096 Jun 04 10:55 mail
drwxr-xr-x 2 1004 100 4096 May 19 08:58 public_html
-rwxr-xr-x 1 0 0 33296 Jun 04 09:47 test
226 Directory send OK.

I thought it would be firewall related, guess I'm wrong.

Only 2 more things I can come up with (1 being 'old'):
- Anything weird in the logfiles. Especially /var/log/vsftpd.log or related, but take a look at the general logs as well.
- Use ethereal to check connections (this one I already mentioned).

One of the things that keeps comming to my mind is the ip address that vsftpd returns during data connects. Could be that vsftpd is giving your local machine's IP (192.168.x.y or 10.0.x.y). Only way to find this out (which IP is being send) is to look at the logfiles or use ethereal.

One more firewall related option: Is portforwarding activated?

can you try connecting from a remote host after turning iptables off.

Perhaps iptables is configured not to accept non-passive ftp. you can check this using tcpdump.

e.g.

on the ftp server

tcpdump host <remotehost>

guess what, It just came to my mind, that i'm behind my own firewall


trying it from a host with static ip, and it worked.

I would have to forward port 20 throw my own firewall. Sorry for me, beeing so stupid