LinuxQuestions.org

Linux - Networking: vsftpd: Cannot list files, but can change dirs (https://www.linuxquestions.org/questions/linux-networking-3/vsftpd-cannot-list-files-but-can-change-dirs-519340/)

beebopbogo 01-14-2007 09:50 PM

vsftpd: Cannot list files, but can change dirs
 
I am serving an FTP site from my Ubuntu 5.1 computer and am having troubles logging on from outside my network. Actually, logging on is no problem, but listing the files and downloading is the problem (although I can still change directories). Between computers inside the network works perfectly.

Here's a typical scenario using FileZilla under WindowsXP from outside the network:
USER blah
PASS blah
230 Login successful
PWD
257 "/home/blah"
PASV
227 Entering Passive Mode (192,168,2,2,42,46)
LIST
Transfer channel can't be opened. Reason: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Could not retrieve directory listing

Another scenario using 'ftp' under Linux from outside the network:
[becker@esus ~]$ ftp adambecker.homelinux.com 2102
Connected to adambecker.homelinux.com.
220 You have successfully entered Adam's FTP site.
530 Please login with USER and PASS.
Name (adambecker.homelinux.com:becker):
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,2,2,237,138)
ftp: connect: Network is unreachable
ftp> cd mydocs ### <-- I can 'cd' fine
250 Directory successfully changed.
ftp> ls ### <-- But 'ls' fails
227 Entering Passive Mode (192,168,2,2,74,122)
ftp: connect: Network is unreachable
ftp> get test.txt
local: test.txt remote: test.txt
227 Entering Passive Mode (192,168,2,2,235,86)
ftp: connect: Network is unreachable
ftp>


I am using iptables which blocks all unused ports. Should I be opening one up besides port 2102 (my FTP port)? Is this a network problem or a vsftpd problem? Thanks for any suggestions!

--Beebop


###### Here's my /etc/vsftpd.conf ######

listen_port=2102
ftpd_banner=You have successfully entered Adam's FTP site. Upload some pictures. Show me what you look like :)

# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

#make sure the 'auth required pam_shells.so' line is commented out in /etc/pam.d/vsftpd
pam_service_name=vsftpd

#default userlist_enable is NO, but I don't want to let anyone in EXCEPT those in the list
userlist_enable=YES

#Used when userlist is enabled.
#When userlist_deny is NO, all users are denied except those in userlist_file
userlist_deny=NO
userlist_file=/etc/vsftpd.user_list

#enable for standalone mode
listen=YES
tcp_wrappers=YES

anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
#idle_session_timeout=600
#data_connection_timeout=120
chroot_local_user=YES

JimBass 01-14-2007 10:31 PM

I would think you also need to open port 20, as you have this in your config -
Quote:

connect_from_port_20=YES

I have vsftp on my boxes and have never seen this problem, but we run on 21 with 20 open as well. I'm not certain, but have a hunch that is your problem.

Peace,
JimBass

beebopbogo 01-15-2007 12:02 AM

Good point. I missed that one.

I opened up that port, but no changes. Maybe my ISP is blocking it?

So, I set CONNECT_FROM_PORT_20=NO in vsftpd.conf which should restrict some options but at least let me upload/download files. But after changing /etc/vsftpd.conf, stopping vsftpd, then starting vsftpd again, nothing changed.

beebopbogo 01-15-2007 12:16 AM

I found this solution elsewhere on linuxquestions:

>In /etc/sysconfig/iptables-config try setting
>IPTABLES_MODULES="ip_nat_ftp ip_conntrack_ftp"
>and restart iptables.

Same problem as I had and it fixed his problem. He was using RH9 I think. Anyway, does anyone know where to find the equivalent in ubuntu-5.1? I tried to 'locate' iptables, but no config files were found. Just these:

/sbin/iptables-restore
/sbin/iptables
/sbin/iptables-save

some /usr/share files, and a bunch of .so files.

btmiller 01-15-2007 12:18 AM

The FTP client in the above transaction is attempting to use passive. FTP communications use two "channels" -- a command channel (from the client to port 21 on the server) and a data channel. It is the latter we are concerned about. In "old fashioned" FTP, the server opened the data connection from its port 20 to some arbitrary high port on the client. This is what the from_port_20 setting governs. This is called "active" FTP. The problem is that most clients these days are behind NAT routers or have firewalls that prohibit the connection from the server from getting through.

So what to do? The solution is "passive" FTP. In this case, the client opens the second connection to the server for the data stream. But since port 21 is in use it must use another port. In general servers are set to use a range of ports so they can handle several clients. In vsftpd.conf the pasv_min_port and pasv_max_port settings set the lower and upper bounds of this range. So the ports in this range must be allowed through your firewall and if necessary redirected to the FTP server or else the data channel will never be opened.

So, this explains the behavior you see. Changing directories only uses the data channel. However, when you try to do an "ls", the results of the ls are actually sent back as data. In your case the data channel is never set up correctly, so you never see anything back from the ls, instead receiving an error. The solution is to configure a port range for passive FTP and make sure it is allowed through your firewall or use active FTP on the client side (will not work if the client is behind NAT or has a firewall preventing the data connection from the server from being established).

beebopbogo 01-31-2007 11:49 AM

Still no go. I opened up a port range so that passive mode would work, and specified that range in vsftpd.conf (1073-1079). I don't expect many clients, which is why the range is so small...

If it helps, here are some more details on my configuration:

I have a home network, and the modem goes to a router which is the center of a 3 computer network. I use port forwarding to pass traffic to the correct computer (my server). So in the router settings, I have forwarded ports 2102 FTP, 20 FTP, 1073-1079 FTP, and 8002 WEB to my server's local address. I have also opened up iptables so I don't have to think about the firewall at the moment.

My vsftpd.conf file listens on port 2102 and successfully connects clients. To allow passive mode, I have set pasv_min_port=1023 and pasv_max_port=1079. connect_from_port_20=YES just in case we want to fool around with active mode.

Like I said above, I can successfully log in remotely and change directories, but 'ls' doesn't work and uploading/downloading doesn't work. However, if I log in from inside the 3-computer network everything works perfectly.

Thanks for your help,

Beebop

chort 01-31-2007 12:01 PM

Quote:

Originally Posted by beebopbogo
Still no go. I opened up a port range so that passive mode would work, and specified that range in vsftpd.conf (1073-1079). I don't expect many clients, which is why the range is so small...

That's too small. A single FTP session might use up all of those ports. Open at least 100 ports.

Quote:

If it helps, here are some more details on my configuration:

I have a home network, and the modem goes to a router which is the center of a 3 computer network. I use port forwarding to pass traffic to the correct computer (my server). So in the router settings, I have forwarded ports 2102 FTP, 20 FTP, 1073-1079 FTP, and 8002 WEB to my server's local address. I have also opened up iptables so I don't have to think about the firewall at the moment.

20/tcp is OUTBOUND, not INBOUND. Port 20 is used for Active mode FTP for the server to open up a connection to the client on the client's port 20.

Quote:

My vsftpd.conf file listens on port 2102 and successfully connects clients. To allow passive mode, I have set pasv_min_port=1023 and pasv_max_port=1079. connect_from_port_20=YES just in case we want to fool around with active mode.

All connecting from port 20 would do is allow you to write a tighter firewall rule (allow outbound from source port 20 to destination port 20, instead of allow outbound from source port > 1023 to destination port 20).

Quote:

Like I said above, I can successfully log in remotely and change directories, but 'ls' doesn't work and uploading/downloading doesn't work. However, if I log in from inside the 3-computer network everything works perfectly.

btmiller already explained why that happens. Commands that don't generate output (other than FTP response codes) will work fine because they only use the command channel. Commands that do generate output (in addition to response codes) use the data channel for the output, but since you're using Passive mode FTP and do not have it configured correctly, the data channel isn't being opened and thus you fail to see the output from directory listing and fail to transfer files.

I would remove the "connect from 20" configuration setting. Also, make sure that the range of passive ports you configure on the server matches exactly what you're forwarding from the gateway and make sure that iptables is allowing it.

beebopbogo 01-31-2007 12:43 PM

I just did some more testing. The LIST command works when I do it manually. Why won't FTP programs work?


I used two terminals. In the first one I typed this:

>>[TERMINAL 1]
[myuser@esus ~]$ telnet myftp.domain.com 2102
Trying 206.100.120.33...
Connected to myftp.domain.com (206.100.120.33).
Escape character is '^]'.
220 You have successfully entered Beebop's FTP site.
user myusername
331 Please specify the password.
pass mypassword
230 Login successful.
type I
200 Switching to Binary mode.
pasv
227 Entering Passive Mode (192,168,2,2,4,36)
list


At this point, it waits for the passive connection, so I open the second terminal to receive the data. To know which port to connect to, take the last 2 numbers in the passive mode command above (...,4,36) and do this ((4*256)+36)=1060. So I know to connect to port 1060:

>>[TERMINAL 2]
[myuser@esus ~]$ ftp myftp.domain.com 1060
Connected to adambecker.homelinux.com.
drwxr-xr-x 2 500 500 4096 Dec 11 2005 Desktop
ftp>


Meanwhile, back in Terminal 1...

>>[TERMINAL 1]
150 Here comes the directory listing.
226 Directory send OK.
quit
221 Goodbye.
Connection closed by foreign host.
[myuser@esus ~]$


(By the way, ips and names have been changed to protect the innocent) ;)

chort 01-31-2007 03:26 PM

Quote:

Originally Posted by beebopbogo
pasv
227 Entering Passive Mode (>>>192,168,2,2<<<,4,36)

There's your problem. Your FTP server is using its internal IP address in the PASV command. You need to tell your FTP server what its external IP is.
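An added example, not code from anyone in this thread: a Python check that decodes a 227 reply the same way beebopbogo did by hand above ((p1*256)+p2) and flags the two things this thread turns on, a private address advertised in the PASV reply and a data port outside the range forwarded at the gateway. The sample replies and the 1073-1079 forwarded range are taken from the thread; the public address reused in the demo is the anonymised one from the telnet transcript.

```python
import ipaddress
import re

# RFC 959 reply shape: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(r"227\s.*?\(\s*(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*\)")


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if it is malformed."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]  # the (4*256)+36 = 1060 arithmetic from the thread
    return ip, port


def check_pasv(reply, forwarded_range):
    """Explain why a client outside the NAT cannot open the data channel.

    forwarded_range is the (low, high) TCP range forwarded at the router and
    allowed by iptables. Returns a list of problems; empty means the reply is usable.
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["malformed 227 reply"]
    ip, port = parsed
    problems = []
    # A private address in the reply is exactly chort's diagnosis: set pasv_address.
    if ipaddress.ip_address(ip).is_private:
        problems.append(f"advertised address {ip} is private; set pasv_address")
    low, high = forwarded_range
    if not low <= port <= high:
        problems.append(f"data port {port} is outside forwarded range {low}-{high}")
    return problems


if __name__ == "__main__":
    forwarded = (1073, 1079)  # range beebopbogo forwarded on the router
    # Constructed replies: the broken one from the thread and a corrected one.
    for reply in ("227 Entering Passive Mode (192,168,2,2,4,36)",
                  "227 Entering Passive Mode (206,100,120,33,4,49)"):
        print(reply, "->", check_pasv(reply, forwarded) or "OK")
```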

beebopbogo 02-13-2007 02:30 PM

Cool, it works! I just added this line to my /etc/vsftpd.conf file:

pasv_address=xx.xxx.xxx.xx

where xx.xxx.xxx.xx is my visible IP address. I got this address by using the 'w3m 192.168.2.1' command (or 'lynx') to open a non-graphical web browser from my remote computer. 192.168.2.1 is my router (be aware that default is usually 192.168.0.1), so I could navigate through that to find the outside IP.

Thanks for everyone's help!


Just a note: My IP address changes once in a while (I can't afford a static IP). So every once in a while I find that the FTP client will not connect and I have to go in and edit the pasv_address line in /etc/vsftpd.conf. It's doable, but annoying.

