vsftpd passive connection issues

amb1545 · 01-29-2009, 04:14 PM

Hi,

I've got vsftpd running on a RHEL 5 server. I've been having issues with passive connections. Basically, passive connections work for directory listings, but when I go to actually transfer a file, it times out.

This is happening on my LAN, iptables is off.

Here is my vsftpd.conf:

Code:

anonymous_enable=NO
local_enable=YES
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
chroot_local_user=YES
guest_enable=YES
guest_username=ftpuser
listen=YES
listen_port=21
pasv_min_port=30000
pasv_max_port=30999
pam_service_name=vsftpd
virtual_use_local_privs=YES
local_root=/XXXX/ftp/$USER
user_sub_token=$USER
hide_ids=YES
ftpd_banner=XXXX FTP
pasv_promiscuous=YES

Here's the debug output from a ftp session:

Code:

andy-bohnes-macbook-pro-2:~ abohne$ ftp -d rfp@concord
Connected to concord.xrefer.lan.
220 XXXX FTP
ftp_login: user `rfp' pass `<null>' host `concord'
---> USER rfp
331 Please specify the password.
Password: 
---> PASS XXXX
230 Login successful.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
---> FEAT
211-Features:
 EPRT
 EPSV
 MDTM
 PASV
 REST STREAM
 SIZE
 TVFS
211 End
features[FEAT_FEAT] = 1
features[FEAT_MDTM] = 1
features[FEAT_MLST] = 0
features[FEAT_REST_STREAM] = 1
features[FEAT_SIZE] = 1
features[FEAT_TVFS] = 1
got localcwd as `/Users/abohne'
---> PWD
257 "/"
got remotecwd as `/'
ftp> cd outgoing
---> CWD outgoing
250 Directory successfully changed.
---> PWD
257 "/outgoing"
got remotecwd as `/outgoing'
ftp> dir
---> EPSV
229 Entering Extended Passive Mode (|||30575|)
---> LIST
150 Here comes the directory listing.
drwxrwxr-x    2 ftp      ftp          4096 Oct 17 13:52 200809
drwxrwxr-x    2 ftp      ftp          4096 Jan 26 19:04 200811
-rwxrwxrwx    1 ftp      ftp       4919449 Jan 26 19:04 contbecon2004.zip
-rwxrwxrwx    1 ftp      ftp       7193964 Jan 26 19:08 ehsacron2009.zip
-rwxrwxrwx    1 ftp      ftp      230810621 Jan 26 19:06 ehsdent2008.zip
-rwxrwxrwx    1 ftp      ftp      70208958 Jan 26 19:08 ehsvision2009.zip
-rwxrwxrwx    1 ftp      ftp      158006422 Jan 26 19:10 pearsonwwww2007.zip
226 Directory send OK.
ftp> get contb---> EPSV
---> NLST
econ2004.zip
local: contbecon2004.zip remote: contbecon2004.zip
---> TYPE I
200 Switching to Binary mode.
---> SIZE contbecon2004.zip
213 4919449
---> EPSV
229 Entering Extended Passive Mode (|||30684|)
---> RETR contbecon2004.zip

421 Service not available, remote server timed out. Connection closed

I'm kind of at a loss as to why the directory listings work via passive ftp but not file transfers. Anyone have any thoughts?

kentyler · 01-30-2009, 02:38 PM

Does this happen without the extra things in the config like:

pasv_min_port=30000
pasv_max_port=30999
virtual_use_local_privs=YES
pasv_promiscuous=YES

amb1545 · 01-30-2009, 02:51 PM

Quote:

Originally Posted by kentyler

Does this happen without the extra things in the config like:

pasv_min_port=30000
pasv_max_port=30999
virtual_use_local_privs=YES
pasv_promiscuous=YES

It definitely occurs with every combination of pasv_ config attributes I've tried and without them as well. I haven't tried without virtual_use_local_privs... I can try that out though.

kentyler · 02-02-2009, 08:12 AM

Do you have any firewall rules loaded?

What does iptables -Ln return?

amb1545 · 02-02-2009, 09:10 AM

Quote:

Originally Posted by kentyler

Do you have any firewall rules loaded?

What does iptables -Ln return?

No iptables rules are loaded

Code:

[root@concord ~]# iptables -Ln
iptables: No chain/target/match by that name
[root@concord ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

kentyler · 02-03-2009, 12:07 PM

Just recently I had a client who was not able to get passive to work and it turned out to be a problem with a route that was missing on the server. Please verify all routes. Also are you able to do passive locally?

If you try ftp localhost will passive work? This would rule out a network issue if it did not.

amb1545 · 02-05-2009, 11:23 AM

Quote:

Originally Posted by kentyler

Just recently I had a client who was not able to get passive to work and it turned out to be a problem with a route that was missing on the server. Please verify all routes. Also are you able to do passive locally?

If you try ftp localhost will passive work? This would rule out a network issue if it did not.

I just tested it and localhost via passive is timing out as well.

kentyler · 02-05-2009, 12:53 PM

Did you try with a default config file? If it times out when you ftp to localhost then there is an issue with vsftpd.