[SOLVED] Vsftpd: why the passive port range is not followed?

camerabambai · 03-25-2024, 05:46 AM

I configure vsftpd for passive mode

Code:

    listen=YES
    log_ftp_protocol=YES
    pasv_enable=YES
    pasv_address=192.168.0.2
    pasv_min_port=10090
    pasv_max_port=10100

It works but use random ports!

Look output of ss during transfer

Code:

tcp   ESTAB     0      0                            192.168.0.2:33150     192.168.0.2:21    users:(("ncftp",pid=14411,fd=4)) timer:(keepalive,119min,0) uid:1000 ino:236010 sk:400b cgroup:unreachable:1 <->    
    tcp   ESTAB     0      0                            192.168.0.2:44985     192.168.0.2:20    users:(("ncftp",pid=14411,fd=7)) timer:(keepalive,119min,0) uid:1000 ino:246607 sk:4011 cgroup:unreachable:1 <->

this is ok..without firewall, with firewall and redirect port for nat is a serious problem
Why vsftpd use random ports?

I have tried

Code:

    listen_ipv6=NO

and disable pasv_address option. But nothing

This is the complete configuration, actually

Code:

 anonymous_enable=YES
    connect_from_port_20=NO
    dirmessage_enable=YES
    ftpd_banner=Welcome
    listen=YES
    listen_ipv6=NO
    local_umask=022
    log_ftp_protocol=YES
    ls_recurse_enable=YES
    pasv_address=192.168.0.2
    pasv_enable=YES
    pasv_max_port=10100
    pasv_min_port=10090
    seccomp_sandbox=NO
    xferlog_enable=YES
    xferlog_file=/var/log/vsftpd.log
    xferlog_std_format=YES

Petri Kaukasoina · 03-25-2024, 07:10 AM

In your example the client (ncftp) starts an active ftp connection and it uses random high source ports to initiate the connections. The random port numbers are at the client end and 20 and 21 at the server end.

But you can always 'set passive on' at the ncftp prompt to use a passive data connection.

'pasv_enable=YES' is the default for vsftpd, and it only allows passive, it does not enforce it. The client can initiate either passive or active data connection.

camerabambai · 03-25-2024, 07:38 AM

Thanks, was client problem