Allowing Passive and Active FTP Connection
 

I've set up a server purely for FTP, and let it for my staff to use. Only when they complain they can't connect then i realise.. there's a difference between passive and active... their ftp client (FileZilla) defaults to passive, which somehow it seems to be waiting for something - can't connect.

Setting it to active solve all issue. I read abit abt it... but so far.. the one way which i did was to shutoff iptables...

I don suppose allowing passive/active connection is anything to do with vsftpd.conf.. cos i did try the online reference on setting the parameters (with the port range etc etc) and it didn't work at all. Only after I shut off the iptables then it did...

so I suppose I need to open some/certain ports in ip tables for it to work.. but what...

any guys can advice?

Many thanks

Normal FTP is active. Client opens port 21 to server for FTP control, server then intructs client to open a dynamic listening port which the server then connects into for data. So you end up with an incomming session into the client. Obviously most firewalls won't allow this by default and its almost impossible to set up rules because the listening port is dynamic so your firewall would have to be able to keep state information on FTP sessions which most won't.

Passive FTP was introduced as the fix. Here the server opens a dynamic listening port for data and tells the client to open a second session in. So both sessions are client to server oriented and therefore the firewall protecting the client doesn't need to do anything special.

The firewall protecting the server however needs to be aware that the FTP server may be listening on any port for data sessions and so need to allow incomming connections to any port on. Unless the firewall is intelligent enough to see what port the ftp session on port 21 has negotiated which I doubt iptables are.

No need to shut off iptables. Just run this somewhere (like your rc.local script):
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack

And you should be good after that.

I stand corrected, it is clever enough, cool :)

i shut off iptables and both worked flawlessly...

what does the 2 command do?

*argh double post.. how to delete .. :p

To be simple, theose 2 commands turn on the ip connection tracking modules. The FTP connection is made, and those modules allow the passive ports to be utilized.

So I run them to allow passive mode... active mode will still be available right?

How about disabling it.. should I need to disable passive mode, do I run the same commands again?

Just curious: Is there ways to let the server ONLY accept passive mode and not active mode?

What is the prefered/recommended mode of connection for a standard ftp server?

Many thanks, and Merry Christmas!