Old 05-24-2007, 08:33 PM   #1
epoo
Member
 
Registered: Aug 2003
Distribution: slackware 11, ubuntu 7.04
Posts: 165

Rep: Reputation: 30
can connect but not list files - vsftp


I'm using a slackware 11 box, trying to connect from outside my network through my router. I have port 77 on the router forwarded to port 21 on my server, and ports 7777-8000 allowed through the router. In vsftpd.conf I have the 2 lines
Code:
pasv_min_port=7777
pasv_max_port=8000
at the end.
I have tried it with and without my external ip in the "pasv_address=" line.

When I try to connect, it connects and shows me at /home/epoo, but just says "working" when trying to list the files. If I do a netstat -tpan I see:
Code:
tcp        0      0 192.168.0.100:7940      0.0.0.0:*               LISTEN     2157/vsftpd
tcp        0      0 192.168.0.100:7950      0.0.0.0:*               LISTEN     2160/vsftpd
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN     2138/inetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     1581/sshd
tcp        0    300 192.168.0.100:22        165.234.90.3:39175      ESTABLISHED2050/sshd: epoo [p
tcp        0      0 192.168.0.100:21        165.234.90.3:49650      ESTABLISHED2160/vsftpd
I'm connected remotely through ssh, hence the ssh connection.
What am I doing wrong?
 
Old 05-24-2007, 08:41 PM   #2
jeenam
Member
 
Registered: Dec 2006
Distribution: Slackware 11
Posts: 144

Rep: Reputation: 15
Is your ftp client set to PASV mode?
 
Old 05-24-2007, 08:57 PM   #3
epoo
Member
 
Registered: Aug 2003
Distribution: slackware 11, ubuntu 7.04
Posts: 165

Original Poster
Rep: Reputation: 30
Yes. I'm using the fireftp firefox add-on.
Code:
FireFTP 0.96.4 'Loomer', created by Mime Čuvalo
220 (vsFTPd 2.0.5)
       USER epoo
331 Please specify the password.
       PASS (password not shown)
230 Login successful.
       FEAT
211-Features:
EPRT
EPSV
MDTM
PASV
REST STREAM
SIZE
TVFS
211 End
       PWD
257 "/home/epoo"
       TYPE A
200 Switching to ASCII mode.
       PASV
227 Entering Passive Mode (24,111,51,224,31,45)
       LIST
Then it just says "working..." and times out.
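An added example, not part of the original thread: decoding the 227 reply from the log above shows which address and port the client is told to use for the data connection, and whether that port lies inside the configured pasv_min_port/pasv_max_port range. The function names are illustrative, and the sample inputs are constructed from the values posted in this thread.

```python
import ipaddress
import re

# Constructed from the thread: the two vsftpd.conf lines and the server's 227 reply.
VSFTPD_CONF = "pasv_min_port=7777\npasv_max_port=8000\n"
PASV_REPLY = "227 Entering Passive Mode (24,111,51,224,31,45)"


def parse_conf(text):
    """Return vsftpd.conf key=value pairs, ignoring comments and blank lines."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            opts[key] = value
    return opts


def parse_227(reply):
    """Decode '227 ... (h1,h2,h3,h4,p1,p2)' into (address, port) per RFC 959."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or m is None:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    addr = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    # The data port is sent as two bytes: high byte first, then low byte.
    return addr, nums[4] * 256 + nums[5]


def check_pasv(reply, conf_text):
    """Compare the advertised data endpoint with the configured passive range."""
    opts = parse_conf(conf_text)
    lo, hi = int(opts["pasv_min_port"]), int(opts["pasv_max_port"])
    addr, port = parse_227(reply)
    return {
        "address": str(addr),
        "port": port,
        "port_in_range": lo <= port <= hi,
        # A private address here means clients outside the NAT cannot reach it.
        "address_is_private": addr.is_private,
    }


if __name__ == "__main__":
    print(check_pasv(PASV_REPLY, VSFTPD_CONF))
```

For the reply in the log this gives 24.111.51.224:7981, a public address and a port inside 7777-8000.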
 
Old 05-25-2007, 06:04 PM   #4
epoo
Member
 
Registered: Aug 2003
Distribution: slackware 11, ubuntu 7.04
Posts: 165

Original Poster
Rep: Reputation: 30
Anyone else?
 
Old 05-26-2007, 02:23 AM   #5
p_s_shah
Member
 
Registered: Mar 2005
Location: India
Distribution: RHEL 3/4, Solaris 8/9/10, Fedora 4/8, Redhat Linux 9
Posts: 237
Blog Entries: 1

Rep: Reputation: 34
Check this, it may help you.
Link : http://slacksite.com/other/ftp.html

Quote:
From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:

* FTP server's port 21 from anywhere (Client initiates connection)
* FTP server's port 21 to ports > 1023 (Server responds to client's control port)
* FTP server's ports > 1023 from anywhere (Client initiates data connection to random port specified by server)
* FTP server's ports > 1023 to remote ports > 1023 (Server sends ACKs (and data) to client's data port)
If the problem still persists,
1. Remove all restrictions from router and test.
2. Directly route port 21 from router to Server and test.

Update us with your findings.
 
Old 06-05-2007, 01:14 PM   #6
epoo
Member
 
Registered: Aug 2003
Distribution: slackware 11, ubuntu 7.04
Posts: 165

Original Poster
Rep: Reputation: 30
I appreciate your response.
The router's port 77 is forwarded to the server's port 21. The vsftp server setup uses the passive ports 7777-8000, which are forwarded to the server from the router. All ports are allowed to exit from the server to the internet. I just added another rule for 1023-65535 to be allowed to the server, but I'm not sure that will change anything since I already had the passive ports allowed before.
 
Old 06-05-2007, 07:46 PM   #7
epoo
Member
 
Registered: Aug 2003
Distribution: slackware 11, ubuntu 7.04
Posts: 165

Original Poster
Rep: Reputation: 30
Well, it looks like that did it. I thought I would only need to allow 7777-8000, but it didn't work until I allowed 1023-65535.

Now another question. Isn't it terribly insecure to forward all those ports to my server? Is there a way to set up iptables to only allow the connection to the ftp server, or do I have to allow all those ports?
 
Old 06-07-2007, 09:43 AM   #8
jeenam
Member
 
Registered: Dec 2006
Distribution: Slackware 11
Posts: 144

Rep: Reputation: 15
Seems the pasv port range of 7777-8000 is not being allowed through your router properly. The pasv_min and pasv_max settings do work properly and I have configured numerous ftp servers using that configuration. Is iptables configured on the ftp server? Perhaps the ports need to be allowed by iptables.

Try adding these to your configuration as well:

pasv_addr_resolve=YES
pasv_address=any.address.you.like
pasv_promiscuous=YES

Last edited by jeenam; 06-07-2007 at 09:52 AM.
 
  

