vsftp server handling both active and passive connections

johngaz · 05-01-2013, 01:24 PM

I have what I think is a very basic question but I cannot find a definite answer. I have a server that needs to be able to handle any type of FTP user active or passive and sftp I have sftp working and either active or passive not both. I am using vsftp but would be willing to change if I need different ftp version. I am running suse 11 sp2 I can connect with either passive or active depending on my configuration file, so is thers a ftp server taht can handle both a active and passive connection?

Z038 · 05-01-2013, 02:17 PM

vsftp supports both active and passive modes. The default for the pasv_enable configuration file directive is YES. If you specify NO, then vsftpd is forced to active mode only.

johngaz · 05-01-2013, 02:53 PM

Thanks for the quick response but if I comment out the pasv_enable or set it to YES I cannot get ACTIVE to work it will only respond to PASSIVE request If I set it to NO only active works. So it sounds like what you are saying is if I have PASV_ENABLE set to YES I should be able to either passive or active connections which I do not seem to be able to accomplish.

Z038 · 05-01-2013, 03:22 PM

Yes, I'm saying that pasv_enable=YES (the default value for this parameter) should allow your vsftp server to support both active and passive mode.

I just tested it and both passive and active modes work correctly on my vsftp server. When I connect to my server from another system, it starts out in active mode. If I enter a command, it tells me to consider using PASV.

Code:

ftp> ls -al
200 PORT command successful.  Consider using PASV.
150 Here comes the directory listing.
  (directory listing displayed here)

ftp> passive
Passive mode on.
ftp> ls -al
227 Entering Passive Mode (192.168.1.15,117,146).
150 Here comes the directory listing.
  (directory listing displayed here)

ftp>

johngaz · 05-01-2013, 04:20 PM

Just wondering what happens when you try to get or put a file?

Z038 · 05-01-2013, 05:20 PM

Here is a get for a file on the server, first in active mode, then in passive mode.

Code:

me@home7:/home/me$ ftp ftpsrv1
Connected to ftpsrv1.home.com.
220-Private FTP server - unauthorized access prohibited
220
Name (ftpsrv1:me):
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
ftp> cd ftp
250 Directory successfully changed.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-------    1 1000     104            10 May 01 16:59 a.file
226 Directory send OK.
ftp>
ftp> get a.file
local: a.file remote: a.file
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for a.file (10 bytes).
226 Transfer complete.
10 bytes received in 7.4e-05 secs (1.3e+02 Kbytes/sec)
ftp>
ftp>
ftp> passive
Passive mode on.
ftp> get a.file
local: a.file remote: a.file
227 Entering Passive Mode (192,168,1,15,117,144).
150 Opening BINARY mode data connection for a.file (10 bytes).
226 Transfer complete.
10 bytes received in 0.000708 secs (14 Kbytes/sec)
ftp>

As you can see, the get worked in both active and passive modes.

Are your clients Windows, *nix, Mac, or something else?

Have you set up your firewall to allow incoming connections to your server on port 21?

For active mode, does the firewall on your client systems allow the server to open a connection to port 20 on the client?

Do you have these directives in your config file? You might have different min/max port range.

Code:

connect_from_port_20=YES
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=30099

Did you open up your firewall for those ports too?

Code:

iptables -I INPUT -p tcp --destination-port 30000:30099 -j ACCEPT

Can you post your vsftpd.conf file?

johngaz · 05-06-2013, 08:59 PM

Thanks again
looking at your vsftpd.conf file I have my setting set up on the server I have opened the ports on the firewall to allow traffic. I am testing with a ftp from the Windows command line. I have tried from different ISP's but still seem to have the issue.I think the problem may be in my firewall not sending the proper IP address back from the server. Since I know it should work I will look closer at my firewall settings thanks again