LinuxQuestions.org

VSFTPD Connection Times Out, Then Setting Passive Mode Works, Why? (https://www.linuxquestions.org/questions/linux-newbie-8/vsftpd-connection-times-out-then-setting-passive-mode-works-why-4175558886/)

JockVSJock 11-14-2015 09:16 PM

VSFTPD Connection Times Out, Then Setting Passive Mode Works, Why?
 
I'm testing vsftpd in a VM environment with various versions of RHEL.

I'm trying to log in from a client to a vsftpd server as anonymous, and I can log in; however, when I run ls to list files on the vsftpd server, I continue to get:

Code:

ftp> ls
227 Entering Passive Mode (192,168,122,55,220,105)
ftp: connect: Connection timed out

Not sure why, and Googling around, I find a very helpful thread on Linuxquestions.org:
https://www.linuxquestions.org/quest...nnects-903987/

I do what they recommend:

- open ports on iptables 50000-51000

- in /etc/vsftpd/vsftpd.conf, I add the following:

Code:

pasv_enable=yes
pasv_max_port=51000
pasv_min_port=50000
port_enable=YES
pasv_address=192.168.122.50

I restart vsftpd; however, it tells me there is a binary error. So I go back to that conf file and comment out pasv_enable, port_enable and pasv_address. I restart it and it works. I am able to log in as user anonymous, browse /var/ftp and copy files down to my local server.

The thing is that I'm not understanding the why. This is called passive mode, and when I enable this on iptables, along with making entries under /etc/vsftpd/vsftpd.conf, why does it work?

berndbausch 11-14-2015 11:01 PM

pasv_enable and port_enable are on by default. Most likely, the pasv_address line also reflects the default. So, commenting them out won't change anything.

I do wonder about this binary error. What's the precise error message, and how do you get it?

The reason why ftp failed originally is the firewall blocking the ports used for data transfer. These ports are determined by the vsftpd on the fly, so that it's impossible to predict them and to open them in your firewall. The pasv_min_port and pasv_max_port clauses make them predictable.

A (better?) different way to get through the firewall is not changing the vsftpd config, but adding an iptables rule that uses the ip_conntrack_ftp module, which is able to detect the port the vsftpd sets up for data transfer.

JockVSJock 11-15-2015 08:54 AM

Quote:

Originally Posted by berndbausch (Post 5449825)
pasv_enable and port_enable are on by default. Most likely, the pasv_address line also reflects the default. So, commenting them out won't change anything.

I'm not sure about this. I had to add lines to /etc/vsftpd/vsftpd.conf and then it worked, along with the right iptables entries. How does one know that vsftpd is set to passive?

Quote:

Originally Posted by berndbausch (Post 5449825)
But adding an iptables rule that uses the ip_conntrack_ftp module, which is able to detect the port the vsftpd sets up for data transfer.

A couple of searches found this for setting up passive mode ftp via iptables:

http://blogs.reliablepenguin.com/201...-with-iptables

When I searched /etc/sysconfig/iptables-config, I don't see that entry in the current file.

I've also looked through the various man pages for vsftpd and seen a few other threads here at LinuxQuestions, and to me it seems that the documentation for vsftpd is lacking in some areas.

thanks

berndbausch 11-15-2015 07:14 PM

Quote:

Originally Posted by JockVSJock (Post 5449957)
I'm not sure about this. I had to add lines to /etc/vsftpd/vsftpd.conf and then it worked, along with the right iptables entries. How does one know that vsftpd is set to passive?

RTFM http://linux.die.net/man/5/vsftpd.conf.
Quote:

pasv_enable
Set to NO if you want to disallow the PASV method of obtaining a data connection.
Default: YES
Quote:

Originally Posted by JockVSJock (Post 5449957)
A couple of searched found this for setting up passive mode ftp via iptables:

http://blogs.reliablepenguin.com/201...-with-iptables

When I searched /etc/sysconfig/iptables-config, I don't see that entry in the current file.

It's not in iptables-config because neither you nor Red Hat put it there. By default, Red Hat closes all ports except for the secure shell.

If you don't trust the above link (judging from a superficial glance, it looks correct), perhaps there is documentation at the source - netfilter.org.

Quote:

Originally Posted by JockVSJock (Post 5449957)
I've also looked thru the various man pages for vsftpd and see a few other threads here at Linuxquestions and to me it seems that the documentation for vsftpd seems to be lacking in some areas.

Better raise this to the author https://security.appspot.com/vsftpd.html.
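The two berndbausch posts above (the data port is chosen on the fly, so either pin it with pasv_min_port/pasv_max_port and open that range, or let the FTP connection-tracking helper follow the 227 reply) can be checked against the output in the first post. The following script is an added example, not code from this thread or from the vsftpd project: it decodes a "227 Entering Passive Mode" reply into the host and port the client is about to connect to, tests that port against an assumed range of 50000-51000 (the values from the first post's vsftpd.conf), and prints, without applying, the iptables rules for both fixes. The rule sets, the module name nf_conntrack_ftp (the current name for what the thread calls ip_conntrack_ftp) and the raw-table CT rule are my additions; the 227 line is the one printed by the original poster's client, and it decodes to port 56425, which lies outside 50000-51000 and is exactly why the data connection was dropped before the range was configured.

```bash
#!/bin/bash
# Added example, not code from the thread or from the vsftpd project. It decodes
# the "227 Entering Passive Mode" reply shown in the first post, checks whether
# the advertised data port falls inside the pasv_min_port/pasv_max_port range,
# and prints (does not apply) the two firewall fixes discussed in the thread.

# Assumed to match pasv_min_port / pasv_max_port in /etc/vsftpd/vsftpd.conf.
PASV_MIN=50000
PASV_MAX=51000

# pasv_decode REPLY -> "host port"
# RFC 959 encodes the data endpoint as (h1,h2,h3,h4,p1,p2); port = p1*256 + p2.
pasv_decode() {
    local inside=${1#*\(}            # drop everything up to the "("
    inside=${inside%%\)*}            # and everything from the ")" onwards
    local IFS=,
    set -- $inside                   # split on commas into $1..$6
    [ $# -eq 6 ] || return 1
    [ "$5" -le 255 ] 2>/dev/null && [ "$6" -le 255 ] 2>/dev/null || return 1
    printf '%s %d\n' "$1.$2.$3.$4" $(( $5 * 256 + $6 ))
}

# The address in the reply is what the client will connect to; pasv_address
# overrides it on the server side, which matters when the server sits behind NAT.
pasv_host() { local out; out=$(pasv_decode "$1") || return 1; printf '%s\n' "${out%% *}"; }
pasv_port() { local out; out=$(pasv_decode "$1") || return 1; printf '%s\n' "${out##* }"; }

# in_pasv_range PORT: succeeds only if PORT lies inside the configured range.
in_pasv_range() { [ "$1" -ge "$PASV_MIN" ] && [ "$1" -le "$PASV_MAX" ]; }

# Fix 1 (what the original poster did): pin the passive range in vsftpd.conf
# and open exactly that range plus the control port. Printed, not applied.
static_range_rules() {
    printf '%s\n' \
        "iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT" \
        "iptables -A INPUT -p tcp --dport ${PASV_MIN}:${PASV_MAX} -m conntrack --ctstate NEW -j ACCEPT"
}

# Fix 2 (berndbausch's suggestion): let the FTP conntrack helper parse the 227
# reply and admit the data connection as RELATED, so no port range is needed.
# The raw-table CT rule assigns the helper explicitly; kernels 4.7 and later
# no longer attach helpers automatically. Printed, not applied.
conntrack_rules() {
    printf '%s\n' \
        "modprobe nf_conntrack_ftp" \
        "iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp" \
        "iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT" \
        "iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Constructed input: the reply printed by the client in the first post.
reply='227 Entering Passive Mode (192,168,122,55,220,105)'
host=$(pasv_host "$reply")
port=$(pasv_port "$reply")
if in_pasv_range "$port"; then
    echo "client will connect to $host:$port, inside $PASV_MIN-$PASV_MAX"
else
    echo "client will connect to $host:$port, OUTSIDE $PASV_MIN-$PASV_MAX:" \
         "an ephemeral port the firewall never opened"
fi
echo "--- fix 1: pinned passive range"; static_range_rules
echo "--- fix 2: conntrack helper";     conntrack_rules
```

On RHEL 6 the persistent form of the modprobe line is `IPTABLES_MODULES="nf_conntrack_ftp"` in /etc/sysconfig/iptables-config, the file the original poster looked in and found empty. Two caveats a practitioner would want: the helper only works because it can read the plaintext 227 reply on the control channel, so once ssl_enable=YES is set (FTPS) it sees nothing and the pinned range is the only option; and the helper should be restricted to port 21 as above, since a helper that follows any connection can be abused to open ports on behalf of a client.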

chrism01 11-16-2015 01:08 AM

This is good background reading http://slacksite.com/other/ftp.html

