LinuxQuestions.org
Old 07-10-2007, 01:43 AM   #1
lawrence_lee_lee
Member
 
Registered: May 2007
Posts: 141

Rep: Reputation: 16
About the ftp daemon vsftpd


I have two questions about vsftpd.

The default ftp port is 21 (and also 20 for data transfer?), I would like to change it to, say 10021. Therefore, in the vsftpd.conf file, I write:

listen=YES
listen_port=10021

Using this config, I start vsftpd. When using local login, everything is fine. But when I log in from another computer, problems happened: it DID prompt me for user name and password, but when I entered them correctly, the connection was lost. But when I configured vsftpd to use port 21, the problem did not occur. I am very sure that I had my firewall opened at those ports. Therefore I suspect that the problem is due to the setting of the alternate port. What should I do?

The 2nd question is about virtual user management. According to the example that comes with the package, I can add an account, say, called "virtual" and map any virtual user login to that user "virtual". Then these users will have certain access permissions to certain directories, say, "/home/ftpsite". But this means that all virtual user logins will share that directory. Can I have different virtual users having access to different directories?

Thanks very much in advance!
 
Old 07-10-2007, 02:52 AM   #2
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
About 1st question:
So you can connect to port 10021, but the connection is dropped too fast, right? If no firewall is blocking the access, maybe it's just a time-out. So please check:
* Do you use keep-alive messages to keep the connections open?
* Do you use passive mode FTP? If not, then why do you insist on using an unprivileged port (>1024) for the control connections?
* Have you considered the "run_as_launching_user" option?

About your 2nd question: I actually have different virtual users. One for downloading data (no write), another for uploading to a specific directory, etc.
The trick is to have not only virtual users enabled (really easy to set up using PAM modules), but also to take benefit of the user-specific configuration option ("user_config_dir" option).
You can then do all kinds of useful tricks, like mapping virtual users to different real ones, combining real & virtual users, playing with the permissions per user,...
Additionally, the "user_sub_token" option can also help you create home directories for specific users, if you want to use a specified pattern as explained in "man vsftpd.conf".
 
Old 07-10-2007, 03:54 AM   #3
fayez
Member
 
Registered: Aug 2004
Location: Amman
Distribution: Red Hat
Posts: 50

Rep: Reputation: 15
About the first question, you cannot change the port of the ftp service, because the client will connect by default to port 21.

If you change it to for example 10021, you have to change the client behavior which means to rewrite the client code again.
 
Old 07-10-2007, 08:30 PM   #4
lawrence_lee_lee
Member
 
Registered: May 2007
Posts: 141

Original Poster
Rep: Reputation: 16
Still some questions on vsftpd

Thanks for all you said! They are useful indeed!

But I still have 2 questions.

The first one is that I don't understand how to "map different virtual users to real users". In my understanding, when I specify:
guest_username=virtual
I've mapped all different virtual users (say tom and fred) into the real user virtual. Even if I add
user_config_dir=/etc/vsftpd_user_conf
I can manipulate their individual conf files, but they are still corresponding to the single real user, virtual. So how can I map different virtual users to real ones?

The 2nd question is a much more important one. Now I have two virtual users, tom and fred, mapped to virtual. In the /etc/vsftpd.conf, I added,
user_sub_token=$USER
and in their individual conf files (/etc/vsftpd_user_conf/tom etc), I added,
local_root=/home/ftpsite/$USER
So, now tom and fred have their root in, respectively,
/home/ftpsite/tom &
/home/ftpsite/fred
Now my question is, if I want, within both of these two directories, a link to a particular folder (say, /home/pub) where they can download stuff but not upload there, what should I do? I tried to make a symbolic link in each of the virtual users' home directory to that /home/pub, but I cannot gain access to the directory through that symlink.

What should I do?
 
Old 07-12-2007, 02:41 AM   #5
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
For the first question: try putting the guest_username= line in both tom's and fred's config files, rather than the overall vsftpd config. By assigning two different guest_username values in each config, you'll be mapping tom to one real user and fred to another.

For the second: there's no need to put the local_root parameter in tom's and fred's config files separately, as the values are the same for both.
You could also match them to 2 different real users with appropriate home directories, but I don't recommend that, as it somewhat bypasses the point of having virtual users.
For using the link, you should make sure that:
1. the real user that tom/fred are matched to has the possibility to access the directory. This means that this user must have at least read and execute permission on all directories in the path that the symlink points to. So, if the link points to let's say /home/pub, the real user must have at least rx permission to /, /home and /home/pub. You can use "ls -ld / /home/ /home/pub" to check that.
2. I'm not sure if it's possible to restrict vsftpd to permit only downloads from a specific directory. It would probably be safer to make sure that the real user that tom/fred are mapped to does NOT have write permission on the dir that the symlink points to (i.e. /home/pub).
3. If you have chroot enabled, the chroot jail will prevent the link to /home/pub from working. If you want to keep the chroot jails for safety and still have the shared "pub" directory, you should either use hard links instead of symbolic ones or use "mount --bind" (but the latter requires that you put the "pub" dir on a separate partition).

Just a minor note: /home is for users' home directories. So a shared directory like "pub" shouldn't be in there (imagine you ever want to create a user called "pub"). So I recommend to use a different path.
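
The permission checks from points 1 and 2 of the last reply, written out as a script. This is an added example, not code posted by anyone in the thread; it assumes the real user behind the virtual accounts is neither owner nor group member of the directories (so the "other" permission bits decide), and the function names are made up for illustration.

```shell
#!/bin/sh
# Audit a shared download directory for a vsftpd guest user.
# Assumption: the guest's real account falls under the "other" permission
# class on every directory checked; ACLs are not evaluated.

# Print the three "other" permission characters of a directory, e.g. "r-x".
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# first_blocked TARGET [TOP]
# Walk from TOP (default /) down to TARGET and print the first directory
# that "other" cannot both read and search. Prints nothing if none is found.
first_blocked() {
    target=$1; top=${2:-/}; dir=$target; chain=
    while :; do
        chain="$dir
$chain"
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then break; fi
        dir=$(dirname "$dir")
    done
    printf '%s' "$chain" | while IFS= read -r d; do
        case $(other_bits "$d") in
            r?[xt]) ;;                      # r and x (or sticky+x) present
            *) printf '%s\n' "$d"; break ;;
        esac
    done
}

# Succeeds if "other" may write to the directory (uploads would be possible).
writable_by_other() {
    case $(other_bits "$1") in ?w?) return 0 ;; *) return 1 ;; esac
}

# audit_shared TARGET [TOP] prints one verdict line:
#   BLOCKED <dir>   a path component lacks read/search permission
#   WRITABLE <dir>  the target is reachable but also writable
#   OK              reachable and read-only for "other"
audit_shared() {
    blocked=$(first_blocked "$1" "${2:-/}")
    if [ -n "$blocked" ]; then echo "BLOCKED $blocked"
    elif writable_by_other "$1"; then echo "WRITABLE $1"
    else echo "OK"; fi
}
```

Call it as `audit_shared /home/pub` with an absolute path and no trailing slash; the optional second argument limits the walk to a subtree.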
 
  

