i am having an issue connecting to my ftp from the outside world. i am running pure-ftpd if i use the internal ip 192.xxx.x.xxx i connect right away. if i use the site url i can not connect. i have checked and i have port 20-23 forwarded to the server. i really dont know what to do to fix this.

this is what i get when i try to log in through filezilla
Status: Resolving address of mysite.com
Status: Connecting to xx.xxx.xxx.52:21...
Status: Connection established, waiting for welcome message...
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 5 of 50 allowed.
Response: 220-Local time is now 15:53. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: USER aqua
Response: 331 User aqua OK. Password required
Command: PASS **********
Response: 230 OK. Current restricted directory is /
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Extensions supported:
Response: EPRT
Response: IDLE
Response: MDTM
Response: SIZE
Response: MFMT
Response: REST STREAM
Response: MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response: MLSD
Response: AUTH TLS
Response: PBSZ
Response: PROT
Response: UTF8
Response: ESTA
Response: PASV
Response: EPSV
Response: SPSV
Response: ESTP
Response: 211 End.
Command: OPTS UTF8 ON
Response: 200 OK, UTF-8 enabled
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (73,226,196,52,195,128)
Command: MLSD
Error: Connection timed out
Error: Failed to retrieve directory listing

and this is the output of netstat -tap

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:ssh *:* LISTEN 1029/sshd
tcp 0 0 *:smtp *:* LISTEN 1724/master
tcp 0 0 localhost:953 *:* LISTEN 1031/named
tcp 0 0 192.168.1.104:59327 *:* LISTEN 20409/pure-ftpd (ID
tcp 0 0 localhost:10023 *:* LISTEN 1290/postgrey.pid -
tcp 0 0 192.168.1.104:41384 *:* LISTEN 25971/pure-ftpd (ID
tcp 0 0 localhost:10024 *:* LISTEN 1478/amavisd-new (m
tcp 0 0 localhost:9000 *:* LISTEN 1027/php-fpm.conf)
tcp 0 0 localhost:10025 *:* LISTEN 1724/master
tcp 0 0 192.168.1.104:59050 *:* LISTEN 20019/pure-ftpd (ID
tcp 0 0 localhost:10026 *:* LISTEN 1478/amavisd-new (m
tcp 0 0 localhost:10027 *:* LISTEN 1724/master
tcp 0 0 localhost:11211 *:* LISTEN 1034/memcached
tcp 0 0 *:webmin *:* LISTEN 32392/perl
tcp 0 0 *:urd *:* LISTEN 1724/master
tcp 0 0 *:ftp *:* LISTEN 7516/pure-ftpd (SER
tcp 0 0 192.168.1.104:domain *:* LISTEN 1031/named
tcp 0 0 localhost:domain *:* LISTEN 1031/named
tcp 1 0 192.168.1.104:ftp c-73-226-196-52.h:51106 CLOSE_WAIT 20019/pure-ftpd (ID
tcp 0 248 192.168.1.104:ssh c-73-226-196-52.h:51511 ESTABLISHED 26786/sshd: kwick [
tcp 0 0 192.168.1.104:ssh c-73-226-196-52.h:50308 ESTABLISHED 24998/sshd: kwick [
tcp 1 0 192.168.1.104:ftp c-73-226-196-52.h:51206 CLOSE_WAIT 25971/pure-ftpd (ID
tcp 1 0 192.168.1.104:ftp c-73-226-196-52.h:51128 CLOSE_WAIT 20409/pure-ftpd (ID
tcp6 0 0 [::]:ssh [::]:* LISTEN 1029/sshd
tcp6 0 0 [::]:smtp [::]:* LISTEN 1724/master
tcp6 0 0 localhost:953 [::]:* LISTEN 1031/named
tcp6 0 0 [::]:https [::]:* LISTEN 6316/apache2
tcp6 0 0 localhost:10023 [::]:* LISTEN 1290/postgrey.pid -
tcp6 0 0 localhost:10024 [::]:* LISTEN 1478/amavisd-new (m
tcp6 0 0 localhost:10026 [::]:* LISTEN 1478/amavisd-new (m
tcp6 0 0 [::]:mysql [::]:* LISTEN 1381/mysqld
tcp6 0 0 [::]:webmin [::]:* LISTEN 32392/perl
tcp6 0 0 [::]:http [::]:* LISTEN 6316/apache2
tcp6 0 0 [::]:tproxy [::]:* LISTEN 6316/apache2
tcp6 0 0 [::]:urd [::]:* LISTEN 1724/master
tcp6 0 0 [::]:8181 [::]:* LISTEN 6316/apache2
tcp6 0 0 [::]:ftp [::]:* LISTEN 7516/pure-ftpd (SER
tcp6 0 0 [::]:domain [::]:* LISTEN 1031/named
tcp6 0 0 192.168.1.104:8181 c-73-226-196-52.h:51520 ESTABLISHED 16136/apache2

You are connected but the problem is due to the router's firewall blocking the ephemeral ports. There is lots of information on how FTP passive/active modes work but in a nutshell FTP uses multiple ports. In passive mode they are randomly assigned unused ports > 1023.

If the server is running a firewall iptables can track the random ports but the router can not. You need to assign a range to be used by pure-ftpd and then open those ports in the router.

This assigns the port range 30000-50000. Ports are numbered 0 - 65535 and I think the default ephemeral range defined by the kernel is 32768 through 61000. You need two ports per connection.

However the better question is why are you using FTP from the outside world. Using sftp would be better.

1 members found this post helpful.

sorry i should have posted this i had added ports as follows

echo "40110 40210" > /etc/pure-ftpd/conf/PassivePortRange
/etc/init.d/pure-ftpd-mysql restart

then forwarded in router and also added to firewall 20,21,22,25,53,80,110,143,443,3306,8080,10000,40110:40210

so do you think i need to expand the port range?

You should not have to expand the range. You restarted pure-ftpd and it still isn't working... Have you tried active mode?

1 members found this post helpful.

no i have not not sure how to do that.

thanks for the reply


kwick

ok i seen how to force active in filezilla and this is what i am getting now

Status: Resolving address of mysite.com
Status: Connecting to xx.xxx.xxx.xx:21...
Status: Connection established, waiting for welcome message...
Response: 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response: 220-You are user number 1 of 50 allowed.
Response: 220-Local time is now 19:52. Server port: 21.
Response: 220-This is a private system - No anonymous login
Response: 220-IPv6 connections are also welcome on this server.
Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: USER aquameds
Response: 331 User aqua OK. Password required
Command: PASS **********
Response: 230 OK. Current restricted directory is /
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Extensions supported:
Response: EPRT
Response: IDLE
Response: MDTM
Response: SIZE
Response: MFMT
Response: REST STREAM
Response: MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response: MLSD
Response: AUTH TLS
Response: PBSZ
Response: PROT
Response: UTF8
Response: ESTA
Response: PASV
Response: EPSV
Response: SPSV
Response: ESTP
Response: 211 End.
Command: OPTS UTF8 ON
Response: 200 OK, UTF-8 enabled
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PORT 192,168,1,109,229,205
Response: 200 PORT command successful
Command: MLSD
Response: 425 Could not open data connection to port 50059: Connection refused
Error: Failed to retrieve directory listing

Was the posted log before or after you added the passive port range? It shows ports being used outside the range.

1 members found this post helpful.

i changed the transfer settings to active after i added the passive port range

I would try to start the server from the command line versus the start script and specify the port range to see if that works. Assuming you can figure all the other necessary options.

-p --passiveportrange <minport:maxport>

1 members found this post helpful.

thank you for all your help. i went into the router and deleted the ftp info i had added then i restarted the router. then i reran

echo "40110 40210" > /etc/pure-ftpd/conf/PassivePortRange
/etc/init.d/pure-ftpd-mysql restart


then added this port range back in the forwarding and now it all works. maybe the router was not making the changes

thank you once again

Glad it worked. I was running out of ideas...

2 members found this post helpful.

Interesting discussion! Just FYI for future problems, I'm finding that my AT&T Uverse installation doesn't require specific opening of a passive-port block. I have to maintain a private FTP server for folk to upload huge database files to me for recovery, and use proftpd for it. I have the server locked down as tight as I can achieve, and use passive mode. When opening a pinhole in the AT&T-supplied "gateway" I only tell it the type and model of server I run, and it Just Works.

Incidentally, when I had port 25 open to the world for my postfix installation, I was averaging around 1,000 invasion attempts per day (all blocked by my internal firewalling). I recently had to reset the gateway and consequently reconfigure its pinholes; it now only allows FTP and the only connections to my local mail server are the two I get from my LAN! Unless they are really necessary I'd recommend that kwikcut leave 22 and 25 blocked at the router!

1 members found this post helpful.