Resolve Passive FTP Data Port Problems

Configure Passive FTP Server with VSFTP

Firewalls that protect the workstation clients behind them make it nearly impossible to use active FTP for transferring files, because the firewall will not allow the server to initiate the data connection back to the client. Typically, the connection defaults to passive FTP to transfer the files. Passive FTP has the benefit of letting the client initiate all of the connections, which lets it work better through firewalls. Typically, passive FTP resolves the problem, but sometimes it doesn't. In these cases, it can require some configuration to get it working properly. Our example today uses vsftpd, which you can easily install (yum install vsftpd), and will help you resolve passive FTP data port problems.

How to Determine if You Have a Problem with the FTP Data Port

To determine whether you have a problem with the FTP data port, log in to the FTP server and run the "ls" command. If the command hangs and never returns, you can be sure that you have a problem with the FTP data port. The symptom is that the command (control) port works while the data port does not.

$ ftp ftp.uptimemadeeasy.com
Connected to uptimemadeeasy.com.
220 (vsFTPd 2.2.2)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (ftp.uptimemadeeasy.com:mary): mary
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,241,213,28,36,33).
ftp: connect: Connection timed out

Why Does FTP Hang on LS?

In the example above, the "ls" command times out and never returns because the client cannot connect to the passive FTP data port the server announced in its 227 reply. Luckily, we can fix the passive FTP data port problem pretty easily.
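The 227 reply in the transcript encodes the data port the server expects the client to connect to: the last two numbers are p1 and p2, and the port is p1 * 256 + p2. The following diagnostic script is an added example, not part of the original post. It decodes the reply, checks whether the announced port falls inside the high range configured later in this post, and, when given a server and credentials on the command line, logs in, sends PASV and attempts a plain TCP connection to the announced data port, which separates "control port works, data port blocked" from a dead server. The server name, user and password are assumed to come from the command line; the sample replies are the two 227 lines from this page.

```python
import socket
import sys
from ftplib import FTP

# The two 227 replies from the transcripts on this page, kept here as sample input.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,241,213,28,36,33).",
    "227 Entering Passive Mode (192,241,213,28,232,203).",
]


def parse_pasv_reply(reply):
    """Return (host, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply.

    The host is the first four numbers as a dotted quad; the port is p1 * 256 + p2.
    """
    start, end = reply.find("("), reply.find(")")
    if start < 0 or end < start:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    fields = [int(x) for x in reply[start + 1:end].split(",")]
    if len(fields) != 6:
        raise ValueError("expected six comma-separated numbers in %r" % reply)
    host = ".".join(str(o) for o in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def in_configured_range(port, lo=49152, hi=65534):
    """True if the announced port lies inside the pasv_min_port..pasv_max_port range
    the firewall is expected to allow (defaults are the values used in this post)."""
    return lo <= port <= hi


def data_port_reachable(host, port, timeout=5.0):
    """Plain TCP connect to the announced data port; False on refusal or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(server, user, password, timeout=5.0):
    """Log in over the control connection, request PASV and test the announced data port.

    A successful login with data_ok False is exactly the hanging-'ls' symptom.
    """
    ftp = FTP()
    try:
        ftp.connect(server, 21, timeout=timeout)
        ftp.login(user, password)
        reply = ftp.sendcmd("PASV")  # raw reply, so we see the address the server advertises
        host, port = parse_pasv_reply(reply)
        ok = data_port_reachable(host, port, timeout)
    finally:
        ftp.close()
    return {"data_host": host, "data_port": port, "data_ok": ok}


if __name__ == "__main__":
    for r in SAMPLE_REPLIES:
        h, p = parse_pasv_reply(r)
        print("%s -> %s:%d, in configured range: %s" % (r, h, p, in_configured_range(p)))
    if len(sys.argv) == 4:  # pasv_check.py SERVER USER PASSWORD (hypothetical file name)
        print(diagnose(sys.argv[1], sys.argv[2], sys.argv[3]))
```

Run with no arguments to decode the two sample replies: the first transcript's port works out to 9249, outside any high range you would have opened, while the post-fix transcript announces 59595, inside 49152-65534. A connection timeout from data_port_reachable usually means a firewall is silently dropping the data connection; an immediate refusal means nothing is listening on that port.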

Defining a Passive FTP Port Range

All FTP configuration in vsftpd is done in /etc/vsftpd/vsftpd.conf. We can pin the passive data ports to a known range by setting pasv_min_port and pasv_max_port: add the following lines to the file, using the high port values you want as the lower and upper boundaries:

pasv_min_port=49152
pasv_max_port=65534

Additionally, you will want to enable the "ip_conntrack_ftp" module in your FTP server's iptables configuration, so that the firewall tracks the data connection belonging to each FTP session. You can enable ip_conntrack_ftp by editing the /etc/sysconfig/iptables-config file:

# Space separated list of nat helpers (e.g. 'ip_nat_ftp ip_nat_irc'), which
# are loaded after the firewall rules are applied. Options for the helpers are
# stored in /etc/modprobe.conf.
IPTABLES_MODULES="ip_conntrack_ftp"

Now, restart the iptables and vsftpd services:

# service vsftpd restart
Shutting down vsftpd:                                      [  OK  ]
Starting vsftpd for vsftpd:                                [  OK  ]
# service iptables restart
iptables: Flushing firewall rules:                         [  OK  ]
iptables: Setting chains to policy ACCEPT: filter          [  OK  ]
iptables: Unloading modules:                               [  OK  ]
iptables: Applying firewall rules:                         [  OK  ]
iptables: Loading additional modules: ip_conntrack_ftp     [  OK  ]
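Before restarting the services it is worth checking that both edits above actually took, since a typo in either file reproduces the original hang. The following audit script is an added example, not part of the original post: it parses a vsftpd.conf and an iptables-config as KEY=VALUE files, confirms that pasv_min_port and pasv_max_port form a sane range, and confirms that IPTABLES_MODULES loads the FTP connection-tracking helper. The two sample files are constructed to match the settings used in this post; the file paths are only defaults for when the script is run on a real host. It also accepts nf_conntrack_ftp, the name the same helper carries on newer kernels.

```python
import sys

# Constructed sample of /etc/vsftpd/vsftpd.conf as this post leaves it.
SAMPLE_VSFTPD_CONF = """\
# vsftpd.conf (constructed sample)
anonymous_enable=NO
local_enable=YES
pasv_enable=YES
pasv_min_port=49152
pasv_max_port=65534
"""

# Constructed sample of /etc/sysconfig/iptables-config as this post leaves it.
SAMPLE_IPTABLES_CONFIG = """\
# /etc/sysconfig/iptables-config (constructed sample)
IPTABLES_MODULES="ip_conntrack_ftp"
IPTABLES_SAVE_ON_STOP="no"
"""

# Either spelling loads the FTP helper; nf_conntrack_ftp is the newer kernel name.
FTP_HELPERS = ("ip_conntrack_ftp", "nf_conntrack_ftp")


def parse_kv(text):
    """Parse KEY=VALUE lines, skipping blanks and comments; surrounding quotes are dropped."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("\"'")
    return values


def audit_vsftpd(conf_text):
    """Return a list of problems with the passive port range; empty means the range is usable."""
    cfg = parse_kv(conf_text)
    problems = []
    if cfg.get("pasv_enable", "YES").upper() == "NO":
        problems.append("pasv_enable=NO: passive mode is disabled")
    lo, hi = cfg.get("pasv_min_port"), cfg.get("pasv_max_port")
    if lo is None or hi is None:
        problems.append("pasv_min_port/pasv_max_port not set: data port is unpredictable, so it cannot be firewalled")
        return problems
    if not (lo.isdigit() and hi.isdigit()):
        problems.append("pasv_min_port/pasv_max_port must be integers")
        return problems
    lo, hi = int(lo), int(hi)
    if lo > hi:
        problems.append("pasv_min_port (%d) is greater than pasv_max_port (%d)" % (lo, hi))
    if lo < 1024 or hi > 65535:
        problems.append("range %d-%d is outside the unprivileged range 1024-65535" % (lo, hi))
    return problems


def audit_iptables_config(text):
    """Return a list of problems with the helper-module line; empty means the FTP helper loads."""
    modules = parse_kv(text).get("IPTABLES_MODULES", "").split()
    if not any(m in FTP_HELPERS for m in modules):
        return ["IPTABLES_MODULES does not load the FTP connection-tracking helper (ip_conntrack_ftp)"]
    return []


def audit_files(vsftpd_path, iptables_path):
    """Audit the two real files; returns the combined list of problems."""
    with open(vsftpd_path) as f:
        problems = audit_vsftpd(f.read())
    with open(iptables_path) as f:
        problems += audit_iptables_config(f.read())
    return problems


if __name__ == "__main__":
    if len(sys.argv) == 3:
        found = audit_files(sys.argv[1], sys.argv[2])
    else:  # no paths given: audit the constructed samples
        found = audit_vsftpd(SAMPLE_VSFTPD_CONF) + audit_iptables_config(SAMPLE_IPTABLES_CONFIG)
    for p in found:
        print("PROBLEM:", p)
    print("OK" if not found else "%d problem(s)" % len(found))
```

On the server, run it as `python3 audit_ftp.py /etc/vsftpd/vsftpd.conf /etc/sysconfig/iptables-config` (hypothetical file name); an empty problem list means the range and the helper are set, and the restart below should bring both into effect. The range check does not know what your firewall actually permits, so make sure the same 49152-65534 range is opened in the rules that iptables applies.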

That should resolve the problem.  Let’s try to execute the “ls” command again:

$ ftp uptimemadeeasy.com
Connected to uptimemadeeasy.com.
220 (vsFTPd 2.2.2)
530 Please login with USER and PASS.
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (uptimemadeeasy.com:mary): mary
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,241,213,28,232,203).
150 Here comes the directory listing.
-rw-r--r--    1 500      500        789218 Aug 10 14:37 file1.txt
-rw-r--r--    1 500      500       2738873 Aug 25 02:23 file2.txt
-rw-r--r--    1 500      500        702726 Aug 10 14:37 file3.txt
-rw-r--r--    1 500      500        510331 Aug 10 14:37 file4.txt
226 Directory send OK.
ftp>

The “ls” command worked this time and the listing returned without issue.  Problem solved!

Jeff Staten has 20 years of professional IT experience, having done nearly everything in his roles of IT consultant, Systems Integrator, Systems Engineer, CNOC Engineer, Systems Administrator, Network Systems Administrator, and IT Director. If there is one thing he knows for sure, it is that there is always a simple answer to every IT problem and that downtime begins with complexity. Seasoned IT professional by day, Jeff hopes to help other IT professionals by blogging about his experiences at night on his blog: http://uptimemadeeasy.com. You can find Jeff on LinkedIn or Twitter.