vsftp over internet



RobinQi
24th September 2008, 06:49 PM
Hi! I just finished installing Fedora 9, everything looks good except I can't ftp to my server over the internet. Can someone help?

I have following setting in my vsftpd.conf:

listen_port=5000
ftp_data_port=5001
pasv_promiscuous=YES

Both port 5000 and 5001 are open in my firewall on the fedora server
Both port 5000 and 5001 are open in my firewall on my router
SELinux is disabled.

I can connect from another PC sitting on the same subnet, and everything works. But when I connect from my office to the server (which sits in my home), I can log on successfully, but when I do "ls" or try to download a file, it times out. I think I know what the problem is, but I am not sure how to solve it:

From my ftp client, it prints following message:
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode (192,168,1,106,220,69).

So clearly it was using passive mode. But two questions here:
1 Why would the server pass 192,168,1,106? This is the ip address of my fedora server, it is (of course) not visible from outside of my home.
2 Why would it use port 220 x 256 + 69 = 56389 as data port? This is a random port, my router is definitely going to block any connections from outside to this port. I've already configured the vsftpd.conf to use port 5001, but it didn't seem to take effect.

Any suggestions are welcome!

briantan
24th September 2008, 07:01 PM
To restrict the passive port range, use these two parameters. Default 0-65535. E.g. for a range of 65000-65100:


pasv_min_port=65001
pasv_max_port=65100

You can then open firewall for these port range only.

That 5001 is for active data port.

EDIT: you can set pasv_min_port the same as pasv_max_port. Then only 1 port needs to be opened (this also limits simultaneous access to one, I think).

RobinQi
24th September 2008, 07:39 PM
Thanks briantan. That solved my 2nd issue; now vsftpd passes me back the exact port I wanted it to. But I still get a timeout. I guess the 1st issue remains: it still passes back a local IP address, 192.168.1.106, which is not visible from the internet. Is there a config to change that?

briantan
24th September 2008, 08:45 PM
Thanks briantan. That solved my 2nd issue; now vsftpd passes me back the exact port I wanted it to. But I still get a timeout. I guess the 1st issue remains: it still passes back a local IP address, 192.168.1.106, which is not visible from the internet. Is there a config to change that?
Should not matter. What you need is for router to forward the passive port(s), and for iptables to accept the port(s).

Also, try setting the default "pasv_promiscuous=NO".

EDIT: Works for me :)

Wed Sep 24 15:43:20 2008 [pid 7733] [briantan] FTP response: Client "212.34.56.78", "227 Entering Passive Mode (192,168,3,7,125,1)."
Wed Sep 24 15:43:21 2008 [pid 7733] [briantan] FTP command: Client "212.34.56.78", "LIST"
Wed Sep 24 15:43:21 2008 [pid 7733] [briantan] FTP response: Client "212.34.56.78", "150 Here comes the directory listing."
Wed Sep 24 15:43:22 2008 [pid 7733] [briantan] FTP response: Client "212.34.56.78", "226 Directory send OK."
Wed Sep 24 15:46:22 2008 [pid 7733] [briantan] FTP command: Client "212.34.56.78", "QUIT"
Wed Sep 24 15:46:22 2008 [pid 7733] [briantan] FTP response: Client "212.34.56.78", "221 Goodbye."
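Added example (not code from either poster): a small script that reproduces the two diagnoses the thread circles around, the 227 reply from RobinQi's first post and the passive-port / pasv_promiscuous settings from briantan's replies, and lints a vsftpd.conf for the settings that matter when the server sits behind a router. It assumes 203.0.113.10 (a documentation address) as the router's public IP, the 65001-65100 range briantan suggested, and the `pasv_address` / `pasv_addr_resolve` options from vsftpd.conf(5), which the thread never reached. The sample configs are constructed from the settings quoted in the posts.

```python
"""Diagnose vsftpd passive-mode failures behind NAT (added example)."""
import ipaddress
import re

# RFC 959: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2); port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(not 0 <= f <= 255 for f in fields):
        raise ValueError("PASV field out of byte range: %r" % reply)
    ip = ".".join(str(f) for f in fields[:4])
    return ip, fields[4] * 256 + fields[5]


def diagnose_pasv(reply, control_peer, forwarded_ports):
    """Explain why the data connection after this 227 reply would fail.

    control_peer: the server address as the client dialed it (the router's
    public IP from outside). forwarded_ports: (low, high) the router forwards.
    Returns a list of problems; empty means the data channel should work.
    """
    ip, port = parse_pasv(reply)
    problems = []
    if ip != control_peer:
        kind = "private" if ipaddress.ip_address(ip).is_private else "different"
        problems.append("server advertised %s address %s but client reached it via %s"
                        % (kind, ip, control_peer))
    low, high = forwarded_ports
    if not low <= port <= high:
        problems.append("data port %d is outside the forwarded range %d-%d"
                        % (port, low, high))
    return problems


def parse_vsftpd_conf(text):
    """Parse option=value lines. vsftpd.conf(5) says it is an error to put
    any space between option, '=' and value, so such lines are reported."""
    opts, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            errors.append("line %d: missing '='" % lineno)
        elif key != key.rstrip() or value != value.lstrip():
            errors.append("line %d: whitespace around '=' (vsftpd rejects this)" % lineno)
        else:
            opts[key] = value
    return opts, errors


def check_passive_config(opts):
    """Findings for a server reached through NAT; defaults per vsftpd.conf(5)."""
    findings = []
    if opts.get("pasv_enable", "YES").upper() == "NO":
        return ["pasv_enable=NO: passive mode disabled, clients must use active mode"]
    low, high = int(opts.get("pasv_min_port", "0")), int(opts.get("pasv_max_port", "0"))
    if low == 0 or high == 0:
        findings.append("pasv_min_port/pasv_max_port unset: data ports are random, "
                        "so the router cannot forward them")
    elif low > high:
        findings.append("pasv_min_port is greater than pasv_max_port")
    if "pasv_address" not in opts:
        findings.append("pasv_address unset: 227 carries the LAN interface address; set the "
                        "public IP, or a hostname with pasv_addr_resolve=YES")
    if opts.get("pasv_promiscuous", "NO").upper() == "YES":
        findings.append("pasv_promiscuous=YES: disables the check that the data connection "
                        "comes from the control connection's IP; it does not help with NAT")
    if "ftp_data_port" in opts and low == 0:
        findings.append("ftp_data_port only sets the active-mode (PORT) source port, "
                        "not the passive data port")
    return findings


# Constructed from the settings quoted in the original post.
POSTED_CONF = "listen_port=5000\nftp_data_port=5001\npasv_promiscuous=YES\n"
# Corrected configuration; 203.0.113.10 stands in for the router's public IP.
FIXED_CONF = ("listen_port=5000\npasv_enable=YES\npasv_min_port=65001\n"
              "pasv_max_port=65100\npasv_address=203.0.113.10\npasv_promiscuous=NO\n")

if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,168,1,106,220,69)."
    print(parse_pasv(reply))
    for p in diagnose_pasv(reply, "203.0.113.10", (65001, 65100)):
        print("PASV:", p)
    for name, conf in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        opts, errors = parse_vsftpd_conf(conf)
        for f in errors + check_passive_config(opts):
            print("%s config: %s" % (name, f))
```

On the router and host firewall, forward the same 65001-65100 range that `pasv_min_port`/`pasv_max_port` declare; with `pasv_address` set, the 227 reply then carries the public address and a port the router already forwards, which is the combination the thread never got to.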

RobinQi
25th September 2008, 12:21 PM
Still not working. I give up. I am just gonna use scp and sftp. Thanks.