VSFTP in passive mode - Redhat

  1. VSFTP in passive mode

    For some reason I can not get VSFTPD to work in passive mode. I am
    running Fedora C4. When I FTP into the site I get connected but when I
    type "ls" for a directory I get

    "Entering Passive Mode (xx,xx,xx,xxx,xx,xx)
    ftp: connect: No route to host"

    If I exit passive mode by entering "pass" the directory comes across. I
    do not have a "pasv_enable=no" in the vsftpd.conf file so it should be
    on by default. I have also discovered that if I turn off the firewall
    (iptables) FTP works in passive mode so I am placing a copy of the
    "iptables -L" below.

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    RH-Firewall-1-INPUT all -- anywhere anywhere

    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    RH-Firewall-1-INPUT all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain RH-Firewall-1-INPUT (2 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere
    ACCEPT icmp -- anywhere anywhere icmp any
    ACCEPT ipv6-crypt-- anywhere anywhere
    ACCEPT ipv6-auth-- anywhere anywhere
    ACCEPT udp -- anywhere 224.0.0.251 udp dpt:5353
    ACCEPT udp -- anywhere anywhere udp dpt:ipp
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
    ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
    REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

    Thanks

  2. Re: VSFTP in passive mode

    On Thu, 09 Feb 2006 13:41:04 -0600, Sam Watson wrote:

    > For some reason I can not get VSFTPD to work in passive mode. I am
    > running Fedora C4. When I FTP into the site I get connected but when I
    > type "ls" for a directory I get
    >
    > "Entering Passive Mode (xx,xx,xx,xxx,xx,xx)
    > ftp: connect: No route to host"
    >
    > If I exit passive mode by entering "pass" the directory comes across. I
    > do not have a "pasv_enable=no" in the vsftpd.conf file so it should be
    > on by default. I have also discovered that if I turn off the firewall
    > (iptables) FTP works in passive mode ....


    Sorry for the massive bump of this post. Probably way off here, but have
    you set up a passive port range? I'm thinking this might be the problem
    when you said about turning off the firewall.

    You've probably sorted it now, but the simplest way I can try and help
    if you haven't is to show you the pertinent sections of my vsftpd.conf:

    pam_service_name=vsftpd
    userlist_enable=YES
    userlist_deny=YES
    #enable for standalone mode
    listen=YES
    tcp_wrappers=YES
    pasv_address=82.29.34.23
    pasv_promiscuous=YES
    pasv_enable=YES
    hide_ids=YES
    pasv_min_port=xxxxx
    pasv_max_port=xxxxx
    chroot_local_user=YES
    max_clients=x
    no_anon_password=YES

    The way I understand it, running passive mode puts the 'security burden'
    on the server, i.e. it has to open up ports. In active mode, the 'security
    burden' is on the client, with them having to accept incoming connections
    originating from port 20 of the FTP server they're connecting to.
    (Corrections most welcome).

    (All FTP connections are TCP. None are UDP AFAIK.)

    For my vsftpd.conf, I've had to input the appropriate rules in my IPTables
    firewall too.

    /sbin/iptables -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
    /sbin/iptables -A INPUT -i eth0 -p tcp --dport xxxxx:xxxxx -j ACCEPT

    Where 'xxxxx:xxxxx' is the lowest port number:highest port number in the
    range you want to specify, for the passive FTP ports.

    HTH and sorry if it didn't.

    Regards,

    News.

    P.S. Can you connect to mine ?
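
Added example, not part of any post in this thread: a Python sketch that checks the passive port range in a vsftpd.conf against the firewall's ACCEPT rules and decodes the data port from a "227 Entering Passive Mode" reply (p1*256+p2). The port numbers, sample config and rules are constructed, since the thread masks its real values. It reads only explicit --dport ACCEPT rules in `iptables -S` form and ignores rule order and connection-tracking helpers.

```python
import re

# Constructed sample values: the thread masks its real ports as "xxxxx".
VSFTPD_CONF = """\
pasv_enable=YES
pasv_promiscuous=YES
pasv_min_port=50000
pasv_max_port=50100
"""
# Constructed rules in `iptables -S` form, mirroring the two rules in the post.
IPTABLES_RULES = """\
-A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 50000:50050 -j ACCEPT
"""

def parse_conf(text):
    """Return vsftpd.conf settings as a dict, skipping comments and blanks."""
    lines = (l.strip() for l in text.splitlines())
    return dict(l.split("=", 1) for l in lines
                if "=" in l and not l.startswith("#"))

def accepted_tcp_ranges(rules):
    """Return (low, high) destination-port ranges that ACCEPT tcp traffic."""
    pattern = r"-p tcp\b.*--dport (\d+)(?::(\d+))?\b.*-j ACCEPT"
    return [(int(m[1]), int(m[2] or m[1]))
            for m in (re.search(pattern, r) for r in rules.splitlines()) if m]

def port_accepted(port, ranges):
    """True when some ACCEPT range covers the port."""
    return any(low <= port <= high for low, high in ranges)

def pasv_port(reply):
    """Decode the data port from a '227 ... (h1,h2,h3,h4,p1,p2)' reply."""
    p1, p2 = re.search(r"\(\d+,\d+,\d+,\d+,(\d+),(\d+)\)", reply).groups()
    return int(p1) * 256 + int(p2)

def audit(conf_text, rules_text):
    """List mismatches between the passive range and the firewall rules."""
    conf, findings = parse_conf(conf_text), []
    if "pasv_min_port" not in conf or "pasv_max_port" not in conf:
        return ["no passive range set: any data port may be chosen"]
    low, high = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
    ranges = accepted_tcp_ranges(rules_text)
    blocked = [p for p in range(low, high + 1) if not port_accepted(p, ranges)]
    if blocked:
        findings.append(f"{len(blocked)} passive ports in "
                        f"{blocked[0]}-{blocked[-1]} not accepted by firewall")
    if conf.get("pasv_promiscuous", "NO").upper() == "YES":
        findings.append("pasv_promiscuous=YES disables the same-IP data check")
    return findings
```

With the constructed input, `audit(VSFTPD_CONF, IPTABLES_RULES)` reports the 50 ports the firewall rule leaves out of the configured range, the mismatch that produces intermittent "No route to host" on `ls`, plus the `pasv_promiscuous` setting.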





  3. Re: VSFTP in passive mode

    In order to solve this problem:

    On the firewall (if Linux):
    load module ip_nat_ftp

    On the server itself (if Linux):
    load the same module and enable incoming connections on ports 20 and 21

