

firefox and linux ftp cannot connect to vsftpd server.  It seems that vsftpd changes ports every time.

Posted on 2004-04-06
Medium Priority
Last Modified: 2012-06-27
I have found out that FTP can turn out to be a major pain and although I have found many postings regarding this subject, I have yet to find a clear answer.  That is why I am giving this question a bunch of points.  The issue can be summed up as follows:
1. unix ftp client has problem with vsftpd server
2. firefox(regardless of windows or linux) has problems with vsftpd server
3. IE has no problems with vsftpd server
4. IE has problems with vsftpd server only when it is routed through a linux machine acting as router/firewall/NAT

Below are the specifics to this problem.  I tried adding pasv_promiscuous=YES to vsftpd along with other settings but I still cannot connect using firefox or linux, besides, it works on IE. I believe the problem to be that every time I connect to the ftp server it seems to connect to a different port.  All of my linux machines are running a firewall so they are probably blocking the traffic although they are able to log in.
Every time I connect to vsftpd I get the line "(192,168,123,177,164,56)" with the last two numbers always changing.  Is there a way to have vsftpd connect on the same port every time?  What about the connect_from_port_20=YES option?  Any suggestions?

Network layout:

                                                 | Firewall PC (linux) ->     | Win2K pc
                                                 | Dell(XP)
Verizon DSL modem -> router ->      | ftp server (linux)
                                                 | HP(XP)
                                                 | wireless (router) ->      | fujitsu(XP)
                                                                               | dell(XP)

Firewall PC (acts as router with firewall and NAT)
  linux ftp:
    230 Login successful. Have fun.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> passive
    Passive mode off.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    425 Failed to establish connection.
    425 failed to establish connection

Win2K pc (through Firewall PC)
    200 switching to ASCII mode
    500 illegal PORT command
    500 unknown command
  dos ftp
    500 Illegal PORT command
    425 Use PORT or PASV first.

  dos ftp
    works for uploads and downloads
    425 failed to establish connection

  IE (6.0.2800.1106xpsp2.030422-1633IC)
  dos ftp

dell(XP) through wireless router
  IE (6.0.2800.1106xpsp2.030422-1633IC)
  dos ftp

fujitsu(XP) through wireless router
  IE (6.0.2800.1106.xpclnt_qfe.021108-2107IC)
  dos ftp
    425 failed to establish connection
Question by:bisonfur37

Accepted Solution

jlevie earned 1000 total points
ID: 10769543
FTP can operate in ACTIVE or PASSIVE mode. There's a good discussion of the two modes at, but in brief:

ACTIVE mode requires ports 21/TCP, and the ephemeral ports (1024-65535) to be open on the firewall the FTP server is behind. And on the client side port 20/TCP must be allowed as an inbound connection.

PASSIVE mode requires ports 21/TCP, and the ephemeral ports (1024-65535) to be open on the firewall the FTP server is behind. On the client side there's no requirement for an inbound connection from the FTP server.

Opening all of the ephemeral ports is something of a security risk and unless you have an outside IP that can be dedicated to the FTP server it can present a problem for a local network behind a NAT'ing firewall. I don't know about vsftpd, but ProFTP can be configured to limit the client's choice of ephemeral ports to a subset of the possible range, leaving sufficient other ephemeral ports for use by NAT. Then you configure the firewall to allow inbound connections within that range, and possibly forward those ports to the FTP server.

Author Comment

ID: 10769927
Good.  Thank you for the explanation.  Now I will look for a way to restrict the range of ports.  I'll close this answer soon and you definitely take most, if not all of the points.  Thank you.

Expert Comment

ID: 10770773
I just looked at the vsftpd docs and the config directives pasv_max_port & pasv_min_port allow the restriction of the ephemeral port range, see 'man vsftpd.conf'
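
An added example, not part of the original thread: it decodes the address tuple the server prints, such as the "(192,168,123,177,164,56)" quoted in the question, and checks the resulting data port against the `pasv_min_port`/`pasv_max_port` range in a vsftpd.conf. The 50000-50100 range, the sample config, the function names and the iptables rule format are assumptions chosen for illustration.

```python
import re

# Constructed vsftpd.conf excerpt; the port range is a hypothetical choice.
SAMPLE_CONF = """\
# vsftpd.conf (constructed excerpt)
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
"""

TUPLE_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def decode_endpoint(reply):
    """Turn '(h1,h2,h3,h4,p1,p2)' into (ip, port); port = p1*256 + p2."""
    m = TUPLE_RE.search(reply)
    if not m:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("tuple field out of byte range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def pasv_range(conf_text):
    """Read pasv_min_port/pasv_max_port; 0 or unset means 'any port',
    treated here as the 1024-65535 range named in the answer."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key] = value
    lo = int(opts.get("pasv_min_port", 0)) or 1024
    hi = int(opts.get("pasv_max_port", 0)) or 65535
    return lo, hi

def check_reply(reply, conf_text):
    """Report whether the advertised data port falls inside the configured range."""
    host, port = decode_endpoint(reply)
    lo, hi = pasv_range(conf_text)
    return {"host": host, "port": port, "range": (lo, hi), "in_range": lo <= port <= hi}

def firewall_rule(conf_text):
    """Inbound rule matching the passive range (assumes an iptables host firewall)."""
    lo, hi = pasv_range(conf_text)
    return f"iptables -A INPUT -p tcp --dport {lo}:{hi} -j ACCEPT"

if __name__ == "__main__":
    # Tuple from the question: decodes to port 42040, outside the sample range.
    print(check_reply("227 Entering Passive Mode (192,168,123,177,164,56)", SAMPLE_CONF))
    print(firewall_rule(SAMPLE_CONF))
```

A port that decodes outside the configured range means the server is not running with that config, so the firewall rule and the daemon disagree.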
