Solved

firefox and linux ftp cannot connect to vsftpd server.  It seems that vsftpd changes ports every time.

Posted on 2004-04-06
3,634 Views
Last Modified: 2012-06-27
I have found out that FTP can turn out to be a major pain and although I have found many postings regarding this subject, I have yet to find a clear answer.  That is why I am giving this question a bunch of points.  The issue can be summed up as follows:
1. unix ftp client has problem with vsftpd server
2. firefox (regardless of windows or linux) has problems with vsftpd server
3. IE has no problems with vsftpd server
4. IE has problems with vsftpd server only when it is routed through a linux machine acting as router/firewall/NAT

Below are the specifics to this problem.  I tried adding pasv_promiscuous=YES to vsftpd along with other settings but I still cannot connect using firefox or linux, although it works on IE. I believe the problem to be that every time I connect to the ftp server it seems to connect to a different port.  All of my linux machines are running a firewall so they are probably blocking the traffic although they are able to log in.
Every time I connect to vsftpd I get the line "(192,168,123,177,164,56)" with the last two numbers always changing.  Is there a way to have vsftpd connect on the same port every time?  What about the connect_from_port_20=YES option?  Any suggestions?

Network layout:

Verizon DSL modem -> router -> | Firewall PC (linux) -> | Win2K pc
                               | Dell(XP)
                               | ftp server (linux)
                               | HP(XP)
                               | wireless (router) ->   | fujitsu(XP)
                                                        | dell(XP)

Firewall PC (acts as router with firewall and NAT)
  linux ftp:
    230 Login successful. Have fun.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> passive
    Passive mode off.
    ftp> ls
    200 PORT command successful. Consider using PASV.
    425 Failed to establish connection.
  firefox
    425 failed to establish connection

Win2K pc (through Firewall PC)
  IE:
    200 switching to ASCII mode
    500 illegal PORT command
    500 unknown command
  dos ftp
    500 Illegal PORT command
    425 Use PORT or PASV first.

Dell(XP)
  dos ftp
    works for uploads and downloads
  firefox
    425 failed to establish connection

HP(XP)
  IE (6.0.2800.1106xpsp2.030422-1633IC)
    works
  dos ftp
    works

dell(XP) through wireless router
  IE (6.0.2800.1106xpsp2.030422-1633IC)
    works
  dos ftp
    works

fujitsu(XP) through wireless router
  IE (6.0.2800.1106.xpclnt_qfe.021108-2107IC)
    works
  dos ftp
    works
  firefox
    425 failed to establish connection
Question by:bisonfur37
3 Comments
LVL 40

Accepted Solution

by:
jlevie earned 250 total points
FTP can operate in ACTIVE or PASSIVE mode. There's a good discussion of the two modes at http://slacksite.com/other/ftp.html, but in brief:

ACTIVE mode requires ports 21/TCP, and the ephemeral ports (1024-65535) to be open on the firewall the FTP server is behind. And on the client side port 20/TCP must be allowed as an inbound connection.

PASSIVE mode requires ports 21/TCP, and the ephemeral ports (1024-65535) to be open on the firewall the FTP server is behind. On the client side there's no requirement for an inbound connection from the FTP server.

Opening all of the ephemeral ports is something of a security risk and unless you have an outside IP that can be dedicated to the FTP server it can present a problem for a local network behind a NAT'ing firewall. I don't know about vsftpd, but ProFTP can be configured to limit the client's choice of ephemeral ports to a subset of the possible range, leaving sufficient other ephemeral ports for use by NAT. Then you configure the firewall to allow inbound connections within that range, and possibly forward those ports to the FTP server.
LVL 2

Author Comment

by:bisonfur37
Good.  Thank you for the explanation.  Now I will look for a way to restrict the range of ports.  I'll close this answer soon and you definitely take most, if not all of the points.  Thank you.
LVL 40

Expert Comment

by:jlevie
I just looked at the vsftpd docs and the config directives pasv_max_port & pasv_min_port allow the restriction of the ephemeral port range, see 'man vsftpd.conf'
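An added illustration, not part of the original thread, tying together jlevie's explanation of passive mode and the pasv_min_port / pasv_max_port directives from the last comment. The script decodes the "(192,168,123,177,164,56)" reply the asker quoted (RFC 959 packs the data port into the last two octets as high byte * 256 + low byte), checks whether that port falls inside the window the firewall is meant to open, and emits the matching vsftpd.conf lines and iptables rules. The 50000-50100 window, the sample 227 line and the iptables rules are my own assumptions for the example; they are not taken from the thread or from vsftpd's documentation.

```python
import re

# Constructed sample: the 227 reply vsftpd sends in passive mode, built
# around the octet tuple the original poster quoted.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,168,123,177,164,56)."

_PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply):
    """Decode a 227 reply into (host, port).

    RFC 959 encodes the data-connection endpoint as six decimal octets:
    four for the IPv4 address and two for the port, so port = p1 * 256 + p2.
    The asker's changing "last two numbers" are just a fresh ephemeral port.
    """
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError("no (h1,h2,h3,h4,p1,p2) tuple in reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    for octet in (h1, h2, h3, h4, p1, p2):
        if not 0 <= octet <= 255:
            raise ValueError("octet out of range in reply: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def port_in_range(port, pasv_min_port, pasv_max_port):
    """True if the advertised data port lies inside the window the firewall opens."""
    return pasv_min_port <= port <= pasv_max_port


def vsftpd_pasv_config(pasv_min_port, pasv_max_port):
    """vsftpd.conf lines that pin passive data connections to a fixed window.

    pasv_min_port / pasv_max_port are the real directives named in the thread;
    the window itself is the caller's choice (assumed 50000-50100 below).
    """
    if not (1024 <= pasv_min_port <= pasv_max_port <= 65535):
        raise ValueError("range must be ordered and lie within the ephemeral ports")
    return [
        "pasv_enable=YES",
        "pasv_min_port=%d" % pasv_min_port,
        "pasv_max_port=%d" % pasv_max_port,
    ]


def iptables_rules(pasv_min_port, pasv_max_port):
    """Assumed iptables rules for the server's host firewall: open the control
    port and only the chosen passive window, instead of all of 1024-65535."""
    return [
        "iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT",
        "iptables -A INPUT -p tcp --dport %d:%d -m state --state NEW -j ACCEPT"
        % (pasv_min_port, pasv_max_port),
    ]


if __name__ == "__main__":
    host, port = parse_pasv_reply(SAMPLE_PASV_REPLY)
    print("server wants the data connection on %s:%d" % (host, port))
    lo, hi = 50000, 50100  # assumed window, not from the thread
    print("inside the %d-%d window? %s" % (lo, hi, port_in_range(port, lo, hi)))
    print("\n".join(vsftpd_pasv_config(lo, hi)))
    print("\n".join(iptables_rules(lo, hi)))
```

Running it shows the quoted reply resolves to 192.168.123.177:42040, which is outside a 50000-50100 window; once vsftpd is restarted with the pasv_min_port / pasv_max_port lines, every 227 reply lands inside that window and the single port-range rule covers it. On a Linux firewall in the path, the alternative to opening any range at all is the kernel's FTP connection-tracking helper (ip_conntrack_ftp / nf_conntrack_ftp), which reads the 227 reply and opens just that one port for the life of the transfer.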