James Cook

How can I get my FTP server to work in passive mode only

How can I get my ftp server to work in passive mode only?

It seems like it starts in active then switches to passive (see code below)

This is my vsftpd config file:
ftp_username=username
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
idle_session_timeout=600
data_connection_timeout=120
ftpd_banner=Welcome to the FTP service.
listen=YES
pam_service_name=vsftpd
userlist_enable=YES
tcp_wrappers=YES
pasv_enable=YES

This is the log I get when connecting from FileZilla:
Status:	Connecting to xxx.xxx.xxx.xxx:21...
Status:	Connection established, waiting for welcome message...
Response:	220 Welcome to the FTP service.
Command:	USER username
Response:	331 Please specify the password.
Command:	PASS **********
Response:	230 Login successful.
Command:	SYST
Response:	215 UNIX Type: L8
Command:	FEAT
Response:	211-Features:
Response:	 EPRT
Response:	 EPSV
Response:	 MDTM
Response:	 PASV
Response:	 REST STREAM
Response:	 SIZE
Response:	 TVFS
Response:	211 End
Status:	Connected
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/home/folder"
Command:	TYPE I
Response:	200 Switching to Binary mode.
Command:	PASV
Response:	227 Entering Passive Mode (xxx,xxx,xxx,xxx,62,247)

MushyPea

Not sure I understand the question.

The server will generally support both modes, and default to non-passive.

The client will have an option to use passive mode.

Clients will expect the default to be non-passive, and probably break if this isn't the case; in fact, they have to use the 'PASV' command in order to obtain the connection details for the data connection.

In short, I don't think you can force passive mode with the server; you can, of course, firewall the server so that non-passive mode simply doesn't work, but that's rather unfriendly to users.

Curious to know why you'd want to force passive mode, too.

James Cook

ASKER

The reason is because we have a bonded ADSL setup. (3 lines bonded together to give us much quicker upload and download speeds)
The bonded setup we have doesn't support Active mode and therefore often drops the connection. (to our external Web server)

I can force the client to only use passive but it's not working. I spoke to our service provider and they told me that it's because we're connecting in active then switching to passive, rather than just connecting passive only, if that makes sense.
They told me I would have to change the config on the server as they have tested another ftp server and that works fine.

This is where the connection drops:

Status: Connecting to xxx.xxx.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Response: 220 Welcome to the FTP service.
Command: USER username
Response: 331 Please specify the password.
Command: PASS **********
Response: 230 Login successful.
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/home/folder"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (xxx,xxx,xxx,xxx,73,151)
Command: LIST
This is where it's timing out!

That's perfectly normal behaviour.

This...

"they told me that it's because we're connecting in active then switching to passive, rather than just connecting passive only"

... is plain crazy.

The client MUST issue the PASV command to get the details of where to connect for the data (the bit in brackets).

Are the 3 lines with the same provider, and bonded at both ends?  Or are you balancing traffic across 3 separate lines, each of which has a different IP?  With the latter, it might be that your outgoing data connection is using a different line/IP to your control connection (the initial one).

Yes, the 3 lines are with the same provider, bonded at both ends.
Their test ftp server they gave me works fine, this is the message I get when I connect to that (using passive):

Status: Connecting to xxx.xxx.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Response: 220 ProFTPD 1.3.0 Server (Debian) [::ffff:77.44.117.217]
Command: USER anonymous
Response: 331 Anonymous login ok, send your complete email address as your password.
Command: PASS **************
Response: 230-FTP server. Unauthorised access is prohibited
Response: 230-
Response: 230 Anonymous access granted, restrictions apply.
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: MDTM
Response: REST STREAM
Response: SIZE
Response: 211 End
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (xxx,xxx,xxx,xxx,236,203).
Command: LIST
Response: 150 Opening ASCII mode data connection for file list
Response: 226 Transfer complete.
Status: Calculating timezone offset of server...
Command: MDTM welcome.msg
Response: 213 20080522130639
Status: Timezone offsets: Server: 0 seconds. Local: 3600 seconds. Difference: 3600 seconds.
Status: Directory listing successful

I know our webserver works from other internet connections.

That's odd; your client issued a 'SYST' and 'FEAT' command, which it didn't do on the other connection.

Is that the same client, configured exactly the same way?

Have you tried a different FTP client, too?

I figured out why it issued those commands with the other connection:
I'm using FileZilla and if you connect for the first time (after opening the program) it issues the commands; however, if you retry the connection it doesn't.
So here is the full output from the one with the problem:

Status: Connecting to xxx.xxx.xxx.xxx:21...
Status: Connection established, waiting for welcome message...
Response: 220 Welcome to the FTP service.
Command: USER username
Response: 331 Please specify the password.
Command: PASS **********
Response: 230 Login successful.
Command: SYST
Response: 215 UNIX Type: L8
Command: FEAT
Response: 211-Features:
Response: EPRT
Response: EPSV
Response: MDTM
Response: PASV
Response: REST STREAM
Response: SIZE
Response: TVFS
Response: 211 End
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/home/folder"
Command: TYPE I
Response: 200 Switching to Binary mode.
Command: PASV
Response: 227 Entering Passive Mode (xxx,xxx,xxx,xxx,206,132)
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing

I do also use Dreamweaver and it won't connect with that either!

Is there a firewall on the FTP server machine?

If you're using iptables, check you're allowing "RELATED" packets.  Might also need the ip_conntrack_ftp module loaded.
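
Added example, not part of the original thread or any poster's code: the bracketed part of a 227 reply encodes the data port as p1*256 + p2, so a client log can be read to see which server port each listing attempt was aimed at and whether that data connection ever opened. The sample log is constructed from lines quoted in the thread (address octets stay masked as "xxx"), and the function names and the firewall port range passed to `outside_range` are hypothetical.

```python
import re

# Constructed sample built from the FileZilla lines quoted in this thread
# (address octets are masked as "xxx" there, so the parser tolerates them).
SAMPLE_LOG = """\
Command: PASV
Response: 227 Entering Passive Mode (xxx,xxx,xxx,xxx,236,203).
Command: LIST
Response: 150 Opening ASCII mode data connection for file list
Response: 226 Transfer complete.
Command: PASV
Response: 227 Entering Passive Mode (xxx,xxx,xxx,xxx,206,132)
Command: LIST
Error: Connection timed out
"""

PASV_REPLY = re.compile(r"\b227 [^(]*\(((?:\w{1,3},){4})(\d{1,3}),(\d{1,3})\)")


def parse_pasv(line):
    """Return (host, port) from a 227 reply, or None. Port is p1*256 + p2."""
    m = PASV_REPLY.search(line)
    if not m:
        return None
    p1, p2 = int(m.group(2)), int(m.group(3))
    if p1 > 255 or p2 > 255:
        return None  # the two port fields must each fit in one octet
    return m.group(1).rstrip(",").replace(",", "."), p1 * 256 + p2


def data_channel_outcomes(log_text):
    """Pair each advertised passive port with what happened to the transfer."""
    outcomes, pending = [], None
    for line in log_text.splitlines():
        endpoint = parse_pasv(line)
        if endpoint:
            pending = endpoint[1]  # port the client will now connect to
        elif pending is not None and re.search(r"Response:\s+(150|125)\b", line):
            outcomes.append((pending, "data connection opened"))
            pending = None
        elif pending is not None and "timed out" in line:
            outcomes.append((pending, "timed out"))
            pending = None
    return outcomes


def outside_range(ports, low, high):
    """Ports a firewall limited to low..high (hypothetical range) would drop."""
    return [p for p in ports if not low <= p <= high]
```

A timeout paired with a successfully parsed port means the control connection on port 21 worked and the failure is on the separate data connection to that port, which is the path a stateful firewall has to recognise as related traffic.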