
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3849
  • Last Modified:

FTP over explicit TLS/SSL, failed directory listing


I'm trying to use FTP with explicit mode to my NAS (qnap ts509). From within my LAN I'm able to connect and everything is working. When I connect from outside the LAN the connection times out because it can't receive the directory listing (see log from FileZilla). On my router I've forwarded ports 21 and 20, and the default port range (55536 - 56559). Am I forgetting a port or something?
Normal unencrypted FTP works fine from outside the LAN...

Status:	Connection established, waiting for welcome message...
Response:	220 NASFTPD Turbo station 2.x 1.3.1rc2 Server (ProFTPD) []
Command:	AUTH TLS
Response:	234 AUTH TLS successful
Status:	Initializing TLS...
Status:	Verifying certificate...
Command:	USER bla
Status:	TLS/SSL connection established.
Response:	331 Password required for bla
Command:	PASS ********
Response:	230 User bla logged in
Command:	OPTS UTF8 ON
Response:	200 UTF8 set to on
Command:	PBSZ 0
Response:	200 PBSZ 0 successful
Command:	PROT P
Response:	200 Protection set to Private
Status:	Connected
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/" is the current directory
Command:	TYPE I
Response:	200 Type set to I
Command:	PASV
Response:	227 Entering Passive Mode (192,168,1,100,219,128).
Status:	Server sent passive reply with unroutable address. Using server address instead.
Command:	LIST
Error:	Connection timed out
Error:	Failed to retrieve directory listing


3 Solutions
You're using passive FTP (this is what the PASV command means), and when using passive FTP port 20 is not used.

When using passive FTP the server tells the client what port it (the server) will be listening on in the response to the PASV command. By default most FTP servers will use ALL high ports, that is 1024-65535.

If you control the FTP server, I would suggest that you limit what port range it uses; a lot of sites start at port 10000 and then go to "X", where "X" is the number of concurrent sessions you expect.

If you don't control the server, then you may want to contact whomever does and ask them a) if they support passive FTP and b) if they restrict it to a specific range of ports.

Then on your firewall you need to make sure that you allow outbound connections with that port range as the destination.

If they don't support passive FTP, then you need to issue whatever command your FTP client has that turns passive FTP off.
Dennie (Author) Commented:
I've configured my FTP server to use these passive ports: 55536 - 56559. In my router I've forwarded these ports to my server (just as I've done with port 21). So this doesn't seem to be the problem...
Dave Howe Commented:

You missed a minor detail of FTPS as opposed to FTP. Normally when you use passive mode, your router rewrites your control channel to give the external (NATted) IP instead of your internal (LAN) IP.

Because FTPS is encrypted, the router cannot do that, so your FTP server needs to do it itself. In the Filezilla server (for example) the passive mode settings page allows you to specify an external IP and/or use an external lookup service.

If you tell me which ftp server you are using, I may be able to help more.
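The two answers above (the PASV reply carrying the server's own address and port, and the router being unable to rewrite that reply once the control channel is under TLS) can be checked against the asker's own log. The following is an added example, not code from the thread or from ProFTPD/FileZilla: it parses the 227 reply quoted in the question, derives the data port the client must connect to, flags the advertised address as non-routable the way FileZilla's log line does, and checks the port against the 55536 - 56559 range the asker forwarded. The placeholder public address for the NAS is an assumption taken from a documentation range.

```python
import ipaddress
import re

# Sample input taken from the FileZilla log in the question.
PASV_REPLY = "227 Entering Passive Mode (192,168,1,100,219,128)."

# Passive range the asker configured on the NAS and forwarded on the router.
PASSIVE_PORT_RANGE = (55536, 56559)

# Assumed placeholder for the NAS's public (NATted) address; the client already
# knows this because it is the address the control connection went to.
CONTROL_HOST = "203.0.113.10"

# RFC 959: "227 ... (h1,h2,h3,h4,p1,p2)" -- four address octets, two port octets.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 PASV reply; port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("PASV field out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def choose_data_endpoint(reply, control_host):
    """Pick the address the client should open the data connection to.

    A NAT router with an FTP ALG would rewrite the private address in the
    227 reply on the wire; with AUTH TLS the reply is ciphertext, so the
    router cannot. FileZilla compensates by noticing the advertised address
    is unroutable and falling back to the control-connection address.
    Returns (host, port, substituted).
    """
    ip, port = parse_pasv(reply)
    unroutable = not ipaddress.ip_address(ip).is_global
    return (control_host if unroutable else ip), port, unroutable


def port_in_passive_range(port, rng=PASSIVE_PORT_RANGE):
    """True when the advertised data port lies inside the forwarded range."""
    lo, hi = rng
    return lo <= port <= hi


if __name__ == "__main__":
    host, port, substituted = choose_data_endpoint(PASV_REPLY, CONTROL_HOST)
    print(f"advertised {parse_pasv(PASV_REPLY)}, connect to {host}:{port}"
          f" (substituted={substituted}, in range={port_in_passive_range(port)})")
```

For the asker's log this yields port 56192 (219*256 + 128), which does lie inside the forwarded range, so the port forwarding itself is consistent and the remaining suspects are the address in the reply (ProFTPD's "respond with external IP" option) and a firewall in the path dropping the inbound data connection.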
Dennie (Author) Commented:
My NAS uses ProFTPD server. I've tried to use the option clear command channel and clear data channel and EPSV in my FTP client, but this isn't helping
Dennie (Author) Commented:
My NAS has an FTP option "Respond with external IP address for passive FTP connection request". When I set my external IP here it still isn't working.
Oops, I missed the FTPS part too.

O.K., using CCC and EPSV should help, but only if the FTP server supports both CCC (and is configured to allow CCC) and EPSV.

You need to figure out which side is blocking the request and hard code rules in that firewall to allow tcp traffic with source port >1023 and destination ports in the range of 55536 - 56559.

If possible you may want to test using non-TLS/SSL; once you get that working, then move on to TLS/SSL.
Dennie (Author) Commented:
As mentioned everything works correctly without TLS/SSL...
Sorry, I missed the part about non-TLS/SSL working.

O.K., that means that one of the firewalls is not properly configured to allow tcp traffic with source port >1023 and destination ports in the range of 55536 - 56559.

I also now remember that your FTP server is a NAS device, which most likely means you can't run Wireshark on it. Can you check and see if it (the NAS device) has shell access? If so, assuming it is Linux based, you may want to see if you can run tcpdump. You can do a packet capture with tcpdump and then transfer the file to another computer and use Wireshark to look at the trace.

However, thinking about it a little more, if you have shell access to the NAS you might be able to just issue netstat commands to see if you can see an inbound connection attempt to any of the ports in the 55536 - 56559 range.
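The troubleshooting step suggested above (look on the NAS for inbound connection attempts to the passive range and compare them with the control connections that did arrive) can be scripted over `netstat -tn` output. This is an added example, not part of the thread: it reads constructed netstat-style lines, separates control connections (port 21) from data connections in the 55536 - 56559 range, and reports any peer that reached the control port but never showed up on a passive port, which is the signature of a firewall or NAT in the path dropping the data connection. The sample addresses are constructed from documentation ranges; the helper that builds the matching tcpdump filter uses the `portrange` primitive from the tcpdump filter syntax.

```python
import re
from collections import defaultdict

PASSIVE_PORT_RANGE = (55536, 56559)  # range configured on the NAS in the thread
CONTROL_PORT = 21

# Constructed sample of `netstat -tn` output on the NAS: an external client
# (198.51.100.23) has a control session on port 21 but no data connection in
# the passive range, while a LAN client (192.168.1.5) has both.
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.100:21        198.51.100.23:51234     ESTABLISHED
tcp        0      0 192.168.1.100:22        192.168.1.5:40022       ESTABLISHED
tcp        0      0 192.168.1.100:21        192.168.1.5:40028       ESTABLISHED
tcp        0      0 192.168.1.100:56100     192.168.1.5:40030       ESTABLISHED
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
"""

# Matches one data row of `netstat -tn`; IPv4 only, which is what the NAS uses.
ROW_RE = re.compile(
    r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\S+)\s*$"
)


def parse_netstat(text):
    """Yield (local_port, foreign_ip, foreign_port, state) for each TCP row."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header line or non-matching row
        _local_ip, lport, fip, fport, state = m.groups()
        if fport == "*":
            continue  # listening socket, not a connection
        yield int(lport), fip, int(fport), state


def diagnose(text, rng=PASSIVE_PORT_RANGE):
    """Group connections by peer and find peers missing a data connection.

    Returns a dict with the set of control peers, a mapping of peer to the
    passive-range local ports it reached (any TCP state counts, SYN_RECV
    included, since even a half-open attempt proves the packet arrived),
    and the peers that have a control session but no data attempt.
    """
    lo, hi = rng
    control_peers = set()
    data_ports = defaultdict(set)
    for lport, fip, _fport, _state in parse_netstat(text):
        if lport == CONTROL_PORT:
            control_peers.add(fip)
        elif lo <= lport <= hi:
            data_ports[fip].add(lport)
    missing = sorted(p for p in control_peers if p not in data_ports)
    return {"control_peers": control_peers,
            "data_ports": dict(data_ports),
            "control_without_data": missing}


def tcpdump_filter(rng=PASSIVE_PORT_RANGE):
    """Capture filter for confirming whether data connections reach the NAS."""
    lo, hi = rng
    return f"tcp and portrange {lo}-{hi}"


if __name__ == "__main__":
    result = diagnose(NETSTAT_SAMPLE)
    for peer in result["control_without_data"]:
        print(f"{peer}: control session present, no passive data connection seen")
    print("tcpdump -ni eth0", repr(tcpdump_filter()))
```

A peer listed under `control_without_data` tells you the data SYN never made it to the NAS, so the block is upstream (router forwarding, or the client-side firewall) rather than in ProFTPD; a peer that appears with a SYN_RECV entry in the passive range but never completes points the other way.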
Do you see any TLS connection attempts in the ProFTPD server logs? If so it might help to provide those as well. It may be a firewall issue, but it would be helpful to see this as well.

I would also suggest restarting the ProFTPD service from the command line, and checking the console or the logs for any errors in the config files that the service reports. I'm primarily thinking that it would be good to verify that ProFTPD isn't having any problems with the TLS/SSL configuration settings.
Dennie (Author) Commented:
I think my router is too limited to support FTP with TLS/SSL.
