Pure-ftpd passive mode

mendoza_lt · #1 (**permalink**) 04-Nov-2009, 04:41

Hello,

I have some problem, with setting up Pure-ftp...

I have a mashine running opensuse 11.1 and pureftp service. I have
configured everything, and everything works in active mode, but have
problems with passive mode.
I do not realy know is this is really pure-ftpd problem... so decided to post here

So problem is that pure-ftpd wants to open ports, that is not in the range
that is set in pure-ftpd.conf, i have set it to 30000 50000, opened that
range in linux firewall, forwarded these ports in router, but when i
trying to connect from remote computer - pure-ftpd sometimes is trying to
connect in ports that is not in range...

F.e.:

Code:

Response:	220-Welcome to Pure-FTPd.
Response:	220-You are user number 2 of 10 allowed.
Response:	220-This is a private system - No anonymous login
Response:	220 You will be disconnected after 15 minutes of inactivity.
Command:	USER aa
Response:	331 User aa OK. Password required
Command:	PASS *******
Response:	230-User aa has group access to:  112      33       16
Response:	230 OK. Current directory is /
Status:	Connected
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/" is your current location
Command:	TYPE I
Response:	200 TYPE is now 8-bit binary
Command:	PASV
Response:	227 Entering Passive Mode (88,222,125,227,206,220)
Command:	MLSD
Error:	Connection timed out
Error:	Failed to retrieve directory listing

206*256+220 = 52956 port... thats not in my range... (30000 - 50000)

aftes few retries, i can connect, because pure-ftpd choses port, that is open/forwarded

Code:

Response:	220-Welcome to Pure-FTPd.
Response:	220-You are user number 1 of 10 allowed.
Response:	220-This is a private system - No anonymous login
Response:	220 You will be disconnected after 15 minutes of inactivity.
Command:	USER aa
Response:	331 User aa OK. Password required
Command:	PASS *******
Response:	230-User aa has group access to:  112      33       16
Response:	230 OK. Current directory is /
Status:	Connected
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/" is your current location
Command:	TYPE I
Response:	200 TYPE is now 8-bit binary
Command:	PASV
Response:	227 Entering Passive Mode (88,222,125,227,174,49)
Command:	MLSD
Response:	150 Accepted data connection
Response:	226-ASCII
Response:	226-Options: -a -l
Response:	226 5 matches total
Status:	Directory listing successful

174*256+49 = 37681 ok, thats in range (30000 - 50000)

What is wrong, and what can i do to make it work normally?

buckesfeld · #2 (**permalink**) 04-Nov-2009, 06:56

* mendoza lt wrote, On 11/04/2009 11:46 AM:
> Response: 227 Entering Passive Mode (88,222,125,227,206,220)

That'd be indeed a port out of range. Please doublecheck the pureftpd.conf and make sure you edited the one the server uses. Also make sure you restart the server after editing the file.

Uwe

ken_yap · #3 (**permalink**) 04-Nov-2009, 07:19

If you are using a Linux firewall you should load the ftp connection tracking module which will peek inside the command stream and dynamically open the required port for the client to access the server. If your firewall is NATting, then you also need the ftp NAT tracking module. I think the name of the conntrack module off the top of my head is nf_conntrack_ftp.

mendoza_lt · #4 (**permalink**) 04-Nov-2009, 09:29

Quote:

Originally Posted by buckesfeld

* mendoza lt wrote, On 11/04/2009 11:46 AM:
> Response: 227 Entering Passive Mode (88,222,125,227,206,220)

That'd be indeed a port out of range. Please doublecheck the pureftpd.conf and make sure you edited the one the server uses. Also make sure you restart the server after editing the file.

Uwe

All is done, after manual edition of pureftpd.conf, i have opened yast ftp server config, and there was ports, that i have entered, so it must be same file that daemon uses...
restart - of course, i have restarted server, even computer itself physically

not only by "rcpureftpd restart" ...

mendoza_lt · #5 (**permalink**) 04-Nov-2009, 09:35

Quote:

Originally Posted by ken_yap

If you are using a Linux firewall you should load the ftp connection tracking module which will peek inside the command stream and dynamically open the required port for the client to access the server. If your firewall is NATting, then you also need the ftp NAT tracking module. I think the name of the conntrack module off the top of my head is nf_conntrack_ftp.

I am using linux firewall, but NAT'ing is done by router (Linksys)...

buckesfeld · #6 (**permalink**) 04-Nov-2009, 13:08

* mendoza lt wrote, On 11/04/2009 04:36 PM:
> All is done, after manual edition of pureftpd.conf, i have opened yast
> ftp server config, and there was ports, that i have entered, so it must
> be same file that daemon uses...

Note that you can also start pureftpd with an option for the passive port range to use (google, I don't know the syntax out of my head) in order to bypass the pureftpd.conf. See if that makes a difference.

Uwe

mendoza_lt · #7 (**permalink**) 05-Nov-2009, 10:27

After lots of googleing i think i've found solution...

https://bugzilla.novell.com/show_bug.cgi?id=465954

Quote:

editing /usr/sbin/pure-config-args to move
PassivePortRange => "-p",
from 'numpairb_switch_for' into 'numparic_switch_for' fixes the problem.

Only one thing - i have done it backwards! I mean from 'numpairc_switch_for' into 'numparib_switch_for'

Anyway it works mow...

buckesfeld · #8 (**permalink**) 05-Nov-2009, 11:33

* mendoza,

cool, thanks for the feedback!

Uwe

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode