
ProFTPD Passive Configuration

Discussion in 'General Discussion' started by wh7702, Mar 13, 2005.

  1. wh7702

    wh7702 Member

    Joined:
    Mar 13, 2005
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    Hello all.

    I seem to be having issues getting ProFTP to listen/communicate on passive ports.

    I've added

    PassivePorts 1025 1050

    to my proftpd.conf file

    and opened 1025 - 1050 on my firewall, however it doesn't seem to be working properly.

    I don't seem to find much on these forums or at the proftp pages either...

    Any suggestions/comments?

    Matt
     
  2. DigitalN

    DigitalN Well-Known Member

    Joined:
    Sep 23, 2004
    Messages:
    420
    Likes Received:
    1
    Trophy Points:
    18
    How many clients do you have? You'd usually need more than 25 ports for passive usage, maybe twice the number of your clients would be a rule of thumb.
     
  3. wh7702

    wh7702 Member

    I'm the only one connected...
     
  4. wh7702

    wh7702 Member

    Can't seem to put my finger on it.

    netstat confirms pureftp (switched to pureftpd btw) is running properly and utilizing the correct ports.

    I can connect to the server, browse directories, and even download data. However, when I try to place data on the server, I get a 550 error. Normally 550 is no permissions, however I do have permissions, and if I remove the firewall it does allow me to upload data fine.

    I have 21,1025-1050 open.

    Should work fine or am I missing something?

    Matt
     
  5. DigitalN

    DigitalN Well-Known Member

    Try opening port 20 in your firewall as well - that may help.
     
  6. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    Are you using an SPI firewall such as APF? If so, there's no need at all to open up ephemeral ports for PASV FTP, as they're allowed due to the existing port 21 connection. If that is the case, there's also no need to specify the port range in the ftp daemon configuration since any unused ephemeral port will do.

    If you're using a non-SPI firewall, do you actually login and then it freezes? If you cannot even login, then the problems are elsewhere since it doesn't enter PASV mode until you've authenticated (IIRC).
     
  7. wh7702

    wh7702 Member

    I figured it out.

    When I enabled "FTP Services" on the firewall, it turned on "FTP Proxy Services". No indication at all that's what it was. I blindly assumed "FTP Services" meant it was opening 20/21, then I added 1025-1050. Wasn't the case...

    All is well now.

    Thanks guys,

    Matt
     
  8. procam

    procam Well-Known Member

    Joined:
    Nov 24, 2003
    Messages:
    123
    Likes Received:
    0
    Trophy Points:
    16
    Why is it that what you say simply doesn't work in this case??
    I have diddled with this on numerous servers off and on for MONTHS ~ my solution at best is to open 35000_36000 in apf and open them and uncomment the pureftp conf to passive connections on 35000 36000 and ftp works as it should - if I remove those ftp runs like it's a cobalt raq unit from 1990 HORRIBLE connections dropped ftps and all my customers complain.....
    Chirpy yer sposed to be the cpanel god man ~ what gives why do I see in thread after thread you say we shouldn't open these but it won't work any other way ~
    Lettuce get to the beef of this at last please can you enlighten me please. :cool:
     
  9. chirpy

    chirpy Well-Known Member

    I have never had to open a hole in the APF firewall for passive FTP. If you are having to, you may be blocking static ports that you shouldn't be (i.e. 20 and 21). Also, do make sure you're using the latest APF as recent ones have been very buggy and I have had problems on some servers with the very latest release too. In those cases I've used a different SPI firewall script also without a hole in it.
     
  10. Vatoloco

    Vatoloco Well-Known Member

    Joined:
    Jun 21, 2004
    Messages:
    100
    Likes Received:
    0
    Trophy Points:
    16
    What issues could arise from blocking 21? I changed the default port for ProFTP a while ago and when I set up APF I went through /etc/apf/conf.apf and removed all instances of 21 and replaced it with my custom port. I also had to unblock 35000_36000.
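
An added example for the thread as a whole, not code from any poster or from cPanel: in passive mode the server announces the data port in its 227 reply as six numbers, and the check below decodes that reply and compares the port with a PassivePorts-style range and with a static firewall allow-list. The function names and the sample log lines are constructed for illustration, and the allow-list check models only a non-SPI firewall with fixed port rules.

```python
import re

# Matches the server's reply to PASV: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply, or None for any other line."""
    m = PASV_RE.match(reply.strip())
    if not m or any(int(x) > 255 for x in m.groups()):
        return None
    nums = [int(x) for x in m.groups()]
    # The data port is sent as two bytes: high byte p1, low byte p2.
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def parse_ranges(spec):
    """Parse '21,1025-1050' or APF-style '35000_36000' into (low, high) pairs."""
    ranges = []
    for item in spec.split(","):
        item = item.strip().replace("_", "-")
        if item:
            low, _, high = item.partition("-")
            ranges.append((int(low), int(high or low)))
    return ranges

def check_session(lines, passive_range, firewall_open):
    """Report, per 227 reply, whether the data port is inside both ranges."""
    open_ranges = parse_ranges(firewall_open)
    report = []
    for line in lines:
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        ip, port = parsed
        report.append({
            "ip": ip, "port": port,
            "in_passive_range": passive_range[0] <= port <= passive_range[1],
            "firewall_open": any(lo <= port <= hi for lo, hi in open_ranges),
        })
    return report

# Constructed client-side log lines (192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    "230 User logged in",
    "227 Entering Passive Mode (192,0,2,10,4,5)",
    "227 Entering Passive Mode (192,0,2,10,137,24)",
]

if __name__ == "__main__":
    print(check_session(SAMPLE_LOG, (1025, 1050), "21,1025-1050"))
```

A reply whose port falls outside the daemon's configured range means the PassivePorts setting is not in effect for that session; a port inside the range but outside the allow-list points at the firewall rules instead.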
     