ProFTPD Passive Configuration

[wh7702]

Hello all.

I seem to be having issues getting ProFTP to listen/communicate on passive ports.

I've added

PassivePorts 1025 1050

to my proftpd.conf file

and opened 1025 - 1050 on my filewall, however it dosnt seem to be working properly.

I dont seem to find much on these forums or at the proftp wages either...

Any suggestions/comments?

Matt

 

[DigitalN]

How many clients do you have ? You'd usually need more than 25 ports for passive usage, maybe twice the number of your clients would be a rule of thumb.

 

[wh7702]

I'm the only one connected...

 

[wh7702]

Cant seem to put my finger on it.

netstat confirms pureftp (switched to pureftpd btw) is running properly and utilizing the correct ports.

I can connect to the server, browse directories, and even download data. However, when I try to place data on the server, I get a 550 error. Normally 550 is no permissions, however I do have permissions, and if I remove the firewall it does allow me to upload data fine.

I have 21,1025-1050 open.

Should work fine or am I missing someting?

Matt

 

[DigitalN]

Try opening port 20 in your firewall as well - that may help.

 

[chirpy]

Are you using an SPI firewall such as APF? If so, there's no need at all to open up ephemeral ports for PASV FTP, as they're allowed due to the existing port 21 connection. IF that is the case, there's also no need to specify the port range in the ftp daemon configuration since any unused ephemeral port will do.

If you're using a non-SPI firewall, do you actually login and then it freezes? If you cannot even login, then the problems are elsewhere since it doesn't enter PASV mode until you've authenticated (IIRC).

 

[wh7702]

I figured it out.

When I enabled "FTP Services" on the firewall, it turned on "FTP Proxy Services". No indication at all thats what it was. I blindly assumed "FTP Services" meant it was opening 20/21, then I added 1025-1050. Wasnt the case...

All is well now.

Thanks guys,

Matt

 

[procam]

Are you using an SPI firewall such as APF? If so, there's no need at all to open up ephemeral ports for PASV FTP, as they're allowed due to the existing port 21 connection. IF that is the case, there's also no need to specify the port range in the ftp daemon configuration since any unused ephemeral port will do.

If you're using a non-SPI firewall, do you actually login and then it freezes? If you cannot even login, then the problems are elsewhere since it doesn't enter PASV mode until you've authenticated (IIRC).

Why is it that what you say simply doesnt work in this case ??
I have diddled with this on numerous servers off and on for MONTHS ~ my solution at best is to open 35000_36000 in apf and open them and uncomment the pureftp conf to passive connections on 35000 36000 and ftp works as it should - if I remove those ftp runs like its a cobalt raq unit from 1990 HORRIBLE connections dropped ftps and all my customers complain.....
Chirpy yer sposed to be the cpanel god man ~ what gives why do I see in thread after thread you say we shouldnt open these but it wont work any other way ~
Lettuce get to the beef of this at last please can you enlighten me please.

 

[chirpy]

I have never had to open a hole in the APF firewall for passive FTP. IF you are having to, you may be blocking static ports that you shouldn't be (i.e. 20 and 21). Also, do make sure you're using the latest APF as recent ones have been very buggy and I have had problems on some servers with the very latest release too. In those cases I've used a different SPI firewall script also without a hole in it.

 

[Vatoloco]

I have never had to open a hole in the APF firewall for passive FTP. IF you are having to, you may be blocking static ports that you shouldn't be (i.e. 20 and 21). Also, do make sure you're using the latest APF as recent ones have been very buggy and I have had problems on some servers with the very latest release too. In those cases I've used a different SPI firewall script also without a hole in it.

What issues could arise from blocking 21? I changed the default port for ProFTP awhile ago and when I setup APF I went through /etc/apf/conf.apf and removed all instances of 21 and replaced it with my custom port. I also had to unblock 35000_36000.