# proftpd: no access for passive mode behind NAT

## corrosif

Hi,

I am experiencing some difficulties with a rather classic problem: accessing an ftp which is behind a NAT.

Everything is working fine in active mode, but passive mode doesn't work when accessing from outside the local network.

My server is proftpd v1.3.1.

The router is a Netgear Wireless Cable Voice Gateway CBVG834G.

ServerType is standalone.

Port is set to default value 21.

PassivePorts is set to range: 55536 -> 56559.

MasqueradeAddress is set to the IP given by my internet provider.

For the moment, there is no firewall on the server nor on the router.

The NAT is configured this way:

Ports 20 -> 21 (both TCP and UDP) are redirected to the local IP of the server (192.168.0.4).

Ports 55536 -> 56559 (both TCP and UDP) are redirected to the local IP of the server (192.168.0.4).

When accessing the FTP server from the outside, I get the following from the FTP client:

```
(...)
Command :   PASV
Error :   Timeout
Trace :   CFtpControlSocket::ResetOperation(2114)
Trace :   CControlSocket::ResetOperation(2114)
Trace :   CFtpControlSocket::ResetOperation(2114)
Trace :   CControlSocket::ResetOperation(2114)
Erreur :   Can't list directory
```

On the server, the log shows the following:

```
Entering Passive Mode (xx,xx,xx,xx,220,103)
dispatching POST_CMD command 'PASV' to mod_sql
dispatching LOG_CMD command 'PASV' to mod_sql
dispatching LOG_CMD command 'PASV' to mod_log
ROOT PRIVS at mod_auth_pam.c: 163
ROOT PRIVS: ID switching disabled
PRIVS_RELINQUISH: ID switching disabled
FTP session closed.
```

The IP: xx,xx,xx,xx is matching the one given by my internet provider.

The port 220*256 + 103 = 56423 is inside my redirected port interval which is 55536 -> 56559.

I think active mode is working because the PORT command sent by the client incorporates information about the IP address and the port.

On the contrary, in passive mode, the client is sending a PASV command without arguments, and it is the job of the server to send this information back to the client.

Do you have any clue why the server doesn't send the PASV response to the client in passive mode?

Thanks!
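The post above works out the passive port by hand (220*256 + 103 = 56423) and checks it against the forwarded range. The following is an added example, not code from the thread or from ProFTPD, that does the same check programmatically: it decodes the h1,h2,h3,h4,p1,p2 tuple that both the server's 227 PASV reply and the client's PORT command carry, and then verifies that a PASV reply observed from outside the NAT advertises the expected public address and a port inside the PassivePorts range. The public address `203.0.113.10` is a constructed placeholder standing in for the provider-assigned IP; the port range is the one from the post.

```python
"""Decode FTP PASV replies / PORT commands and check a PASV reply against the
expected NAT setup (MasqueradeAddress + PassivePorts).

Added example for this thread, not ProFTPD code.  The constants below are
constructed: replace them with your own public IP and PassivePorts range.
"""
import re

# Constructed placeholder for the provider-assigned public IP (RFC 5737 doc range).
EXPECTED_PUBLIC_IP = "203.0.113.10"
# PassivePorts range quoted in the thread, also the range forwarded on the router.
PASSIVE_PORT_RANGE = (55536, 56559)

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple shared by PASV replies and PORT commands.

    Returns (ip, port) with port = p1*256 + p2, as specified in RFC 959.
    Works on a full reply line or on a bare log line such as the one in the thread.
    """
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in: %r" % text)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def parse_pasv_reply(line):
    """Parse a server '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    if not line.startswith("227"):
        raise ValueError("not a 227 PASV reply: %r" % line)
    return parse_hostport(line)


def parse_port_command(line):
    """Parse a client 'PORT h1,h2,h3,h4,p1,p2' command (active mode)."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command: %r" % line)
    return parse_hostport(arg)


def check_pasv_reply(line, public_ip=EXPECTED_PUBLIC_IP, port_range=PASSIVE_PORT_RANGE):
    """Return a list of problems with a PASV reply as seen from outside the NAT.

    An empty list means the advertised endpoint matches the MasqueradeAddress and
    falls inside the forwarded PassivePorts range; any other mismatch is reported.
    """
    problems = []
    ip, port = parse_pasv_reply(line)
    if ip != public_ip:
        problems.append("advertised %s, expected MasqueradeAddress %s" % (ip, public_ip))
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append("port %d outside PassivePorts %d-%d" % (port, lo, hi))
    return problems


if __name__ == "__main__":
    # Constructed sample lines; the 220,103 pair is the one from the server log above.
    print(parse_port_command("PORT 192,168,0,4,4,1"))
    print(check_pasv_reply("227 Entering Passive Mode (203,0,113,10,220,103)"))
    # A server that has no MasqueradeAddress leaks its private address instead:
    print(check_pasv_reply("227 Entering Passive Mode (192,168,0,4,220,103)"))
```

Running the script against a captured 227 line separates the two usual NAT failures: a private address in the reply (MasqueradeAddress missing or wrong) and a port outside the forwarded range (PassivePorts and the router rules out of sync). A reply that passes both checks, as the one in the post does, points the investigation elsewhere, such as the router or the server never delivering the reply on the control connection.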

----------

## richard.scott

*corrosif wrote:*

> Do you have any clue why the server doesn't send the PASV response to the client in passive mode?

It's due to your connection being NAT'd.

See this page:

http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-NAT.html

Quote:

> Configuring ProFTPD behind NAT
> 
> First configure your installed proftpd so that it works correctly from inside the NAT. There are example configuration files included with the source. Then add the MasqueradeAddress directive to your proftpd.conf file to define the public name or IP address of the NAT. For example:
> 
>   MasqueradeAddress	ftp.mydomain.com  # using a DNS name
> ...

Hope this helps,

Rich

----------

## corrosif

Thanks for your response.

I didn't mention that on my first post, but my proftpd configuration already includes address masquerading (with the IP given to me by my internet provider).

And the PassivePorts directive is set with 55536 -> 56559.

So, from what you are quoting, everything seems to have been done correctly on my side...

Unfortunately, my server seems to be unable to give back the PASV response to the distant FTP client... and I wonder why.

----------

## richard.scott

Have you configured your NAT router to forward all ports in the PassivePorts range to the FTP server?

----------

## corrosif

Yes, as you can read in my first post:

*Quote:*

> The NAT is configured this way:
> 
> Ports 20 -> 21 (both TCP and UDP) are redirected to the local IP of the server (192.168.0.4).
> 
> Ports 55536 -> 56559 (both TCP and UDP) are redirected to the local IP of the server (192.168.0.4).

----------

## richard.scott

What's this part for in your output?

```
dispatching POST_CMD command 'PASV' to mod_sql
dispatching LOG_CMD command 'PASV' to mod_sql
dispatching LOG_CMD command 'PASV' to mod_log
ROOT PRIVS at mod_auth_pam.c: 163
ROOT PRIVS: ID switching disabled
PRIVS_RELINQUISH: ID switching disabled
```

It looks like PAM is rejecting the login?

----------

