# [SOLVED] proftpd: can't get file listing from the server

## urcindalo

Hi and thanks for reading this.

Since a month ago or so my proftpd server is malfunctioning: I can't get the directory listing. This is what I've emerged:

```
[ebuild   R   ] net-ftp/proftpd-1.3.1_rc2-r1  USE="acl authfile ipv6 ldap mysql ncurses nls pam postgres ssl tcpd -clamav -hardened -ifsession -noauthunix -opensslcrypt -radius -rewrite (-selinux) -shaper -sitemisc -softquota -vroot -xinetd" 0 kB
```

If I connect to "localhost" from within my own server everything's OK:

```
myname@myserver ~ $ ftp localhost
Connected to localhost (127.0.0.1).
220 ProFTPD 1.3.1rc2 Server (ProFTPD Default Installation) [::ffff:127.0.0.1]
Name (localhost:myname): 
500 AUTH not understood
SSL not available
331 Password required for myname
Password:
230 User myname logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxr-xr-x   2 myname   users          80 May  2  2006 autosave
drwxr-xr-x  11 myname   users         888 May  8 10:48 Config
drwx------  11 myname   users        1120 May 23 08:35 Desktop
[.......]
226 Transfer complete
ftp> quit
221 Goodbye.
```

If, however, I connect using my box's DNS name, I get an error whenever I want to retrieve the directory listing. It even happens from within the server itself:

```
myname@myserver ~ $ ftp myserver.mydomain.xx
[.....]
ftp> dir
200 PORT command successful
425 Unable to build data connection: Refused connection
ftp> quit
221 Goodbye.
```

Since everything was working OK in the past, and I've changed nothing, I wonder why this is happening. This is the relevant content of my /etc/hosts file:

```
127.0.0.1       localhost
XXX.XXX.XXX.XXX  myserver.mydomain.xx   myserver
# IPV6 versions of localhost and co
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
```

and this is my /etc/proftpd/proftpd.conf:

```
# This is a basic ProFTPD configuration file (rename it to 
# 'proftpd.conf' for actual use. It establishes a single server
# and a single anonymous login. It assumes that you have a user/group
# "nobody" and "ftp" for normal operation and anonymous access.

ServerName                      "ProFTPD Default Installation"
ServerType                      standalone
DefaultServer           on
RequireValidShell       off
AuthPAM                         off
AuthPAMConfig           ftp

# Port 21 is the standard FTP port.
Port                            21

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit the maximum number of processes per service
# (such as xinetd).
MaxInstances            30

# Set the user and group under which the server will run.
User                            ftp
Group                           ftp
#User                           proftpd
#Group                          proftpd

# Normally, we want files to be overwriteable.
<Directory />
        AllowOverwrite          on
</Directory>

# A basic anonymous configuration, with no upload directories.
<Anonymous ~ftp>
        User                            ftp
        Group                           ftp

        # We want clients to be able to login with "anonymous" as well as "ftp".
        UserAlias                       anonymous ftp

        # Limit the maximum number of anonymous logins.
        MaxClients                      10

        # We want 'welcome.msg' displayed at login, and '.message' displayed
        # in each newly chdired directory.
        DisplayLogin                    welcome.msg
#       DisplayFirstChdir               .message

        # Limit WRITE everywhere in the anonymous chroot.
        <Limit WRITE>
                DenyAll
        </Limit>
</Anonymous>
```

Any clue is much appreciated. Currently I don't have remote ftp access to my server.

Last edited by urcindalo on Fri May 25, 2007 9:42 pm; edited 1 time in total

----------

## mudrii

check the firewall for closed port 20

what type of connection is configured, passive or active ftp?

if you are using passive ftp check that the port range is open,

check the authentication type too: is it from local users, from a DB or from virtual users.

```
AUTH not understood
```

I have not used proftpd for a long time; you could try vsftpd if you are not using virtual ftp domains, it is small and fast.

----------

## urcindalo

Thanks for your answer. I unmerged proftpd and installed vsftpd, to no avail.

However, I've found out the problem lies in my iptables config, because if I stop iptables everything's back to normal. Since I haven't changed my iptables rules for a long time, I guess one of the kernel or other package upgrades in the recent past must be the culprit.

This is my current iptables policy (as I said, working in the past and not changed in a long while):

```
# Generated by iptables-save v1.3.4 on Wed Mar 22 22:31:27 2006
*raw
:PREROUTING ACCEPT [46975:14020864]
:OUTPUT ACCEPT [39597:4677724]
COMMIT
# Completed on Wed Mar 22 22:31:27 2006
# Generated by iptables-save v1.3.4 on Wed Mar 22 22:31:27 2006
*nat
:PREROUTING ACCEPT [1634:298393]
:POSTROUTING ACCEPT [593:47528]
:OUTPUT ACCEPT [593:47528]
COMMIT
# Completed on Wed Mar 22 22:31:27 2006
# Generated by iptables-save v1.3.4 on Wed Mar 22 22:31:27 2006
*mangle
:PREROUTING ACCEPT [46975:14020864]
:INPUT ACCEPT [46658:13963678]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [39597:4677724]
:POSTROUTING ACCEPT [39812:4711878]
COMMIT
# Completed on Wed Mar 22 22:31:27 2006
# Generated by iptables-save v1.3.4 on Wed Mar 22 22:31:27 2006
#*filter
#:INPUT ACCEPT [46658:13963678]
#:FORWARD ACCEPT [0:0]
#:OUTPUT ACCEPT [39597:4677724]
#part of this comes from http://gentoo-wiki.com/HOWTO_Iptables_for_newbies
*filter
:INPUT ACCEPT [5:5903]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1192099:595387635]
# accept all from localhost
-A INPUT -s 127.0.0.1 -j ACCEPT
# for the VMware local network
-A INPUT -s 192.168.123.128/25 -j ACCEPT
-A OUTPUT -s 192.168.123.128/25 -j ACCEPT
-A INPUT -s 192.168.67.128/25 -j ACCEPT
-A OUTPUT -s 192.168.67.128/25 -j ACCEPT
# accept all previously established connections
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# ssh
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# ftp / webserver related
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
# Windows / Samba
-A INPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 137:139 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 426 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
# VNC
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1417:1420 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5900:5902 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5900:5902 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5800:5802 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5800:5802 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5500:5502 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 5500:5502 -j ACCEPT
# reject everything else
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Wed Mar 22 22:31:27 2006
```

Any clue?

Thanks in advance.

----------

## mudrii

for proftpd, if it is using passive connections then you will need to enable a lot more ports, exactly a port range for data transfer.

check this info that may help you: http://slacksite.com/other/ftp.html

and check RFC 959 for more details on the ftp protocol

regards
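
The two posts above (the iptables dump with its `--dport 20` rule, and the note that passive mode needs a whole port range) can be checked without touching a live firewall. The block below is an added example, not code from the thread or from the ProFTPD project: it is a small first-match simulator for the posted INPUT chain that models only the options those rules use (`-s`, `-p`, `-m state --state`, `--dport`/`--sport`) and takes the conntrack state as an input. It walks the same FTP data connections the thread describes. In active mode (the `PORT` path shown in the session) the server connects *from* port 20 *to* the client's ephemeral port, so a `--dport 20` rule never sees that connection; when the client is the server itself, as in the thread, its own INPUT chain then hits the final REJECT, which is an ICMP port-unreachable and shows up as "Refused connection". The kernel's FTP connection-tracking helper (`ip_conntrack_ftp` on 2.6 kernels of that era, `nf_conntrack_ftp` later) classifies the data connection as RELATED, which the existing state rule already accepts; that is the route the example shows rather than accepting any NEW packet with source port 20, since a source port is chosen by the peer and is not worth trusting. The IP addresses (203.0.113.10 for the post's XXX.XXX.XXX.XXX, 198.51.100.7 for a remote client), the ephemeral ports and the passive range 49152-49200 (which would need a matching `PassivePorts 49152 49200` line in proftpd.conf) are all constructed for the example.

```python
"""Added example (not from the thread): first-match simulator for the posted
INPUT chain.  Only the match options those rules use are modelled, and the
conntrack state (NEW/ESTABLISHED/RELATED) is supplied with each packet."""
import ipaddress
import shlex
from dataclasses import dataclass

# Subset of the posted filter-table rules: constructed by dropping the byte
# counters and the unrelated services, with the original order preserved.
POSTED_INPUT_RULES = """
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
"""

# Hypothetical passive-mode range; it must agree with a
# "PassivePorts 49152 49200" directive in proftpd.conf.
PASSIVE_RULE = "-A INPUT -p tcp -m state --state NEW -m tcp --dport 49152:49200 -j ACCEPT"
RULES_WITH_PASSIVE_RANGE = POSTED_INPUT_RULES.replace(
    "-A INPUT -j REJECT", PASSIVE_RULE + "\n-A INPUT -j REJECT")

SERVER_IP = "203.0.113.10"  # stands in for the post's XXX.XXX.XXX.XXX (constructed)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int
    state: str   # conntrack classification: NEW, ESTABLISHED or RELATED


def parse_rule(line):
    """Turn one `-A INPUT ...` line into a dict of match criteria plus target."""
    toks = shlex.split(line)
    rule = {}
    i = 0
    while i < len(toks):
        opt = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if opt == "-A":
            rule["chain"] = arg
        elif opt == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif opt == "-p":
            rule["proto"] = arg
        elif opt == "--state":
            rule["states"] = set(arg.split(","))
        elif opt in ("--dport", "--sport"):
            lo, _, hi = arg.partition(":")        # "137:139" or a single port
            rule[opt[2:]] = (int(lo), int(hi or lo))
        elif opt == "-j":
            rule["target"] = arg
        elif opt not in ("-m", "--reject-with"):  # module name / reject type: no match
            raise ValueError(f"unsupported option {opt!r}")
        i += 2
    return rule


def matches(rule, pkt):
    """Every criterion present in the rule must hold (iptables ANDs its matches)."""
    if "src" in rule and ipaddress.ip_address(pkt.src) not in rule["src"]:
        return False
    if "proto" in rule and rule["proto"] != pkt.proto:
        return False
    if "states" in rule and pkt.state not in rule["states"]:
        return False
    for key, port in (("dport", pkt.dport), ("sport", pkt.sport)):
        if key in rule and not rule[key][0] <= port <= rule[key][1]:
            return False
    return True


def verdict(rules_text, pkt, policy="ACCEPT"):
    """First matching rule wins, as in a real chain; the chain policy applies otherwise."""
    for line in rules_text.strip().splitlines():
        if line and not line.startswith("#"):
            rule = parse_rule(line)
            if matches(rule, pkt):
                return rule["target"]
    return policy


def active_data_connection(client_ip, state="NEW"):
    """After PORT, the server connects FROM port 20 TO the client's ephemeral port.
    In the thread the client is the server itself, so its own INPUT chain sees a
    packet with sport 20 and an ephemeral dport (40123 is constructed)."""
    return Packet(src=client_ip, dst=client_ip, proto="tcp", sport=20, dport=40123, state=state)


def passive_data_connection(client_ip, announced_port):
    """After PASV, the client connects to the port the server announced."""
    return Packet(src=client_ip, dst=SERVER_IP, proto="tcp", sport=40124,
                  dport=announced_port, state="NEW")


if __name__ == "__main__":
    print("localhost, active            :", verdict(POSTED_INPUT_RULES, active_data_connection("127.0.0.1")))
    print("DNS name, active             :", verdict(POSTED_INPUT_RULES, active_data_connection(SERVER_IP)))
    print("DNS name, active, FTP helper :", verdict(POSTED_INPUT_RULES, active_data_connection(SERVER_IP, "RELATED")))
    print("remote client, passive       :", verdict(POSTED_INPUT_RULES, passive_data_connection("198.51.100.7", 49160)))
    print("remote client, passive, range:", verdict(RULES_WITH_PASSIVE_RANGE, passive_data_connection("198.51.100.7", 49160)))
```

Run as-is it prints ACCEPT for the localhost case (the `-s 127.0.0.1` rule fires first, which is why that session worked) and REJECT for the same data connection arriving from the box's public address, which is the posted symptom; with the connection classified RELATED, or with the passive range opened, the verdict flips to ACCEPT. The simulator only evaluates INPUT on the machine whose rules are given, so for a remote client in active mode the relevant chain is the client's, not this one.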

----------

## urcindalo

 *mudrii wrote:*   

> for proftpd, if it is using passive connections then you will need to enable a lot more ports, exactly a port range for data transfer.
> 
> check this info that may help you: http://slacksite.com/other/ftp.html
> 
> and check RFC 959 for more details on the ftp protocol
> ...

Thanks again. I've updated my iptables rules accordingly, but the problem persists. Since this is no longer a proftpd problem, but an iptables one, I will keep trying to solve this issue in this thread, since the problem described there is exactly like mine.

----------

## urcindalo

Well, I think I solved the problem. Details in this thread.

----------

## mudrii

so the problem was of a different nature

----------

