# [SOLVED] pure-ftpd issues [needed FTP connection tracking]

## erik258

hey all, I just started my ftp server and remembered the problem I was having.  I can connect just fine but I can't get/send any data.  I can change directories, but that's all.  Log says all is peachy, I'm logged in.  But if I 'ls' or 'put [local-file]' the client just hangs, lftp saying 'making data connection...' forever.

Does anybody have this problem or know a solution?  Or recommend a different ftp server?

Thanks much and regards!

----------

## malern

Sounds like a firewall issue. FTP works using two separate connections, a control connection for sending commands, and a data connection for sending/receiving files or file listings. Sounds like your control connection is successfully established, but it can't make the data connection.

Normally it's the ftp server that creates the data connection to the client, unless you specify PASV mode, in which case the client initiates the connection to the server. Also, there's no fixed port for the data connection, which makes creating firewall rules for it a bit tricky.

The easiest way to get it working would be to set up pure-ftpd to only use a small range of ports for the data connection, using the '-p <first port>:<last port>' option. Then make sure your server firewall will allow those ports. And then always use passive mode for transfers.

However, if you're setting up a server for personal use then I'd strongly recommend using sftp (with openssh) instead. It uses a single port and is far more secure.

----------

## cach0rr0

IIRC passive ftp requires you effectively make swiss cheese of your firewall, whereas active (native) FTP only requires the one port. 

If this is active...do you have any OUTPUT rules in iptables?

To confirm whether or not this is a firewall, stop iptables via the init script, and test again. 

I normally see this when a client attempts passive FTP, but the firewall doesn't allow the shit tonnes of ports necessary for passive.

----------

## malern

Active still requires data ports to be open, but on the client side rather than the server side. Which means you'll have to configure the firewall on each client instead. You could also enable the ip_conntrack_ftp module in the kernel, which monitors the control connection and allows the corresponding data connections through the firewall.

Here's a good webpage that shows the difference between active and passive

http://slacksite.com/other/ftp.html
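To make malern's two points concrete (the PASV port range with a static rule, and the conntrack helper that watches the control channel), here is an added example that is not from this thread: a small Python model of what the FTP conntrack helper does. It parses PORT and 227 lines, records the data connection each one announces, and classifies a later connection as RELATED or NEW. The hosts, ports and session lines are constructed, and requiring the announced address to match the control peer is an assumption (a simplification of the helper's strict behaviour).

```python
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_hostport(fields):
    """FTP encodes h1,h2,h3,h4,p1,p2; the port is p1*256 + p2."""
    return ".".join(fields[:4]), int(fields[4]) * 256 + int(fields[5])

def expected_data_connection(line, client_ip, server_ip):
    """Return (src_ip, dst_ip, dst_port) the firewall should expect after one
    control-channel line, or None. Assumption: an announced address that is
    not the control peer is ignored (simplified strict helper behaviour)."""
    m = PORT_RE.match(line)
    if m:                       # active: server connects out to the client
        host, port = decode_hostport(m.groups())
        return (server_ip, host, port) if host == client_ip else None
    m = PASV_RE.match(line)
    if m:                       # passive: client connects to the server
        host, port = decode_hostport(m.groups())
        return (client_ip, host, port) if host == server_ip else None
    return None

def track_session(lines, client_ip, server_ip):
    """Walk the control channel and collect every announced data connection."""
    expected = set()
    for line in lines:
        exp = expected_data_connection(line.strip(), client_ip, server_ip)
        if exp:
            expected.add(exp)
    return expected

def conntrack_state(src_ip, dst_ip, dst_port, expected):
    """RELATED if the helper announced this flow (a RELATED,ESTABLISHED accept
    rule lets it through); otherwise NEW, so a static rule would be needed."""
    return "RELATED" if (src_ip, dst_ip, dst_port) in expected else "NEW"

def in_static_pasv_range(dst_port, pasv_range=(30000, 30009)):
    """The fallback without the helper: pure-ftpd -p 30000:30009 plus an
    INPUT rule for exactly that range (range value is constructed)."""
    lo, hi = pasv_range
    return lo <= dst_port <= hi

# Constructed control-channel excerpt: client 192.0.2.10, server 198.51.100.5.
SESSION = [
    "PORT 192,0,2,10,4,1",                               # active, client port 1025
    "227 Entering Passive Mode (198,51,100,5,117,48)",   # passive, server port 30000
    "227 Entering Passive Mode (203,0,113,9,117,49)",    # third-party host: ignored
]
```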

----------

## erik258

*Quote:*

> You could also enable the ip_conntrack_ftp module in the kernel, which monitors the control connection and allows the corresponding data connections through the firewall.

Duh.  I should have realized that.  And I did realize that when I built the kernel; I only need to do a

```
modprobe nf_conntrack_ftp
```

to get it working.  

Thanks.

----------

