# No passive FTP to my server

## eje211

I have an FTP server and I can only connect through an active connection. I don't think it is an ftp configuration file problem because my config files are pretty standard and the active connection works with both proftpd and vsftpd and the passive connection works with neither. I don't use iptables; ports 20 and 21 are properly set up in /etc/services.

I recently upgraded proftpd by unmerging proftpd, emerging the new ftp-base and re-merging proftpd. I think the problem comes from the new ftp-base.

What could the problem be?

Thanks

----------

## titix

In your proftpd.conf, try adding this:

```
PassivePorts 50000 50100
```

And open all ports between 50000 and 50100 if you've got a NAT.

----------

## eje211

Thanks for the reply, titix!

I tried the PassivePorts instruction, but it didn't do any good. The server does not use NAT.

Also, after someone makes a passive connection, the server has to be killed with a -9 option and then restarted. (It does not die without the -9 option.) Until it is killed and then restarted that way, it does not respond. (At least not with the same user.)

----------

## eje211

Update:

The moment when everything freezes is when the PASV command is sent.

What prevents the server from shutting down gracefully is when I try to make a connection after a previous one has frozen the server.

If I use

```
lftp localhost
```

from the server (as opposed to a remote client) everything works. I have NO idea what that means.

Here's my config, just in case:

```
ServerName          "..."
ServerType          standalone
DefaultServer       on
RequireValidShell   off
AuthPAM             on
AuthPAMConfig       ftp

# Port 21 is the standard FTP port.
Port                            21

MasqueradeAddress xxxx.xxx
PassivePorts 60000 60100

# ScoreboardFile                        /var/run/proftpd/proftpd.score

# Umask 022 is a good standard umask to prevent new dirs and files
# from being group and world writable.
Umask                           022

# To prevent DoS attacks, set the maximum number of child processes
# to 30.  If you need to allow more than 30 concurrent connections
# at once, simply increase this value.  Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd).
MaxInstances                    30

# Set the user and group under which the server will run.
User                            ftp
Group                           ftp

# Normally, we want files to be overwriteable.
<Directory />
  AllowOverwrite                on
</Directory>

DefaultRoot ~ ftpuser

<Limit LOGIN>
DenyGroup !ftpuser
</Limit>

# disable root login and require a valid shell (from /etc/shells)
<Global>
RootLogin off
RequireValidShell off
</Global>

# increase
UseReverseDNS off
IdentLookups off

# Logging formats
LogFormat default "%h %l %u %t \"%r\" %s %b"
LogFormat auth "%v [%P] %h %t \"%r\" %s"
LogFormat write "%h %l %u %t \"%r\" %s %b"

# activate logging
# every login
ExtendedLog /var/log/ftp_auth.log AUTH auth
# file/dir access
ExtendedLog /var/log/ftp_access.log WRITE,READ write
# for the paranoid (big logfiles!)
#ExtendedLog /var/log/ftp_paranoid.log ALL default
```

This is my pam ftp file:

```
# Provided by ftpbase (dont remove this line!)
# Standard pam.d file for ftp service packages.
# $Header: /var/cvsroot/gentoo-x86/net-ftp/ftpbase/files/ftp-pamd-include,v 1.1 2005/06/28 14:52:26 uberlord Exp $

auth     required  pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth     include   system-auth

# If this is enabled, anonymous logins will fail because the 'ftp' user does
# not have a "valid" shell, as listed in /etc/shells.
#
# If you enable this, it is recommended that you do *not* give the 'ftp'
# user a real shell. Instead, give the 'ftp' user /bin/false for a shell and
# add /bin/false to /etc/shells.
# auth     required  pam_shells.so

account  include   system-auth
session  include   system-auth
```

and this is the one from before ftp-base was re-merged:

```
#%PAM-1.0
auth       required     /lib/security/pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
auth       required     /lib/security/pam_pwdb.so shadow nullok

# If this is enabled, anonymous logins will fail because the 'ftp' user does
# not have a "valid" shell, as listed in /etc/shells.
#
# If you enable this, it is recommended that you do *not* give the 'ftp'
# user a real shell. Instead, give the 'ftp' user /bin/false for a shell and
# add /bin/false to /etc/shells.
#auth       required    /lib/security/pam_shells.so

account    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_pwdb.so
```

I'm no pam expert and I'm not sure of what they mean.

Can anyone help?

----------

## gouranga

Try this to solve the PASV freeze problem:

```
AllowForeignAddress on
```

This worked for me.

----------

## eje211

Gouranga,

After reading your post, I tried adding the option, but it didn't change anything. I think the problem is not with proftpd but somewhere else in the Gentoo config.

But still, thanks for the advice.

----------

## gouranga

A few days ago, I had exactly the same problem.

The ftp session was hanging when the PASV command was sent.

This was because I had not configured the ports.

In the LAN everything was working fine,

but when I tried to connect from the internet to the ftp in the lan, the PASV session hung.

My passive port range is

```
PassivePorts 49152 49155
```

Maybe you can try this range.

If it's a pam problem, you can check /var/log/everything/current

----------

## eje211

As you can see from my config files above, the passive ports are set. However, it seems that they're not taken into account when connecting. In gftp the transcript is:

```
SYST
215 UNIX Type: L8
TYPE I
200 Type set to I
PWD
257 "/" is current directory.
Loading directory listing / from server (LC_TIME=fr_FR)
PASV
227 Entering Passive Mode (138,37,63,100,134,130).
```

And then hangs. Shouldn't the numbers after 227 match the passive ports range?

----------

## gouranga

Same problem over here right now.

I changed the DefaultRoot directive to ~

```
PassivePorts 49152 49155
```

PASV hangs:

```
Entering Passive Mode (192,168,1,113,192,0)
```

I asked myself the same question: what is 192,0 doing there?

After some time I see this entry:

```
localhost (84.194.47.254[84.194.47.254]) - unable to find open port in PassivePorts range 49152-49155: defaulting to INPORT_ANY
```

Pretty strange: when the DefaultRoot directive is /dir1, PASV is working fine.
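Both eje211's and gouranga's questions above come down to how a 227 reply encodes the data endpoint: the six numbers are h1,h2,h3,h4,p1,p2, the host is h1.h2.h3.h4 and the port is p1*256 + p2. So 134,130 decodes to port 34434 (outside the 60000-60100 range in eje211's config) and 192,0 decodes to 49152 (the first port of gouranga's 49152-49155 range). The script below is an added example written for this page, not something posted in the thread or shipped with proftpd; it decodes a 227 reply and reports whether the advertised port is inside the configured PassivePorts range and, optionally, whether the advertised host matches the address the client actually connected to (the MasqueradeAddress case, where a LAN address such as 192.168.1.113 is advertised to a client on the internet). The function names and the `expected_host` parameter are my own; the two sample replies are the ones quoted in the thread.

```python
"""Decode FTP 227 (PASV) replies and check them against a PassivePorts range."""
import re

# Matches the six comma-separated numbers of a 227 reply, whether or not the
# surrounding "Entering Passive Mode" text and parentheses are present.
PASV_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_pasv_reply(reply):
    """Return (host, port) from a reply such as
    '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).'  Port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field larger than a byte in reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = nums
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv_reply(reply, low, high, expected_host=None):
    """Compare what the server advertised with what the operator configured.

    low/high:       the PassivePorts range from proftpd.conf (inclusive).
    expected_host:  the address the client really connected to (e.g. the
                    public address behind MasqueradeAddress); when given, a
                    mismatch is reported as a finding.
    Returns a dict with the decoded host and port and a list of findings
    (an empty list means the reply is consistent with the configuration).
    """
    host, port = parse_pasv_reply(reply)
    findings = []
    if not low <= port <= high:
        findings.append(
            "data port %d is outside PassivePorts %d-%d: the server fell back "
            "to an arbitrary port, so a firewall or NAT that only opens the "
            "configured range will drop the data connection" % (port, low, high))
    if expected_host is not None and host != expected_host:
        findings.append(
            "advertised host %s differs from the address the client reached (%s): "
            "clients outside the LAN cannot use it; set MasqueradeAddress"
            % (host, expected_host))
    return {"host": host, "port": port, "findings": findings}


# Constructed sample set: the two 227 lines quoted in this thread, paired with
# the PassivePorts range each poster said was configured.
SAMPLES = [
    ("227 Entering Passive Mode (138,37,63,100,134,130).", 60000, 60100),
    ("227 Entering Passive Mode (192,168,1,113,192,0)", 49152, 49155),
]

if __name__ == "__main__":
    for reply, low, high in SAMPLES:
        result = check_pasv_reply(reply, low, high)
        status = "OK" if not result["findings"] else "PROBLEM"
        print("%s -> %s:%d [%s]" % (reply, result["host"], result["port"], status))
        for finding in result["findings"]:
            print("    " + finding)
```

Run it as-is and the first sample is flagged (port 34434 is not in 60000-60100), while the second passes the range check; pass `expected_host` with the server's public address to also catch the private-address case from gouranga's log, where the client 84.194.47.254 was handed 192.168.1.113.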

----------

## eje211

I changed the DefaultRoot to /dir, but it still hangs.

----------

