# ProFTPD - problem with MLSD

## najkon

Hi,

It seems so easy to install an FTP server by choosing ProFTPD with a basic configuration.

Unfortunately, all the calls get stuck around MLSD, also after PASV, and every connection ends with a timeout error.

Can someone help me tackle this so it starts working as it should?  :Sad: 

My config:

```
### /etc/proftpd/proftpd.conf
ServerName              "ProFTPD  Server"
ServerType              standalone
DefaultServer           on
MultilineRFC2228        on
RequireValidShell       off
AuthPAM                 off
AuthPAMConfig           ftp
UseIPv6                 on
UseReverseDNS           off
PassivePorts            57000 58000

# Listen on the standard FTP port 21.
Port 21

# New directories and files should not be group or world writable.
Umask 022

# To prevent DoS attacks set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once simply increase this value.
MaxInstances 30

# The server will run under ftp/ftp.
User ftp
Group ftp

# Every FTP session is "jailed" into the user's home directory.
DefaultRoot ~ !ftp-special

# Generally files are overwritable.
AllowOverwrite on

# Disallow the use of the SITE CHMOD command.
<Limit SITE_CHMOD>
  DenyAll
</Limit>

TransferLog /var/log/proftpd/xferlog
SystemLog   /var/log/proftpd/proftpd.log

<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine        off
ControlsMaxClients    2
ControlsLog           /var/log/proftpd/controls.log
ControlsInterval      5
ControlsSocket        /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine off
</IfModule>

<IfModule mod_facts.c>
FactsAdvertise off
</IfModule>
```

Version: ProFTPD Version 1.3.5e

Loaded ProFTPD modules:

```
/usr/sbin/proftpd -l
Compiled-in modules:
  mod_core.c
  mod_xfer.c
  mod_rlimit.c
  mod_auth_unix.c
  mod_auth.c
  mod_ls.c
  mod_log.c
  mod_site.c
  mod_delay.c
  mod_facts.c
  mod_dso.c
  mod_auth_pam.c
  mod_facl.c
  mod_case.c
  mod_sql.c
  mod_sql_passwd.c
  mod_sql_mysql.c
  mod_sftp.c
  mod_sftp_pam.c
  mod_sftp_sql.c
  mod_tls.c
  mod_tls_shmcache.c
  mod_wrap2.c
  mod_wrap2_file.c
  mod_wrap2_sql.c
  mod_cap.c
  mod_lang.c
```

`emerge proftpd -pv`:

```
[ebuild   R    ] net-ftp/proftpd-1.3.5e::gentoo  USE="acl caps case dso ipv6 mysql ncurses nls pam pcre sftp ssl tcpd -authfile -ban -clamav -copy -ctrls -deflate -diskuse -doc -dynmasq -exec -ident -ifsession -ifversion -kerberos -ldap (-libressl) -log_forensic -memcache -msg -postgres -qos -radius -ratio -readme -rewrite (-selinux) -shaper -sitemisc -snmp -softquota -sqlite {-test} -trace -unique_id -vroot -xinetd" LINGUAS="-bg_BG -en_US -fr_FR -it_IT -ja_JP -ko_KR -ru_RU -zh_CN -zh_TW" 0 KiB
```

iptables:

```
-A INPUT -p tcp -m multiport --dports 57000:58000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
```

The same thing happens even if I remove all iptables rules.

[Moderator edit: changed [quote] tags to [code] tags to preserve output layout. -Hu]

----------

## Quincy

Sounds to me as if there is a problem with a firewall, but you said it's the same with all iptables rules removed?

What are the default policies, and are there other rules in effect (give us an "iptables -L")?

What is the network relationship between client and server (e.g. both in LAN or server on internet, client behind router etc.)?

----------

## Hu

If you need to show iptables rules for public review, always use iptables-save, never iptables -L.

----------

## najkon

 *Quincy wrote:*   

> Sounds to me as if there is a problem with a firewall, but you said it's the same with all iptables rules removed?
> 
> What are the default policies, are there other rules in effect (give us a "iptables -L")?
> 
> What is the network relationship between client and server (e.g. both in LAN or server on internet, client behind router etc.)?

 

The default policies are ACCEPT for all chains when I remove all iptables rules.

But if I have all the rules attached, the default policies are DENY for INPUT and FORWARD, and ACCEPT for OUTPUT.

The relationship between client and server: the server is on the internet.

Here is a log from trying to connect to the FTP server:

```
----------
Connect to: (13.07.2017 11:21:51)
hostname=domain.com
username=najkon
startdir=
domain.com=xx.xx.xx.xxx
220 ProFTPD 1.3.5e Server (ProFTPD  Server) [::ffff:xx.xx.xx.xxx]
USER najkon
331 Password required for najkon
PASS ***********
230 User najkon logged in
SYST
215 UNIX Type: L8
FEAT
211-Features:
 MDTM
 SIZE
 LANG pl-PL.utf8*
 REST STREAM
 UTF8
 EPRT
 EPSV
211 End
HELP SITE
214-HELP
214-CHGRP
214 CHMOD
OPTS UTF8 ON
200 UTF8 set to on
Connect ok!
PWD
257 "/home/najkon" is the current directory
Download catalog
TYPE A
200 Type set to A
PORT 192,168,1,100,225,72
200 PORT command successful
MLSD - PORT failed, try PASV mode!
PASV - PORT failed
QUIT
```

----------

## Quincy

Currently I'm curious that your session log reports:

```
PORT 192,168,1,100,225,72

200 PORT command successful 
```

This is a LAN IP (192.168.1.100) and not an official IP for an internet connection.

Which client software are you using?

Can you connect and change dirs/download something on e.g. ftp://ftp5.gwdg.de/pub/ (a public German FTP)?

@Hu: Why "iptables-save" instead of "iptables -L"?

----------

## szatox

iptables-save provides some information that is omitted by iptables -L.

iptables -L is still useful in some other scenarios though, like iptables -nvL.

----------

## Hu

szatox is correct that iptables-save shows information not shown by iptables -L, which is one reason it is preferable.  However, I disagree that iptables -L is ever more useful for forum posts.  If hit counters are needed, use iptables-save -c.  When posting to the forum, we have no ability to inspect your rules other than what is shown.  For us to model how a packet will traverse the rules, we need to know all the relevant rules.  Showing all rules, as done by iptables-save, serves that purpose most readily.  Other advantages:

- iptables-save defaults to showing all tables.  iptables shows only one table, and by default shows table filter.
- iptables-save defaults to numeric-only resolution; iptables without -n tries to pretty-print some data, which can make it harder for us to understand, particularly when hostnames are substituted.
- As a machine-readable format, iptables-save must print everything necessary for a later iptables-restore to reconstruct the rules.  By default, iptables omits some information to conserve screen space.  Sometimes this information is relevant to the problem at hand.

----------
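What Hu means by "model how a packet will traverse the rules" can be done mechanically once the full iptables-save output is available. The block below is an added example, not part of the original thread: the rule text is constructed from the three rules posted above plus the DROP policy on INPUT that the poster described, and the parser handles only the matchers those rules use (`-p`, `--dport`, `multiport --dports`). The function names are made up for this illustration.

```python
"""Walk a TCP packet through the INPUT chain of an iptables-save dump.

Added example, not part of the original thread. RULES is constructed from
the rules posted in the thread plus a DROP policy for INPUT (the poster
said INPUT and FORWARD default to deny). Only the options those rules use
are understood; anything else raises so that nothing is silently ignored.
"""
import shlex

RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 57000:58000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
"""


def parse_ports(spec):
    """'21' -> [(21, 21)]; '57000:58000,20' -> [(57000, 58000), (20, 20)]."""
    ranges = []
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_filter(text):
    """Return (policies, rules) for the filter table of iptables-save output."""
    policies, rules = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy, _counters = line[1:].split(None, 2)
            policies[chain] = policy
            rules.setdefault(chain, [])
        elif line.startswith("-A "):
            tok = shlex.split(line)
            rule = {"chain": tok[1], "proto": None, "dports": None, "target": None}
            i = 2
            while i < len(tok):
                if tok[i] == "-p":
                    rule["proto"] = tok[i + 1]
                    i += 2
                elif tok[i] in ("--dport", "--dports"):
                    rule["dports"] = parse_ports(tok[i + 1])
                    i += 2
                elif tok[i] == "-j":
                    rule["target"] = tok[i + 1]
                    i += 2
                elif tok[i] == "-m":
                    i += 2  # match-extension name; its own options follow
                else:
                    raise ValueError("unsupported option %r" % tok[i])
            rules.setdefault(rule["chain"], []).append(rule)
    return policies, rules


def verdict(text, chain, proto, dport):
    """First matching rule wins; otherwise the chain policy applies."""
    policies, rules = parse_filter(text)
    for r in rules.get(chain, []):
        if r["proto"] not in (None, proto):
            continue
        if r["dports"] and not any(lo <= dport <= hi for lo, hi in r["dports"]):
            continue
        return r["target"]
    return policies[chain]


if __name__ == "__main__":
    for port in (21, 57500, 58001):
        print("tcp/%d on INPUT -> %s" % (port, verdict(RULES, "INPUT", "tcp", port)))
```

Run against the posted rules, a passive data connection to any port in the PassivePorts range 57000-58000 is accepted, while tcp/58001 falls through to the DROP policy. Note what the model cannot show: in active mode (PORT) the server itself opens the data connection outbound from port 20, so the `--dport 20` INPUT rule never comes into play and the obstacle is on the client's side, which is where this thread ends up.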

## najkon

 *Quincy wrote:*   

> Currently I'm curios that your session log reports:
> 
> ```
> PORT 192,168,1,100,225,72
> 
> ...

 

Yep, IP 192.168.1.100 is the LAN IP of the computer I'm trying to connect to the FTP server from.

I don't know why it's shown there..  :Smile: 

I used the Total Commander 64-bit client, but the same problem occurs if I use the console ftp client on Linux:

```
ftp> open domain.com
Connected to domain.com.
220 ProFTPD 1.3.5e Server (ProFTPD  Server) [::ffff:xx.xxx.xxx.xx]
Name (domain.com:najkon):
331 Password required for najkon
Password:
230 User najkon logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
425 Unable to build data connection: Exceeded time waiting on connection
ftp> dir
450 LIST: Exceeded time waiting on connection
```

As for connecting and downloading/changing dirs on that public FTP in Germany: no problem, it always works:

```
----------
Connect to: (16.07.2017 19:25:53)
hostname=ftp5.gwdg.de
username=anonymous
startdir=
ftp5.gwdg.de=134.76.12.6
220-Welcome to ftp.gwdg.de
220-
220-Dear user of ftp.gwdg.de, we will have a scheduled downtime for FTP
220-at July, 22nd from 7am approx. till 4pm
220-
220 
USER anonymous
331 Please specify the password.
PASS ***********
230 Login successful.
SYST
215 UNIX Type: L8
FEAT
211-Features:
 EPRT
 EPSV
 MDTM
 PASV
 REST STREAM
 SIZE
 TVFS
 UTF8
211 End
HELP SITE
214-The following commands are recognized.
 ABOR ACCT ALLO APPE CDUP CWD  DELE EPRT EPSV FEAT HELP LIST MDTM MKD
 MODE NLST NOOP OPTS PASS PASV PORT PWD  QUIT REIN REST RETR RMD  RNFR
 RNTO SITE SIZE SMNT STAT STOR STOU STRU SYST TYPE USER XCUP XCWD XMKD
 XPWD XRMD
214 Help OK.
OPTS UTF8 ON
200 Always in UTF8 mode.
Connect ok!
CWD /pub/
250 Directory successfully changed.
PWD
257 "/pub"
Download directory
TYPE A
200 Switching to ASCII mode.
PORT 192,168,1,100,229,210
500 Illegal PORT command.
PASV
227 Entering Passive Mode (134,76,12,6,120,161).
LIST
150 Here comes the directory listing.
Downloading
Waiting on server...
226 Directory send OK.
```

----------

## Quincy

Thanks for the iptables clarification!

Back on real topic:

The connection to gwdg.de only succeeds because it denies the PORT command, and then the client continues by trying PASV:

```
PORT 192,168,1,100,229,210
500 Illegal PORT command.
PASV
227 Entering Passive Mode (134,76,12,6,120,161). 
```

This is exactly what I wanted to see. So the problem is that the client issues a PORT command with a private IP that the server doesn't deny (for a deeper explanation see e.g. http://www.raidenftpd.com/kb/kb000000010.html - first good hit when searching).

So either you can force your client not to use the wrong PORT command (see https://www.ghisler.com/efaqftp.htm#NoDownload) or you tell the server not to accept the PORT command at all:

```
  <Limit EPRT PORT>
    DenyAll
  </Limit>
```

----------
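The decision Quincy describes, a server looking at the address a client announces in PORT/EPRT before trying to connect to it, as an added example that is not part of the original thread and not ProFTPD's code. It decodes the PORT argument from the log above (`192,168,1,100,225,72` is 192.168.1.100 port 225*256+72 = 57672), unwraps IPv4-mapped peers like the `::ffff:...` the server logs with UseIPv6 on, and refuses a target that is not the control-connection peer or that names a privileged port (the classic FTP bounce case). The function names and the reply wording are made up for this illustration; the `allow_active=False` path corresponds to the `<Limit EPRT PORT> DenyAll` configuration.

```python
"""Server-side check of the address a client announces in PORT/EPRT.

Added example, not part of the original thread and not ProFTPD code. It
models the situation in the thread: a client behind NAT announced its LAN
address and the server accepted it, so the data connection could never be
built. Function names and reply texts are made up for this illustration.
"""
import ipaddress


def parse_port(arg):
    """Decode the RFC 959 PORT argument h1,h2,h3,h4,p1,p2 -> (ip, port)."""
    fields = arg.split(",")
    if len(fields) != 6:
        raise ValueError("PORT needs six comma-separated numbers")
    nums = [int(f) for f in fields]
    if any(not 0 <= n <= 255 for n in nums):
        raise ValueError("PORT fields must be in 0..255")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def parse_eprt(arg):
    """Decode the RFC 2428 EPRT argument |proto|address|port| -> (ip, port)."""
    if len(arg) < 2 or arg[0] != arg[-1]:
        raise ValueError("EPRT delimiters do not match")
    fields = arg[1:-1].split(arg[0])
    if len(fields) != 3:
        raise ValueError("EPRT needs protocol, address and port")
    proto, addr, port = fields
    ip = ipaddress.ip_address(addr)
    if (proto, ip.version) not in (("1", 4), ("2", 6)):
        raise ValueError("EPRT protocol number does not match the address")
    return str(ip), int(port)


def _normalize(ip):
    """Unwrap IPv4-mapped IPv6 peers such as ::ffff:203.0.113.7, which is
    how the server in the thread logs its peers because UseIPv6 is on."""
    ip = ipaddress.ip_address(ip)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def data_target_ok(host, port, peer_ip):
    """Accept the announced data target only if it is the control peer on
    an unprivileged port. This refuses the thread's case (a LAN address
    announced from behind NAT) and FTP bounce attempts (a third-party host
    or a low port such as 25)."""
    target, peer = _normalize(host), _normalize(peer_ip)
    if port < 1024 or port > 65535:
        return False, "port %d is not an acceptable data port" % port
    if target != peer:
        return False, "%s is not the control peer %s" % (target, peer)
    return True, "ok"


def handle_port(verb, arg, peer_ip, allow_active=True):
    """Reply to a PORT or EPRT command. allow_active=False stands in for
    <Limit EPRT PORT> DenyAll; the reply texts are illustrative only."""
    if not allow_active:
        return "550 %s: Operation not permitted" % verb
    try:
        host, port = parse_port(arg) if verb == "PORT" else parse_eprt(arg)
        ok, _reason = data_target_ok(host, port, peer_ip)
    except ValueError:
        ok = False
    if not ok:
        return "500 Illegal %s command" % verb
    return "200 %s command successful" % verb


if __name__ == "__main__":
    # Constructed peer address; the thread masks the real one as xx.xx.xx.xxx.
    print(handle_port("PORT", "192,168,1,100,225,72", "::ffff:203.0.113.7"))
    print(handle_port("PORT", "203,0,113,7,225,72", "::ffff:203.0.113.7"))
```

With a matching peer the command is accepted; with the LAN address from the log it is refused, which is the behaviour that made the gwdg.de server usable (the client fell back to PASV). Denying PORT/EPRT outright, as the configuration in the previous post does, removes the decision entirely and also removes the bounce surface, at the cost of clients that cannot use passive mode.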

## najkon

And that was my problem! I chose to set up the server not to accept the PORT command at all, because you never know (as the RaidenFTPD team writes in every line) what the future will bring  :Wink: 

I admit that I did not know about these "problems" with the PORT command.

Thanks very much @Quincy, beer for you!  :Smile: 

----------

