# VSFTP running behind a firewall

## asterix404

Hello, I managed to get vsftp server running. My network is rather complex so I will just talk about the router that I am fairly sure is giving me problems. I have 3 routers in series, 1 is connected to the inet and 3 is to the server. If I type in the FTP of anything on my network I get forwarded to the linux box and everything is great. It is only logging on from outside... what do I need to do to get this to work? I have tried passive mode, active mode... everything I can think of... and it still gives me the same errors, connection refused.

```
ftp> open Ip_address //this is my IP
ftp: connect: Connection refused
```

but

```
ftp> open tux
Connected to tux.workgroup.
220 Welcome to my server
Name (tux:me):
```

On router 1, I have forwarded ports 64000-65000, 20 and 21 to this box... and it still doesn't like it... here is my vsftpd.conf file:

```
background=YES
listen=YES
pasv_enable=YES
pasv_min_port=64000
pasv_max_port=65000
pasv_address=my_Ip
# Allow anonymous FTP?
#anonymous_enable=yes
# Uncomment this to allow local users to log in.
local_enable=YES
# Uncomment this to enable any form of FTP write command.
write_enable=YES
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
local_umask=770
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
dirmessage_enable=YES
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=YES
#chown_username=whoever
# Activate logging of uploads/downloads.
xferlog_enable=YES
# If you want, you can have your log file in standard ftpd xferlog format
xferlog_std_format=YES
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd.log
# You may change the default value for timing out an idle session.
idle_session_timeout=600
# You may change the default value for timing out a data connection.
data_connection_timeout=600
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=ftpuser
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#async_abor_enable=YES
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
# You may fully customise the login banner string:
ftpd_banner=Welcome to my Server
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
deny_email_enable=YES
# (default follows)
banned_email_file=/etc/vsftpd/vsftpd.banned_emails
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
# (default follows)
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES
```

Thanks a lot...
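The setup above (NAT routers in front of the server, passive range 64000-65000 with pasv_address set) is the kind of thing an outside client sees only through the server's PASV reply. The checker below is an added example, not code from this thread: it parses a vsftpd.conf excerpt constructed from the first post (the poster's "my_Ip" placeholder replaced by the documentation address 203.0.113.10), decodes a constructed 227 reply, and lists the mismatches between what is advertised, what the config allows and what the router forwards.

```python
"""Added example (not code from the thread): compare what a vsftpd server
advertises in its PASV reply with vsftpd.conf and the router's forwarded
port range, the way an outside client would experience it."""
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the vsftpd.conf from the first post; the "my_Ip"
# placeholder is replaced with the documentation address 203.0.113.10.
VSFTPD_CONF = """\
listen=YES
pasv_enable=YES
pasv_min_port=64000
pasv_max_port=65000
pasv_address=203.0.113.10
# Allow anonymous FTP?
#anonymous_enable=yes
local_enable=YES
connect_from_port_20=YES
"""

# TCP ports forwarded on router 1 according to the first post.
FORWARDED = [(64000, 65000), (20, 21)]

# RFC 1918 ranges: a server behind NAT without pasv_address leaks one of these.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_vsftpd_conf(text):
    """Return the key=value settings; '#' lines are comments in vsftpd.conf,
    so a commented-out option such as #anonymous_enable is not a setting."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def parse_pasv_reply(reply):
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port).
    RFC 959 encodes the data port as p1 * 256 + p2."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("field out of range in %r" % reply)
    return "%d.%d.%d.%d" % tuple(fields[:4]), fields[4] * 256 + fields[5]


def check_pasv(reply, conf, forwarded, public_ip):
    """List the reasons an outside client's data connection would fail."""
    ip, port = parse_pasv_reply(reply)
    problems = []
    # vsftpd's pasv_enable defaults to YES when the key is absent.
    if conf.get("pasv_enable", "YES").upper() != "YES":
        problems.append("pasv_enable is not YES")
    # pasv_min_port/pasv_max_port default to 0, meaning any port.
    lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 0))
    if lo and hi and not lo <= port <= hi:
        problems.append("port %d outside pasv_min_port..pasv_max_port %d-%d" % (port, lo, hi))
    if not any(a <= port <= b for a, b in forwarded):
        problems.append("port %d is not forwarded by the router" % port)
    if any(ip_address(ip) in n for n in RFC1918):
        problems.append("advertised %s is a LAN address; set pasv_address to the public IP" % ip)
    elif ip != public_ip:
        problems.append("advertised %s differs from the public IP %s" % (ip, public_ip))
    return problems


if __name__ == "__main__":
    conf = parse_vsftpd_conf(VSFTPD_CONF)
    # Constructed replies: correct; leaking the LAN address; outside the range.
    for reply in ("227 Entering Passive Mode (203,0,113,10,250,5)",
                  "227 Entering Passive Mode (192,168,2,150,250,5)",
                  "227 Entering Passive Mode (203,0,113,10,240,0)"):
        print(reply, "->", check_pasv(reply, conf, FORWARDED, conf["pasv_address"]) or "ok")
```

Against a live server the reply string would come from sending PASV on the control connection from outside the NAT; the check logic is the same.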

----------

## seank

```
netstat -pnat | grep :21
```

What IP is vsftp binding to?

Also, what's the log say?

----------

## pharaoh

I don't have my server behind a router anymore, but I did when I was testing it and it worked fine.  Only difference is that I used xinetd to run it instead of standalone.  You have some lines in your config that I didn't even need.  Hope this helps!

Here's my conf:

```
# Allow anonymous FTP?
anonymous_enable=NO
# Uncomment this to allow local users to log in.
local_enable=YES
# Uncomment this to enable any form of FTP write command.
write_enable=YES
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#local_umask=022
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#anon_upload_enable=YES
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#anon_mkdir_write_enable=YES
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
#dirmessage_enable=YES
# Make sure PORT transfer connections originate from port 20 (ftp-data).
connect_from_port_20=YES
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#chown_uploads=NO
#chown_username=
# Activate logging of uploads/downloads.
xferlog_enable=YES
# If you want, you can have your log file in standard ftpd xferlog format
#xferlog_std_format=YES
# You may override where the log file goes if you like. The default is shown
# below.
xferlog_file=/var/log/vsftpd/vsftpd.log
# You may change the default value for timing out an idle session.
idle_session_timeout=300
# You may change the default value for timing out a data connection.
data_connection_timeout=120
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
nopriv_user=nobody
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
async_abor_enable=YES
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#ascii_upload_enable=YES
#ascii_download_enable=YES
# You may fully customise the login banner string:
ftpd_banner=Welcome
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#deny_email_enable=YES
# (default follows)
#banned_email_file=/etc/vsftpd/vsftpd.banned_emails
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
chroot_list_enable=YES
chroot_local_user=NO
passwd_chroot_enable=NO
# (default follows)
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
ls_recurse_enable=YES
# Rate for local authenticated users
#local_max_rate=0
# Rate for anonymous users
#anon_max_rate=0
max_clients=5
max_per_ip=1
pasv_min_port=40000
pasv_max_port=50000
# Try setting this to something like 8192
# for a much smoother bandwidth limiter.
#trans_chunk_size=8192
```

----------

## asterix404

```
# netstat -pnat | grep :21
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN 7778/vsftpd
```

I don't know what this means but I am thinking that there being a lot of 0's is probably a bad thing... how do I run this from xinetd? Umm... the log doesn't say anything about anything recent.

----------

## pharaoh

I think the zeros are ok, but what's your /etc/hosts file look like anyways?

If you have xinetd installed already, edit the /etc/xinetd.d/vsftp file...here's mine:

```
service ftp
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/vsftpd
        server_args     = /etc/vsftpd/vsftpd.conf
        log_on_success  += DURATION USERID
        log_on_failure  += USERID
        nice            = 10
        disable         = no
#       flags           = IPv6
}
```

The main things are "disable = no" or xinetd won't start it, and take out the line for "only from = " or edit it if you have an address you only want to be able to access ftp.  Then in your /etc/vsftpd/vsftpd.conf you need to change 2 lines to

```
background=NO

listen=NO 
```

or just comment them out.  Let's see if this helps...

----------

## seank

 *asterix404 wrote:*   

> # netstat -pnat | grep :21
> 
> tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN 7778/vsftpd
> 
> I don't know what this means but I am thinking that there being a lot of 0's is probably a bad thing... how do I run this from xinetd? Umm... the log doesn't say anything about anything recent.

 

Nah, that's good.

I like using xinetd myself because it doesn't run vsftpd unless needed.  Do what pharaoh said and also add 

```
only_from       = 0.0.0.0/0
```

 to the service.  I don't see how this would fix your access problem, but it's worth a shot.

----------

## seank

Also, did you check in /var/log/messages? Run

```
tail -f /var/log/messages
```

on the server and then have someone try to connect to it from the outside world.

----------

## asterix404

I don't have that document alas... I copied the conf file that was posted and now I run that netstat call and it comes up blank, I think since it is recommended that I run it from xinetd that I will try that... any suggestions... oh yea and thanks a lot

----------

## asterix404

```
9013/xinetd
tcp        0      0 127.0.0.1:61039         0.0.0.0:*               LISTEN 
```

this is a good thing right? but now how do I get it to be the ip address of my comp and will that make it stop giving me the connection refused?

----------

## pharaoh

Not sure if this matters, but do you maybe need this

```
<*>   FTP protocol support
```

in your kernel?  If you don't know where it's located, it's in

```
Device Drivers  --->  Networking support  --->  Networking options  --->  Network packet filtering (replaces ipchains)  --->  IP: Netfilter Configuration  --->
```

for 2.6.9-r1 gentoo-dev-sources at least.

I don't think it matters that you're all zeros there...check me out:

```
cybertron linux # netstat -aunpt
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN      6966/rpc.statd      
tcp        0      0 0.0.0.0:32769           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:51234           0.0.0.0:*               LISTEN      7202/server_linux   
tcp        0      0 0.0.0.0:901             0.0.0.0:*               LISTEN      7306/xinetd         
tcp        0      0 0.0.0.0:805             0.0.0.0:*               LISTEN      6986/rpc.mountd     
tcp        0      0 0.0.0.0:14534           0.0.0.0:*               LISTEN      7202/server_linux   
tcp        0      0 0.0.0.0:3784            0.0.0.0:*               LISTEN      6496/ventrilo_srv   
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      7144/smbd           
tcp        0      0 0.0.0.0:19150           0.0.0.0:*               LISTEN      6778/gkrellmd       
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      6949/portmap        
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6379/apache2        
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      7306/xinetd         
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      6365/sshd           
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      6430/cupsd          
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      7144/smbd           
tcp        0      0 192.168.1.1:19150       192.168.1.2:32769       ESTABLISHED 6778/gkrellmd       
tcp        0      0 192.168.1.1:22          192.168.1.2:34658       ESTABLISHED 18339/sshd: pharaoh 
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           6966/rpc.statd      
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           -                   
udp        0      0 0.0.0.0:32770           0.0.0.0:*                           -                   
udp        0      0 192.168.1.1:137         0.0.0.0:*                           7147/nmbd           
udp        0      0 0.0.0.0:137             0.0.0.0:*                           7147/nmbd           
udp        0      0 192.168.1.1:138         0.0.0.0:*                           7147/nmbd           
udp        0      0 0.0.0.0:138             0.0.0.0:*                           7147/nmbd           
udp        0      0 0.0.0.0:782             0.0.0.0:*                           6966/rpc.statd      
udp        0      0 0.0.0.0:802             0.0.0.0:*                           6986/rpc.mountd     
udp        0      0 0.0.0.0:8767            0.0.0.0:*                           7202/server_linux   
udp        0      0 0.0.0.0:67              0.0.0.0:*                           6685/dhcpd          
udp        0      0 0.0.0.0:68              0.0.0.0:*                           6204/dhcpcd         
udp        0      0 0.0.0.0:111             0.0.0.0:*                           6949/portmap        
udp        0      0 0.0.0.0:631             0.0.0.0:*                           6430/cupsd          
udp        0      0 127.0.0.1:123           0.0.0.0:*
```

----------

## asterix404

if that isn't checked or anything... is that bad, and should this be a module?

----------

## seank

No, you don't need that in your kernel.

Binding to the ip 0.0.0.0:21 for local and 0.0.0.0:* for foreign is correct.  You should have xinetd listening on port 21, though.  Do you?

----------

## asterix404

I don't think so... it's listening to port like 61800 or something of that nature... how do I get it to listen to port 21 as well as to apparently just listen?

```
7234/xinetd
tcp        0      0 192.168.2.150:32819     205.188.1.104:5190      ESTABLISHED
```

as a note 32819 is not being forwarded nor is it in my vsftpd.conf

----------

## seank

So you've got a /etc/xinetd.d/vsftpd with this in it?

```
service ftp
{
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/vsftpd
        server_args     = /etc/vsftpd/vsftpd.conf
        only_from       = 0.0.0.0/0
        log_on_success  += DURATION USERID
        log_on_failure  += USERID
        nice            = 10
        disable         = no
#       flags           = IPv6
}
```

If you've got that, you should just restart xinetd (/etc/init.d/xinetd restart) and it should be listening on port 21.

----------

## pharaoh

Come on restart it!! I wanna know if it's workin!!    :Very Happy: 

----------

## asterix404

alrighty then, here is my /etc/xinetd.d/vsftpd

 *Quote:*   

> service ftp
> 
> {
> 
>         socket_type     = stream
> ...

 

my xinetd.conf

 *Quote:*   

> defaults
> 
> {
> 
>         only_from      = localhost
> ...

 

my hosts folder

```
127.0.0.1       localhost
```

the results from

```
netstat -pnat | grep :21
```

there is only a carriage return... so nothing

results from netstat -pnat

 *Quote:*   

> tcp        0      0 0.0.0.0:16001           0.0.0.0:*               LISTEN  7021/esd
> 
> tcp        0      0 0.0.0.0:901             0.0.0.0:*               LISTEN  7234/xinetd
> 
> tcp        0      0 192.168.2.150:32811     205.188.1.104:5190      ESTABLISHED 7587/gaim
> ...

 

This is very weird I have never ever had these problems before... thanks a lot for your help...

----------

## pharaoh

in xinetd.conf you HAVE to change the "only from" to something else than localhost, or just comment it out, or do the 0.0.0.0/0 thing again (I think that's the same as just commenting it out though).  If you leave it alone then you can only connect from the server itself.  Change that and restart again   :Very Happy: 

Also, if you don't want SWAT running (the Samba config webpage tool) go into /etc/xinetd.d/swat and set "disable = yes".  It's currently running on port 901 it would seem.

Sean, I know you said you don't need that FTP module, but that one includes the ftp_conntrack_ip and I thought that was necessary for the way vsftpd does passive?

----------

## seank

comment out the ipv6 line.

----------

## asterix404

indeed it is... my samba server is strictly inhouse and is working very nicely... now to get this pesky other thingy working... the netstat for 21 still isn't changing but I did an eth0 restart and got xinetd to finally start listening again

----------

## asterix404

holy crap it worked....

```
root@tux xinetd.d # netstat -pnat | grep :21
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
```

so now that is connected to the ftp thing on port 21... 20 is blank, and I still can not get into the system from the outside. I do need to have port 20 open for the data transfer right? It is open through and routed through all of my routers to the gentoo box

Last edited by asterix404 on Fri Dec 10, 2004 11:55 pm; edited 1 time in total

----------

## seank

pharaoh,

If you use the Linux firewall, you may need that module otherwise I am pretty sure you don't (what made you think this?  got a link to some docs with it in there?)

The only_from in the xinetd.conf can remain there for a default.  You can override it in each daemon config.

----------

## seank

 *asterix404 wrote:*   

> holy crap it worked....root@tux xinetd.d 
> 
> #  netstat -pnat | grep :21
> 
> tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
> ...

 

Cool, what fixed it?

----------

## asterix404

I do indeed have a linksys firewall and since I have to update my kernel to the r9 I will compile it in anyway... hmm... would this automatically be done in genkernel cuz my first one that I set up did this perfectly.

Last edited by asterix404 on Sat Dec 11, 2004 12:00 am; edited 1 time in total

----------

## seank

I've never used genkernel, not sure what it even does (generates a kernel config?)

Why do you need to transfer files on port 20?

----------

## pharaoh

 *sean_micken wrote:*   

> pharaoh,
> 
> If you use the Linux firewall, you may need that module otherwise I am pretty sure you don't (what made you think this?  got a link to some docs with it in there?)
> 
> The only_from in the xinetd.conf can remain there for a default.  You can override it in each daemon config.

 

About a year ago I had Gentoo on my work laptop and I wanted to transfer a bunch of files over to a Windows PC.  The quickest way that came to mind was to emerge vsftpd on my laptop and grab it over the LAN.  I even had vsftpd working on my server at home, but for the life of me I just COULD NOT get it to be accessible from the other computer!!!  It was a bad night that I don't enjoy speaking about heheh.  You'd think all the ports would be open unless you're running a firewall, but that night just threw me for a loop.  I used all the same configs, xinetd, etc. and it didn't feel like working.  Who knows...

(I bet you thought my explanation would be shorter   :Wink:  )

----------

## asterix404

umm... well... in my vsftp.conf there is an option for forcing data transfers over port 20. Also isn't this the default ftp data transfer port?

----------

## pharaoh

Hey, did you also forward all those passive ports through the routers?

EDIT: Ok I notice in your very first post you said you did forward them...

----------

## asterix404

how do you do that, and actually this stuff is really helpful with people going through similar problems... cuz there is almost no documentation describing non working vsftpd stuff, but really how do you configure those ports to be passive?

----------

## pharaoh

You have them set in your vsftpd.conf already so it seems ok.  Just to check, you're forwarding the TCP ports not the UDP ones with the router right?

----------

## seank

 *asterix404 wrote:*   

> umm... well... in my vsftp.conf there is an option for forcing data transfers over port 20. Also isn't this the default ftp data transfer port?

 No

----------

## asterix404

yes I am only forwarding the TCP cuz that the thing can call for... what is UDP... it has been a while since I had to use that information... as for the port listenings... is there a reason to not use port 20?

Okay so here we go, I have ports 61000-62000 open on all of my routers. I have 19-22 open as well... I get a socket error... what is that what does this mean?

----------

## pharaoh

I'm curious if you really do need that ftp_conntrack_ip module just for this port 20 passive business.  I don't like genkernel because it takes away your control, but try doing an lsmod and see what's loaded up.  Sean is right though, if you're not using a firewall you shouldn't need it...however I needed it even with the firewall open on the correct ports.  Who knows!

----------

## asterix404

okay so the lsmod has

 *Quote:*   

> Module                  Size  Used by
> 
> uhci_hcd               27664  0
> 
> ehci_hcd               24324  0
> ...

 

but that's the thing... I am behind a firewall... with all ports open... I also normally run genkernel and then change all of the settings cuz it can do stuff like give me pretty fonts. I thought I put FTP support in my kernel... hmm back to the drawing board.

----------

## pharaoh

All those modules are for hardware.  I don't know a thing about genkernel, and I was just asking to try that ftp_conntrack_ip modules because I have no idea what the problem is anymore   :Evil or Very Mad: 

----------

## asterix404

Ahh... well there is good news yet, sorry about that... actually the module was not installed before but now I have this:

```
/lib/modules/2.6.9-gentoo-r9/kernel/net/ipv4/netfilter/ip_conntrack_irc.ko
/lib/modules/2.6.9-gentoo-r9/kernel/net/ipv4/netfilter/ip_conntrack_tftp.ko
```

which I think I can use autoload to boot up... and pray this works... is there a way to see what packets are doing when they hit my routers? Like when I do ftp open "my ip" can I see what the packets are doing and trace them?

I know the problem now but I have no idea how to fix it and hopefully someone out there does. I can access the ftp anywhere on my lan, the problem is the outside... the other problem is I have a wireless router connected to the outside world. It is a linksys, this must be the problem. Under Applications and Gaming I have this (192.168.10.100 is another router):

```
ftp 61000 to 62000 TCP 192.168.10.100
ftp 19 to 22 TCP 192.168.10.100
```

I have nothing under port triggering, I have nothing under DMZ host

I have UPnP enabled

I think I now know that it is a problem with the router and I will have to fiddle around with my network tomm... thank you so much though, and if this does get fixed I will be sure to keep you posted... if you care enough... however you seem to

----------

## pharaoh

Just to make sure it's one of the routers being the issue, can you just not use the routers for a short time to test it?  I realize there's a security risk involved, but for how much time you've been putting into this it may just be easiest to change the net settings on the ftp server and run it directly to your internet hookup to find out if it really is one of the routers being the problem.  Either way, do let us know what happens   :Smile: 

----------

## asterix404

It was in fact the router... AS A HUGE NOTE for anyone following this... if you lose power and it comes back up and it seems like nothing had happened... it did. If your routers still say they are doing what they are doing... they really are not. No port forwarding was occurring and I had about half services. It didn't like the reset and I had to do it about 3 times... but it finally hooked... thanks a lot pharaoh and sean_micken it works great. What else can I run from xinetd now that I know this is a very powerful tool... samba? net.eth0?

----------

## pharaoh

Glad to hear it's working   :Very Happy:   As for xinetd, I only use it to run swat and vsftpd.  But if you poke around I'm sure you'll find some other services to do with it.  Good luck bud!

----------

