pasv_min_port,pasv_max_port does not work if client uses PASV

Bug #130682 reported by Carsten Menke
Affects | Status | Importance | Assigned to | Milestone
vsftpd (Ubuntu) | Invalid | Undecided | Unassigned |

Bug Description

I'm using Ubuntu Dapper 6.0.6.1 AMD64 Server

vsftpd does not honor the config settings pasv_min_port and pasv_max_port if the client which connects issues PASV instead of EPSV.

This is a serious problem, I think, as most browsers use PASV and not EPSV. If the FTP client connects using EPSV then the correct ports are sent out to the client; however, if the client uses PASV, even ports from the range below 1024 are used.

I have set this in my vsftpd.conf

pasv_enable=YES
pasv_min_port=45000
pasv_max_port=45150
pasv_addr_resolve=YES
pasv_address=somehost.dyndns.org

Carsten Menke (carsten-menke) wrote :

Bug could be closed,

I was faced by a set of obscurities leading to this behavior. In fact it was the router. Maybe we can have this bug as a reference here so that other people who stumble upon the same thing find it.

I'm using a Bintec R232bw router. The router can do stateful firewalling, but what is not mentioned in the docs is that this router not only does related connection tracking but also modifies the FTP protocol: it rewrites the address in the PASV response. However, the router does not seem to support EPSV mode, so when I used my command-line client, which issued an EPSV command, the packets came through unmodified and passive mode worked.

However, the browser and FileZilla use the PASV command, which in turn was modified by the router in both the port and address parts. Additionally, I of course had a port forwarding on the router forwarding the defined passive port range to the server.

All this together led to this result. The sad thing is, if I had done this without any knowledge of how FTP works I would have been done in 1 minute, as the Bintec R232bw just needs a port forwarding on port 21 and one rule allowing port 21 in, and you're all done, as the rest is done by the router's magic.

Changed in vsftpd:
status: New → Invalid
Dwain Blazej (dwain-blazej) wrote :

I'm using Ubuntu 9.10 with vsftpd 2.2.0-1ubuntu1
The explanation by Carsten Menke does not apply to my situation.

With:

pasv_min_port=65000
pasv_max_port=65535

I connected with lftp (version 3.6.1-1). Looking in vsftpd.log (I put "x" where IP numbers go) I see:

Wed Jan 13 16:48:38 2010 [pid 32649] [tester] FTP response: Client "x.x.x.x", "227 Entering Passive Mode (x,x,x,x,117,178)."
Wed Jan 13 16:48:38 2010 [pid 32649] [tester] FTP command: Client "x.x.x.x", "LIST"

As noted in http://www.rhinosoft.com/respcode.asp?resp=227&Prod=s
this means the vsftpd *server asked* to be connected to on port 30130; hence Carsten Menke's explanation about a router does not apply to me.

Taking a quick glance at my vsftpd.log, vsftpd seems to have a hard-coded pasv_min_port of 30000. As a workaround I'll assume pasv_min_port=29952 (256 * 117) for now.

If your vsftpd.log contains a value lower than 117 in "227 Entering Passive Mode (x,x,x,x,117,y)" please leave a comment, it may help in debugging this.

imachine (m-jedrasik) wrote :

Same issue here with a TP-Link WR340GD router.

It too requires only setting up the port 21 forward, but beware: do not alter the pasv_address! It has to come from the local IP address, otherwise the router magic gets confused and it doesn't work.

Cheers.

jbfoley (jbfoley)
Changed in vsftpd (Ubuntu):
status: Invalid → New
jbfoley (jbfoley) wrote :

Same problem on Ubuntu 10.04 server with vsftpd. I'm using a Cisco 1811 router with ports 20 and 21 statically NATed and a NAT pool for the PASV ports. This works fine in standard FTP mode, but when I switch to PASV mode in FTPES, it uses a port outside the range specified by the min/max port settings. The router is NOT doing any firewall functions or interfering with packets in any way. I am a network engineer by trade, so I am confident of this.

I have observed this same behavior connecting to the server from a host inside the router on the same subnet, and of course, the connection works fine because the port is accessible from the inside, but the port requested is still outside the range specified in vsftpd.conf when in FTPS mode.

I will post here if I find any more info.

Setting status to NEW

jbfoley (jbfoley) wrote :

Whoops. Found a flaw in my .conf file. I had copied the pasv_min_port to a different spot while troubleshooting another issue, and had two values for min, with no value for max. Works fine now in both modes. Setting status back the way I found it.

Changed in vsftpd (Ubuntu):
status: New → Invalid
Tamas Cs (cs-tamas) wrote :

Hi,

I found a corner case, where it might not work even if you set them:

pasv_min_port=10000
pasv_max_port=9000
(Notice that min and max were mixed up)

In this case the server does start (not yielding a config error) but the configuration is ignored. This is clearly a bug. I could accept either
a) work: "I know what you mean" or
b) config error: "please be more precise"

Cheers,

Tamas
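Two checks come up in this thread: reading the port back out of the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" line in vsftpd.log (p1 * 256 + p2, as Dwain Blazej does by hand above) and catching a pasv_min_port/pasv_max_port pair that vsftpd accepts silently, such as min greater than max (Tamas Cs) or a duplicated min with no max (jbfoley). The script below is an added example, not code from vsftpd or from anyone in this report; it validates the passive range in a vsftpd.conf fragment and flags any 227 response in the log that advertises a port outside that range. The conf and log text are constructed samples in the format quoted above, and the rule that the last of two duplicate keys wins is an assumption made visible by the checker rather than documented vsftpd behaviour.

```python
import re

# Constructed sample inputs: a vsftpd.conf fragment and two vsftpd.log lines
# in the format quoted in this bug report (IP octets replaced by "x").
SAMPLE_CONF = """\
pasv_enable=YES
pasv_min_port=65000
pasv_max_port=65535
"""

SAMPLE_LOG = """\
Wed Jan 13 16:48:38 2010 [pid 32649] [tester] FTP response: Client "x.x.x.x", "227 Entering Passive Mode (x,x,x,x,117,178)."
Wed Jan 13 16:48:38 2010 [pid 32649] [tester] FTP command: Client "x.x.x.x", "LIST"
"""

# Matches the parenthesised h1,h2,h3,h4,p1,p2 list of a 227 response.
PASV_227_RE = re.compile(r'227 [^(]*\(([^)]*)\)')


def parse_pasv_conf(text):
    """Return (min_port, max_port, warnings) from vsftpd.conf text.

    Only the two passive-port keys are tracked. A key that appears more than
    once is reported and its last occurrence is used (assumption about how
    vsftpd resolves duplicates; the checker's job is to make it visible).
    """
    seen = {}
    warnings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, value = (s.strip() for s in line.split('=', 1))
        if key not in ('pasv_min_port', 'pasv_max_port'):
            continue
        if key in seen:
            warnings.append(f'{key} appears more than once; using the last value')
        try:
            seen[key] = int(value)
        except ValueError:
            warnings.append(f'{key} is not an integer: {value!r}')
    return seen.get('pasv_min_port'), seen.get('pasv_max_port'), warnings


def validate_pasv_range(min_port, max_port):
    """Return a list of problems with the configured passive range (empty if OK)."""
    problems = []
    if min_port is None or max_port is None:
        problems.append('pasv_min_port and pasv_max_port must both be set to pin the range')
        return problems
    if min_port > max_port:
        problems.append(f'pasv_min_port ({min_port}) is greater than pasv_max_port ({max_port})')
    for name, port in (('pasv_min_port', min_port), ('pasv_max_port', max_port)):
        if not 1 <= port <= 65535:
            problems.append(f'{name} ({port}) is not a valid TCP port')
        elif port < 1024:
            problems.append(f'{name} ({port}) is a privileged port; the range should sit above 1023')
    return problems


def pasv_port_from_227(line):
    """Extract the data port a 227 response advertises (p1 * 256 + p2), or None."""
    m = PASV_227_RE.search(line)
    if not m:
        return None
    fields = [f.strip() for f in m.group(1).split(',')]
    if len(fields) != 6:
        return None
    try:
        p1, p2 = int(fields[4]), int(fields[5])
    except ValueError:
        return None
    if not (0 <= p1 <= 255 and 0 <= p2 <= 255):
        return None
    return p1 * 256 + p2


def find_out_of_range(log_text, min_port, max_port):
    """Return (line_no, port) for each 227 response whose port is outside [min_port, max_port]."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        port = pasv_port_from_227(line)
        if port is not None and not (min_port <= port <= max_port):
            hits.append((n, port))
    return hits


if __name__ == '__main__':
    lo, hi, warns = parse_pasv_conf(SAMPLE_CONF)
    for w in warns + validate_pasv_range(lo, hi):
        print('config:', w)
    for n, port in find_out_of_range(SAMPLE_LOG, lo, hi):
        print(f'log line {n}: server advertised port {port}, outside {lo}-{hi}')
```

Run against the sample, the config passes and the log line is flagged with port 30130, which is the 117,178 pair decoded. With Tamas Cs's inverted pair (10000, 9000) the validator reports min greater than max; with jbfoley's duplicated min and missing max it reports both the duplicate and the missing key, which is exactly what vsftpd itself stays silent about.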
