pasv_min_port,pasv_max_port does not work if client uses PASV
Bug #130682 reported by Carsten Menke
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| vsftpd (Ubuntu) | Invalid | Undecided | Unassigned | |
Bug Description
I'm using Ubuntu Dapper 6.0.6.1 AMD64 Server.
vsftpd does not honor the config settings pasv_min_port and pasv_max_port if the client that connects issues PASV instead of EPSV.
This is a serious problem, I think, as most browsers use PASV and not EPSV. If the FTP client connects using EPSV then the correct ports are sent out to the client; however, if the client uses PASV, even ports from the range below 1024 are used.
I have set this in my vsftpd.conf:
pasv_enable=YES
pasv_min_port=45000
pasv_max_port=45150
pasv_addr_
pasv_address=
Changed in vsftpd: status: New → Invalid
Changed in vsftpd (Ubuntu): status: Invalid → New
Bug could be closed.
I was faced by a set of obscurities leading to this behavior. In fact it was the router. Maybe we can have this bug as a reference here so that other people who stumble upon the same thing find it.
I'm using a Bintec R232bw router. The router can do stateful firewalling, but what is not mentioned in the docs is that this router not only does related connection tracking but also modifies the FTP protocol in that it rewrites the address in the PASV response. However, the router does not seem to support the EPSV mode, so when I used my command line client, which issued an EPSV command, the packets came through unmodified and the passive mode worked.
However, the browser and FileZilla use the PASV command, which in turn has been modified by the router, both the port and the address part. Additionally I of course had port forwarding on the router forwarding the defined passive port range to the server.
This all together led to this result. The sad thing is, if I had done this without any knowledge of how FTP works I would have been done in 1 minute, as the Bintec R232bw just needs port forwarding on port 21 and one rule allowing port 21 in and you're all done, as the rest is done by the router's magic.
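The situation described in this thread, a 227 PASV reply rewritten by an in-path FTP ALG while the 229 EPSV reply passes through untouched, can be told apart from a genuine server misconfiguration by parsing both replies and comparing the advertised ports with the configured range. The following is an added example, not code from the bug report or from vsftpd: the two sample replies are constructed for this example, and the port range is the one from the reporter's vsftpd.conf.

```python
import re

# Constructed sample replies for this example (not taken from the bug report).
# The PASV reply is what a client would see after an in-path FTP ALG has
# rewritten the address and port; the EPSV reply carries the server's own port.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,168,0,10,3,232)."
SAMPLE_EPSV_REPLY = "229 Entering Extended Passive Mode (|||45010|)"

# Passive port range as configured in the reporter's vsftpd.conf.
PASV_MIN_PORT = 45000
PASV_MAX_PORT = 45150

# 227 reply (RFC 959): six decimal bytes, h1-h4 are the address, p1-p2 the port.
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# 229 reply (RFC 2428): only the port, between delimiters, as (|||port|).
_EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply):
    """Return (address, port) advertised by a 227 PASV reply.

    The port travels as two bytes, so port = p1 * 256 + p2. Because the
    address is part of the reply text, a NAT router's FTP ALG can rewrite it.
    """
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("byte out of range in PASV reply: %r" % reply)
    return ("%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2)


def parse_epsv(reply):
    """Return the port advertised by a 229 EPSV reply.

    EPSV carries no address (the client reuses the control-connection
    address), so there is no address for an ALG to rewrite.
    """
    m = _EPSV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 229 EPSV reply: %r" % reply)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in EPSV reply: %r" % reply)
    return port


def port_in_range(port, min_port=PASV_MIN_PORT, max_port=PASV_MAX_PORT):
    """True if the advertised port lies within the configured passive range."""
    return min_port <= port <= max_port


def diagnose(pasv_reply, epsv_reply, min_port=PASV_MIN_PORT, max_port=PASV_MAX_PORT):
    """Compare the PASV and EPSV ports against the configured range.

    Returns one of:
      "ok"             - both ports in range: the server config is honoured
      "pasv_rewritten" - EPSV port in range but PASV port is not: something
                         between client and server rewrites 227 replies
                         (the router FTP ALG case described in this report)
      "server_config"  - the EPSV port is also out of range: look at the
                         server configuration rather than the network path
    """
    _, pasv_port = parse_pasv(pasv_reply)
    epsv_port = parse_epsv(epsv_reply)
    pasv_ok = port_in_range(pasv_port, min_port, max_port)
    epsv_ok = port_in_range(epsv_port, min_port, max_port)
    if pasv_ok and epsv_ok:
        return "ok"
    if epsv_ok and not pasv_ok:
        return "pasv_rewritten"
    return "server_config"


if __name__ == "__main__":
    addr, port = parse_pasv(SAMPLE_PASV_REPLY)
    print("PASV advertises %s:%d (in range: %s)" % (addr, port, port_in_range(port)))
    print("EPSV advertises port %d" % parse_epsv(SAMPLE_EPSV_REPLY))
    print("verdict:", diagnose(SAMPLE_PASV_REPLY, SAMPLE_EPSV_REPLY))
```

Run against replies captured from a real session (for example from a client's verbose log), the "pasv_rewritten" verdict points at the network path, as it did for the reporter, while "server_config" points back at pasv_min_port and pasv_max_port on the server.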