vsftpd

Parker Morse morse at sinauer.com
Tue Apr 13 13:53:36 UTC 2004


On Monday, Apr 12, 2004, at 20:12 US/Eastern, Deleo Paulo Ribeiro 
Junior wrote:
> I am trying to use VSFTPD. Everything seems to be right (I read the 
> manual) but when I try "ls" the system hangs up after these messages:
>
> ftp>ls
> 200 PORT command successful. Consider using PASV.
> 150 Here comes the directory listing.
>
> I am using RedHat 9 and my server has 12 IPs active.

When I get these messages connecting to an FTP server, it's usually a 
port issue (that is, an issue with the network connection, not the 
daemon itself).

First, if "passive mode" is on in your FTP client, turn it off. If it's 
off, turn it on. (If you're using `ftp` at a shell prompt, try `ftp -p` 
instead.)

Second, look at which ports are open on your server. Here's the output 
from "iptables -L" on my ftp server (dedicated box, so the rules are 
pretty simple):

[root at cuckoo /root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.168.0.0/16       anywhere
DROP       all  --  10.0.0.0/8           anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       icmp -f  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  my.local-system.com  anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ident
DROP       tcp  --  anywhere             anywhere           tcp dpts:0:1024

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root at cuckoo /root]#

The first three lines drop invalid networks, which are probably spoofed 
packets. The fourth drops pings. The next two lines are for FTP (ports 
20 and 21); then SMTP (so it can squawk for help if it needs to). 
There's a line to accept connections from my local network (so I can 
SSH in to administer the box), then port 113 (ident), which may also be 
useful for FTP. The last line dumps any other packets for privileged ports.

Notice, too, that the policy is "accept" and connections to ports over 
1024 are accepted. You probably need this for passive-mode FTP; 
whenever I change it, FTP stops working. ;-)

pjm
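An added example, not part of the original message: a small Python model of the INPUT chain quoted above that walks the rules in order the way iptables does and reports whether an FTP client's connections to port 21, port 20 and a passive-mode high port would be accepted or dropped. The service-name table and the client addresses used in the checks are assumptions; the hostname rule cannot be resolved offline and is treated as not matching.

```python
import ipaddress
# Service names as `iptables -L` prints them; an inline table so this runs offline.
SERVICES = {"ftp-data": 20, "ftp": 21, "smtp": 25, "ident": 113}
# The INPUT chain from the post above, with the wrapped lines rejoined.
INPUT_CHAIN = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.168.0.0/16       anywhere
DROP       all  --  10.0.0.0/8           anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       icmp -f  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  my.local-system.com  anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ident
DROP       tcp  --  anywhere             anywhere           tcp dpts:0:1024
"""

def parse_chain(text):
    """Return (policy, rules); each rule is (target, proto, source, lo_port, hi_port)."""
    lines = text.strip().splitlines()
    policy = lines[0].split("policy ")[1].rstrip(")")
    rules = []
    for line in lines[2:]:                  # skip chain header and column header
        fields = line.split()
        lo, hi = 0, 65535                   # no dpt/dpts match: any destination port
        port = next((f for f in fields if f.startswith("dpt")), None)
        if port:
            a, _, b = port.split(":", 1)[1].partition(":")
            lo = int(a) if a.isdigit() else SERVICES[a]
            hi = int(b) if b else lo
        rules.append((fields[0], fields[1], fields[3], lo, hi))
    return policy, rules

def src_matches(rule_src, src_ip):
    if rule_src == "anywhere":
        return True
    try:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule_src)
    except ValueError:
        return False                        # hostname source: not resolvable offline

def verdict(chain, proto, src_ip, dport):
    """First matching rule decides, else the chain policy (the opt column, e.g. -f, is ignored)."""
    policy, rules = chain
    for target, rproto, rsrc, lo, hi in rules:
        if rproto in ("all", proto) and src_matches(rsrc, src_ip) and lo <= dport <= hi:
            return target
    return policy
```

Passive-mode data connections land on ports above 1024, which in this chain fall through to the ACCEPT policy; vsftpd can pin that range with pasv_min_port and pasv_max_port so the firewall only has to accept those ports rather than everything above 1024.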