vsftpd
Parker Morse
morse at sinauer.com
Tue Apr 13 13:53:36 UTC 2004
On Monday, Apr 12, 2004, at 20:12 US/Eastern, Deleo Paulo Ribeiro
Junior wrote:
> I am trying to use VSFTPD. Everything seems to be right (I read the
> manual) but when I try "ls" the system hangs up after these messages:
>
> ftp>ls
> 200 PORT command successful. Consider using PASV.
> 150 Here comes the directory listing.
>
> I am using RedHat 9 and my server has 12 active IPs.
When I get these messages connecting to an FTP server, it's usually a
port issue (that is, an issue with the network connection, not the
daemon itself.)
First, if "passive mode" is on in your FTP client, turn it off. If it's
off, turn it on. (If you're using `ftp` at a shell prompt, try `ftp -p`
instead.)
Second, look at which ports are open on your server. Here's the output
from "iptables -L" on my ftp server (dedicated box, so the rules are
pretty simple):
[root at cuckoo /root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.168.0.0/16       anywhere
DROP       all  --  10.0.0.0/8           anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       icmp -f  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  my.local-system.com  anywhere
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ident
DROP       tcp  --  anywhere             anywhere           tcp dpts:0:1024

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root at cuckoo /root]#
The first three lines drop invalid networks, which are probably spoofed
packets. The fourth drops pings. The next two lines are for FTP (ports
20 and 21); then SMTP (so it can squawk for help if it needs to.)
There's a line to accept connections from my local network (so I can
SSH in to administer the box) then port 113 (ident), which may also be
useful for FTP. Last line dumps any other packets for privileged ports.
Notice, too, that the policy is "accept" and connections to ports over
1024 are accepted. You probably need this for passive-mode FTP;
whenever I change it, FTP stops working. ;-)
pjm
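As an added illustration (not part of the original message), this Python model replays the INPUT chain above against the two kinds of FTP data connection, so you can see why the final DROP stops at port 1024; the admin network (203.0.113.0/24) and the client addresses are assumed values.

```python
import ipaddress

# Constructed model of the INPUT chain listed above. Service names are resolved
# to port numbers; "my.local-system.com" is assumed to be 203.0.113.0/24. The
# listing's icmp rule carries "-f" (fragments only); modelled as plain icmp here.
INPUT_RULES = [
    ("DROP",   "all",  "192.168.0.0/16", None),
    ("DROP",   "all",  "10.0.0.0/8",     None),
    ("DROP",   "all",  "172.16.0.0/12",  None),
    ("DROP",   "icmp", "0.0.0.0/0",      None),
    ("ACCEPT", "tcp",  "0.0.0.0/0",      (20, 20)),    # ftp-data
    ("ACCEPT", "tcp",  "0.0.0.0/0",      (21, 21)),    # ftp
    ("ACCEPT", "tcp",  "0.0.0.0/0",      (25, 25)),    # smtp
    ("ACCEPT", "tcp",  "203.0.113.0/24", None),        # admin network (assumed)
    ("ACCEPT", "tcp",  "0.0.0.0/0",      (113, 113)),  # ident
    ("DROP",   "tcp",  "0.0.0.0/0",      (0, 1024)),   # other privileged ports
]
INPUT_POLICY = "ACCEPT"

# The change the author says breaks FTP: the final DROP widened to every port,
# so the ACCEPT policy never gets to admit passive-mode data ports.
STRICT_RULES = INPUT_RULES[:-1] + [("DROP", "tcp", "0.0.0.0/0", (0, 65535))]


def input_verdict(proto, src, dport, rules=INPUT_RULES, policy=INPUT_POLICY):
    """First matching rule wins; otherwise the chain policy applies."""
    src_ip = ipaddress.ip_address(src)
    for target, rproto, rsrc, ports in rules:
        if rproto != "all" and rproto != proto:
            continue
        if src_ip not in ipaddress.ip_network(rsrc):
            continue
        if ports is not None and not ports[0] <= dport <= ports[1]:
            continue
        return target
    return policy


def decode_hostport(spec):
    """Decode the h1,h2,h3,h4,p1,p2 form shared by PORT commands and 227 replies."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in spec.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_verdict(mode, client_ip, pasv_port=None, rules=INPUT_RULES):
    """Verdict at the server's INPUT chain for the data connection's inbound segments.
    active: the server dials out from port 20, so the client's replies carry dport 20.
    passive: the client dials the advertised high port, so dport is that port."""
    dport = 20 if mode == "active" else pasv_port
    return input_verdict("tcp", client_ip, dport, rules)
```

With the strict variant, active mode still works (port 20 is matched before the catch-all DROP) while every passive data port is dropped, which is the symptom the post describes.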