
Re: vsftpd




On Monday, Apr 12, 2004, at 20:12 US/Eastern, Deleo Paulo Ribeiro Junior wrote:

> I am trying to use VSFTPD. Everything seems to be right (I read the manual) but when I try "ls" the system hangs up after these messages:
>
> ftp>ls
> 200 PORT command successful. Consider using PASV.
> 150 Here comes the directory listing.
>
> I am using RedHat 9 and my server has 12 active IPs.

When I get these messages connecting to an FTP server, it's usually a port issue (that is, an issue with the network connection, not the daemon itself).


First, if "passive mode" is on in your FTP client, turn it off. If it's off, turn it on. (If you're using `ftp` at a shell prompt, try `ftp -p` instead.)

Second, look at which ports are open on your server. Here's the output from "iptables -L" on my ftp server (dedicated box, so the rules are pretty simple):

[root cuckoo /root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  192.168.0.0/16       anywhere
DROP       all  --  10.0.0.0/8           anywhere
DROP       all  --  172.16.0.0/12        anywhere
DROP       icmp -f  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  my.local-system.com  anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ident
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1024

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root cuckoo /root]#

The first three lines drop invalid networks, which are probably spoofed packets. The fourth drops pings. The next two lines are for FTP (ports 20 and 21); then SMTP (so it can squawk for help if it needs to). There's a line to accept connections from my local network (so I can SSH in to administer the box), then port 113 (ident), which may also be useful for FTP. The last line dumps any other packets for privileged ports.

Notice, too, that the policy is "accept" and connections to ports over 1024 are accepted. You probably need this for passive-mode FTP; whenever I change it, FTP stops working. ;-)

pjm
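The rule set above relies on the ACCEPT policy for every port over 1024 so that passive mode keeps working. As an added example (not code from the original thread), the script below reads vsftpd's pasv_min_port/pasv_max_port settings (real vsftpd.conf keys; the sample config text and port values are constructed) and prints just the FTP rules a firewall needs, so only the configured passive range has to be open; the rest of the poster's policy (spoofed-range drops, local admin access) is left as it is.

```shell
#!/bin/sh
# Added example, not code from the original thread: derive the FTP-related
# iptables rules from vsftpd's passive port settings, so the firewall admits
# only the configured passive range instead of every port above 1024.
# The config text is constructed for this example; pasv_min_port and
# pasv_max_port are real vsftpd.conf keys, the port values are assumed.

VSFTPD_CONF_SAMPLE='listen=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
connect_from_port_20=YES'

# conf_value KEY CONFTEXT: print the value of KEY (last occurrence wins).
conf_value() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1=//p" | tail -n 1
}

# ftp_rules CONFTEXT: print (do not run) the iptables commands for the
# control port, packets addressed to port 20 (the server's active-mode data
# port, as in the quoted rule set) and the passive range. Fails if the range
# is missing, non-numeric, inverted, or overlaps the privileged ports that
# the quoted rule set drops.
ftp_rules() {
    min=$(conf_value pasv_min_port "$1")
    max=$(conf_value pasv_max_port "$1")
    case "$min:$max" in
        *[!0-9:]*|:*|*:)
            echo "error: pasv_min_port and pasv_max_port must both be numeric" >&2
            return 1 ;;
    esac
    if [ "$min" -gt "$max" ] || [ "$min" -le 1024 ]; then
        echo "error: passive range $min:$max must be ordered and above 1024" >&2
        return 1
    fi
    echo "iptables -A INPUT -p tcp --dport 21 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 20 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $min:$max -j ACCEPT"
}

ftp_rules "$VSFTPD_CONF_SAMPLE"
```

The printed range rule replaces the need for an open-everything policy above 1024; the client side still needs `ftp -p` (passive) or an equivalent setting to use it.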