DaemonForums  

#1
Sunsawe, 25th September 2009
How to configure VSFTPD?

Hi all!

I am trying to configure VSFTPD to run on a box which is behind a router.
I can access it from inside the local network but not from outside.
This is my config file:

Quote:
############# Users settings ################
anonymous_enable=NO
chroot_local_user=YES
local_umask=022

############# Server settings ################
background=YES
dirmessage_enable=YES
guest_enable=NO
listen=YES
write_enable=YES
listen_port=21
max_clients=5
max_per_ip=2
# Data ports offered in 227 replies to PASV; the router must forward this range as well as port 21.
pasv_max_port=160
pasv_min_port=150
guest_username=vsftpd_user
tcp_wrappers=YES
nopriv_user=vsftpd_user
local_enable=YES
# Address written into 227 (PASV) replies; it has no effect on PORT commands, which are sent by the client.
pasv_address=XXXXXX (external address)
The ports are transferred from the router to the box. I can access it but the connection fails. It still replies with the internal network address, so the PORT command fails.

What am I doing wrong?

Thank you
#2
Carpetsmoker (Martin), 25th September 2009

Are you using a firewall? If so, did you configure your firewall for FTP?
#3
jggimi, 25th September 2009

Sunsawe: to clarify Carpetsmoker's question:

We can assume your router does Network Address Translation (NAT), so that all of the devices behind it share one single Internet address, and the systems on the local network are using "private" Internet addresses in one of these three ranges, per RFC 1918:
  • 10.0.0.0 - 10.255.255.255 (10/8 CIDR)
  • 172.16.0.0 - 172.31.255.255 (172.16/12 CIDR)
  • 192.168.0.0 - 192.168.255.255 (192.168/16 CIDR)
These addresses are not used on the Internet itself; they are used in private networks.

Since all of the devices on your private LAN share the same Internet address, your router must keep track of the state of all sessions that go through it. This is automatic, for traffic that is initiated inside your LAN, headed out to the Internet. However, for -services- you operate, such as FTP, there is no pre-existing state to keep track of -- incoming traffic to the router from the Internet has to go somewhere, and your router must be told where on your LAN to forward it.

See your router owner's manual.

---

So a NAT router acts something like a firewall, in that if you have not set up a service on it, any unanticipated incoming traffic will be rejected, since the router doesn't know what to do with it.
#4
Sunsawe, 25th September 2009

Hi,

There is actually no firewall activated on the box (which runs FreeBSD 7.2).

Regarding the router, I assume it is OK as I can access other services (http, ssh, database...). I can open the connection to the ftp, but the server replies to the client with a local address (192.168....), thus it fails.
The error occurs when the client sends the PORT command.
#5
jggimi, 25th September 2009

Describe the make/model of your router, and the FTP port forwarding you have provisioned.

#6
Sunsawe, 25th September 2009

Thank you for your reply.
Please don't take it the wrong way but I think this has nothing to do with the router settings. This is what appears in the client dialog window:

Quote:
Trying XXX.XXX.XXX.XXX:21 (external address)
Connected on XXX.XXX.XXX.XXX:21
220 (vsFTPd 2.2.0)
USER user

331 Please specify the password.
PASS xxxx
230 Login successful.
SYST

215 UNIX Type: L8
TYPE I

200 Switching to Binary mode.
PWD

257 "/"
Loading directory / from the server (LC_TIME=fr_FR.UTF-8)
PORT 192,168,0,3,169,61

500 Illegal PORT command.
Before changing anything on the router (which may not be a problem) I would like to solve this, which is an obvious problem. The server should return the external address and not the local one.
From another client, I get this:

Quote:
Reply : 200 Switching to Binary mode.
Command : PASV
Reply : 500 OOPS: priv_sock_get_cmd
Command : PORT 192,168,0,3,215,5
Error : Connection closed by the server

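The two client dialogs quoted above contain everything needed to see where the session breaks, so here is an added worked example (not code from the thread, from vsftpd, or from any poster) that decodes the h1,h2,h3,h4,p1,p2 tuples FTP uses and applies the two decisions that matter behind NAT. In active mode the PORT command is sent by the client and carries the client's own address, so the 192,168,0,3 in post #6 is the client announcing a private address; vsftpd compares that address with the peer of the control connection and answers "500 Illegal PORT command." when they differ (or when the port is below 1024), unless port_promiscuous=YES. The pasv_address setting from post #1 only changes what the server puts into its 227 reply to PASV, and that reply must also name a port the router forwards. The RFC 1918 ranges come from post #3. The addresses 203.0.113.5 (server side), 203.0.113.77 (client side), 192.168.0.10 (server LAN address) and the forwarded range 50000-50010 are assumptions standing in for the elided values; the "500 OOPS: priv_sock_get_cmd" error is a server-internal failure and is not modelled here.

```python
"""Decode FTP PORT / 227 address tuples and apply the NAT-relevant checks.

Added example, not code from the forum thread or from vsftpd.  The session
lines are constructed from post #6; the real addresses are replaced by the
documentation addresses 203.0.113.5 (server) and 203.0.113.77 (client).
"""
import ipaddress
import re

# RFC 1918 private ranges, as listed in post #3.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# h1,h2,h3,h4,p1,p2 as used by PORT (client -> server) and by the 227 reply to PASV.
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
RESERVED_PORTS = 1024  # ports below this are reserved; vsftpd refuses them in PORT


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def decode_hostport(text: str) -> tuple[str, int]:
    """Return (ip, port) from a PORT command or a 227 reply; port = p1*256 + p2."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError(f"no host-port tuple in {text!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in {text!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(addr: str, port: int) -> str:
    """Inverse of decode_hostport: ('203.0.113.5', 50000) -> '203,0,113,5,195,80'."""
    return ",".join(addr.split(".") + [str(port // 256), str(port % 256)])


def check_port_command(port_cmd: str, control_peer: str) -> str:
    """Active mode: the client announces where the server should connect for data.
    vsftpd accepts the PORT only if that address equals the control-connection
    peer and the port is not reserved (port_promiscuous=NO, the default)."""
    ip, port = decode_hostport(port_cmd)
    if ip != control_peer:
        return f"500 Illegal PORT command. ({ip} != control peer {control_peer})"
    if port < RESERVED_PORTS:
        return f"500 Illegal PORT command. (port {port} is reserved)"
    return f"200 PORT command successful. (server connects to {ip}:{port})"


def pasv_reply(pasv_address: str, data_port: int) -> str:
    """Passive mode: the server advertises where the client should connect.
    pasv_address in vsftpd.conf is the address that goes into this reply."""
    return f"227 Entering Passive Mode ({encode_hostport(pasv_address, data_port)})."


def check_pasv_reply(reply: str, forwarded: range) -> str:
    """What a client outside the NAT needs from a 227 reply: a public address
    and a port that the router actually forwards to the server."""
    ip, port = decode_hostport(reply)
    problems = []
    if is_private(ip):
        problems.append(f"{ip} is RFC 1918 and unreachable from the Internet")
    if port not in forwarded:
        problems.append(f"port {port} is not in the forwarded range "
                        f"{forwarded.start}-{forwarded.stop - 1}")
    return "ok" if not problems else "; ".join(problems)


# Constructed walk-through of the exchange in post #6 (all three values are assumptions).
CLIENT_PUBLIC = "203.0.113.77"   # the client's address as the server sees it
SERVER_LAN = "192.168.0.10"      # what the server advertises when pasv_address is unset
SERVER_PUBLIC = "203.0.113.5"    # stands in for XXX.XXX.XXX.XXX
FORWARDED = range(50000, 50011)  # a passive range the router forwards to the box


def walk_through() -> dict:
    """Decisions for the two quoted PORT commands and for two possible PASV replies."""
    return {
        "PORT 192,168,0,3,169,61": check_port_command("PORT 192,168,0,3,169,61", CLIENT_PUBLIC),
        "PORT 192,168,0,3,215,5": check_port_command("PORT 192,168,0,3,215,5", CLIENT_PUBLIC),
        "PASV, pasv_address unset": check_pasv_reply(pasv_reply(SERVER_LAN, 50005), FORWARDED),
        "PASV, pasv_address public": check_pasv_reply(pasv_reply(SERVER_PUBLIC, 50005), FORWARDED),
    }


if __name__ == "__main__":
    for step, verdict in walk_through().items():
        print(f"{step:28} -> {verdict}")
```

Running it shows both quoted PORT commands being refused because 192.168.0.3 is not the address the control connection arrived from, while the PASV path succeeds only when pasv_address is the public address and the advertised port lies in the range the router forwards. Those two settings, plus the router's forwarding of that range, are the whole passive-mode checklist; a client's own NAT (the 192.168.0.3 above) can only be fixed on the client side or by an FTP-aware proxy.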
#7
jggimi, 26th September 2009

OK. -Now- I understand the problem.

Your choice of FTP server eliminates passive FTP as a possibility, since it resides behind a NAT router. Google "vsftpd nat" and read the first link.
#8
robbak (Robert Backhaus), 26th September 2009

FTP is an ornery beast, especially when you link it up with NAT and firewalls. I'd recommend doing some basic research so you know what FTP is trying to do.

Depending on what features your router has, it may not even be possible. You really are going to need an FTP proxy of some sort.
#9
jggimi, 26th September 2009

There's a good discussion of active/passive FTP and NAT in OpenBSD's PF Users Guide -- If Sunsawe replaces the turnkey SOHO router with FreeBSD or OpenBSD, PF and a version of ftp-proxy are available.

http://www.openbsd.org/faq/pf/ftp.html