How to configure VSFTPD?

[Sunsawe]

Hi all!

I am trying to configure VSFTPD to run on a box which is behing a router.
I can access it from inside the local network but not from outside.
This is my config file:

Quote:

############# Users settings ################
anonymous_enable=NO
chroot_local_user=YES
local_umask=022

############# Server settings ################
background=YES
dirmessage_enable=YES
guest_enable=NO
listen=YES
write_enable=YES
listen_port=21
max_clients=5
max_per_ip=2
pasv_max_port=160
pasv_min_port=150
guest_username=vsftpd_user
tcp_wrappers=YES
nopriv_user=vsftpd_user
local_enable=YES
pasv_address=XXXXXX (external address)

The ports are transfered from the router to the box. I can access it but the connection fails. It still replies with the internal network address sor the PORT command fails.

What am I doing wrong?

Thank you

[Carpetsmoker]

Are you using a firewall? If so, did you configure your firewall for FTP?

[jggimi]

Sunsawe: to clarify Carpetsmoker's question:

We can assume your router does Network Address Translation (NAT), so that all of the devices behind it share one single Internet address, and the systems on the local network are using "private" Internet addresses in one of these three ranges, per RFC 1918:

• 10.0.0.0 - 10.255.255.255 (10/8 CIDR)
• 172.16.0.0 - 172.31.255.255 (172.16/12 CIDR)
• 192.168.0.0 - 192.168.255.255 (192.168/16 CIDR)

These addresses are not used on the Internet itself, they are used in private networks.

Since all of the devices on your private LAN share the same Internet address, your router must keep track of the state of all sessions that go through it. This is automatic, for traffic that is initiated inside your LAN, headed out to the Internet. However, for -services- you operate, such as FTP, there is no pre-existing state to keep track of -- incoming traffic to the router from the Internet has to go somewhere, and your router must be told where on your LAN to forward it.

See your router owner's manual.

---

So a NAT router acts something like a firewall, in that if you have not set up a service on it, any unanticipated incoming traffic will be rejected, since the router doesn't know what to do with it.

[Sunsawe]

Hi,

There is actually no firewall activated on the box (which runs a Freebsd 7.2).

Regarding the router, I assume it is ok as I can access other services (http, ssh, database...). I can open the connexion to the ftp, but the server replies to the client with a local address (192.168....) thus it fails.
The error occurs when the client sends the PORT command.

[jggimi]

Describe the make/model of your router, and the FTP port forwarding you have provisioned.

[Sunsawe]

Thank you for your reply.
Please don't take it the wrong way but I think this has nothing to do with the router settings. This is what appears in the client dialog window:

Quote:

Trying XXX.XXX.XXX.XXX:21 (external address)
Connected on XXX.XXX.XXX.XXX:21
220 (vsFTPd 2.2.0)
USER user

331 Please specify the password.
PASS xxxx
230 Login successful.
SYST

215 UNIX Type: L8
TYPE I

200 Switching to Binary mode.
PWD

257 "/"
Charging directory / from the server (LC_TIME=fr_FR.UTF-8)
PORT 192,168,0,3,169,61

500 Illegal PORT command.

Before changing anything to the router (which may not be a problem) I would like to solve this which is an obvious problem. The server should return the external address and not the local one.
From an other client, I get this:

Quote:

Reply : 200 Switching to Binary mode.
Command : PASV
Reply : 500 OOPS: priv_sock_get_cmd
Command : PORT 192,168,0,3,215,5
Error : Connexion closed by the server

[jggimi]

OK. -Now- I understand the problem.

Your choice of FTP server eliminates passive FTP as a possibility, since it resides behind a NAT router. Google "vsftpd nat" and read the first link.

[robbak]

FTP is an ornary beast, especially when you link it up with NAT and firewalls. I'd recommend doing some basic research so you know what FTP is trying to do.

Depending on what features your router has, it may not even be possible. You really are going to need a ftp proxy of some sort.

[jggimi]

There's a good discussion of active/passive FTP and NAT in OpenBSD's PF Users Guide -- If Sunsawe replaces the turnkey SOHO router with FreeBSD or OpenBSD, PF and a version of ftp-proxy are available.

http://www.openbsd.org/faq/pf/ftp.html