On 05/05/2016 09:15 AM, Marcin Trendota wrote:
> Howdy
>
> I'm trying to run an FTP server behind a firewall. And I can't enable passive
> mode from the Internet. There are plenty of howtos but there aren't many
> with my combination.
>
> For now I have configured port forwarding and the ftp server itself.
>
> On the router:
> # firewall-cmd --list-all --zone=external
> external (active)
>   interfaces: enp3s1
>   sources:
>   services: openvpn ssh
>   ports: 1194/tcp 2666/tcp 88/tcp
>   masquerade: yes
>   forward-ports: port=21:proto=tcp:toport=:toaddr=10.0.32.7
>         port=10090-10100:proto=tcp:toport=:toaddr=10.0.32.7
>         port=88:proto=tcp:toport=80:toaddr=10.0.32.23
>   icmp-blocks:
>   rich rules:
>
> I also did:
> # modprobe ip_conntrack_ftp ports=10090,10100
>
>
> excerpt from vsftpd.conf on the FTP server:
> pasv_enable=Yes
> pasv_min_port=10090
> pasv_max_port=10100
> pasv_addr_resolve=Yes

Do you have pasv_addr set to the hostname of the server?

pasv_address
    Use this option to override the IP address that vsftpd will advertise in
    response to the PASV command. Provide a numeric IP address, unless
    pasv_addr_resolve is enabled, in which case you can provide a hostname
    which will be DNS resolved for you at startup.
    Default: (none - the address is taken from the incoming connected socket)

> From LAN or through VPN it works. But on the public address I can only
> log in, cannot turn into passive mode:
>
> Connected to ftp1.domain.com (xxx.xxx.xxx.xxx).
> 220 (vsFTPd 2.2.2)
> Name (ftp1.domain.com:root): user
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 227 Entering Passive Mode (10,0,32,7,39,111).
> ftp: connect: Connection timed out
>
> Also this IP looks weird - shouldn't it be public IP?
>
> What am I doing wrong?
> TIA.
-- 
Stephen Clark
*NetWolves Managed Services, LLC.*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com
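A small diagnostic for the failure discussed in this thread, added here as an example; it is not code from the original post or from vsftpd. It decodes the 227 reply the way an FTP client does (address from the first four numbers, port = p1*256 + p2) and then flags the two things that make a passive data connection through NAT time out: an RFC 1918 address leaking out in the reply (what happens when pasv_address is unset and vsftpd takes the address from the connected socket), and a data port outside the range the router forwards. The public address 203.0.113.10 is a placeholder assumption; the forwarded range 10090-10100 is taken from the firewall-cmd output above.

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 <text> (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Address blocks that an Internet client can never reach directly.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True if ip falls inside one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 PASV reply.

    Port is p1*256 + p2, so (10,0,32,7,39,111) decodes to 10.0.32.7:10095.
    """
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte out of range in %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def diagnose(reply, control_peer, forwarded_range):
    """Explain why the data connection following this reply may fail.

    control_peer    -- public address the client reached the control channel
                       on; this is what vsftpd should be advertising.
    forwarded_range -- (lo, hi) inclusive TCP range the router forwards to
                       the FTP host.
    Returns (ip, port, problems); an empty problems list means the client
    should be able to connect.
    """
    ip, port = parse_pasv(reply)
    problems = []
    if is_rfc1918(ip):
        problems.append(
            "advertised %s is an RFC 1918 address the Internet client cannot "
            "reach; set pasv_address to the public IP (or a resolvable "
            "hostname with pasv_addr_resolve=YES)" % ip)
    elif ip != control_peer:
        problems.append("advertised %s differs from control-channel peer %s"
                        % (ip, control_peer))
    lo, hi = forwarded_range
    if not lo <= port <= hi:
        problems.append("port %d is outside the forwarded range %d-%d; align "
                        "pasv_min_port/pasv_max_port with the router rule"
                        % (port, lo, hi))
    return ip, port, problems


if __name__ == "__main__":
    # Constructed inputs: the reply quoted in the thread, a hypothetical
    # corrected one, and one with a port past the forwarded range.
    # 203.0.113.10 stands in for the server's public IP (assumption).
    PUBLIC_IP = "203.0.113.10"
    FORWARDED = (10090, 10100)
    for reply in ("227 Entering Passive Mode (10,0,32,7,39,111).",
                  "227 Entering Passive Mode (203,0,113,10,39,111).",
                  "227 Entering Passive Mode (203,0,113,10,39,120)."):
        ip, port, problems = diagnose(reply, PUBLIC_IP, FORWARDED)
        print("%s:%d -> %s" % (ip, port, problems or "OK"))
```

Run against the reply quoted above, the script decodes it to 10.0.32.7:10095, which does sit inside the 10090-10100 range the router forwards, so the only finding is the private address, consistent with the pointer to pasv_address. The check does not cover the ip_conntrack_ftp side (whether the helper is actually tracking the control connection on the router); that still has to be confirmed on the router itself.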