NAT and vsftpd help pls



  • I have set up vsftpd as in https://www.digitalocean.com/community/tutorials/how-to-set-up-vsftpd-for-a-user-s-directory-on-ubuntu-16-04

    And forwarded ports as in https://snag.gy/YmTbo0.jpg

    Is it the right way to do so?

    When I check open ports, all others except 21 are closed for some reason?!

    Thx


  • Rebel Alliance Developer Netgate

    vsftpd won't actually respond on any of those other ports except during a real FTP connection when it will accept connections from clients only on certain ports it designates for that client.

    The only way to test the other ports, besides 21, is with an actual FTP client in passive mode outside your network (on WAN somewhere, or on the Internet).

    Also, in your vsftpd.conf, you will need to set pasv_address=x.x.x.x where x.x.x.x is your real external WAN IP address.



  • @jimp:

    vsftpd won't actually respond on any of those other ports except during a real FTP connection when it will accept connections from clients only on certain ports it designates for that client.

    The only way to test the other ports, besides 21, is with an actual FTP client in passive mode outside your network (on WAN somewhere, or on the Internet)

    Also, in your vsftpd.conf, you will need to set pasv_address=x.x.x.x where x.x.x.x is your real external WAN IP address.

    If I read you correctly I need to keep port forwarding as is.
    ref: pasv_address - it's working now, do I still need to enable it?

    It's odd but snort seems to be throwing alerts about ftp connections ?!


  • Rebel Alliance Global Moderator

    Have to wonder why you don't take the advice they give right up front and use a more secure, and easier-to-set-up, option like SFTP? Then you don't have to deal with an active or passive data channel through a NAT.


  • Rebel Alliance Developer Netgate

    @chudak:

    If I read you correctly I need to keep port forwarding as is.

    Yes, though maybe even not all of those ports are required. Usually just 20-21 plus the pasv range.

    @chudak:

    ref: pasv_address - it's working now, do I still need to enable it?

    It may work with some clients like Filezilla which are smart enough to use the correct address anyhow, but other clients will break without that set.

    @chudak:

    It's odd but snort seems to be throwing alerts about ftp connections ?!

    That's between you and your snort config.



  • Hi,

    just in case you have problems: I just did the setup with a CARP address on WAN.

    1. Create a NAT forward for port 21 to the internal IP
    2. Create a NAT forward for the passive ports (like 20000 to 20010) to the internal IP
    3. Add the following lines to vsftpd.conf

    pasv_enable=YES
    pasv_address=CARPWANIP
    pasv_min_port=20000
    pasv_max_port=20010


    4. Search for listen_ipv6=YES, comment this out and add listen=YES

    If you don't do step 4 you will see on the external FTP client something like:

    ftp> dir
    227 Entering Passive Mode (0,0,0,0,78,39).
    ftp: connect: Connection refused
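Two things in this thread are easy to get wrong and hard to see from inside the LAN: whether vsftpd.conf actually carries a usable pasv_address (jimp's point above), and whether the address and port the server advertises in its "227 Entering Passive Mode" reply match the NAT forwards (the 0,0,0,0 symptom in the last post). The script below is an added example, not code from the thread, vsftpd or pfSense: it parses a constructed vsftpd.conf fragment and a few constructed 227 replies, decodes the (h1,h2,h3,h4,p1,p2) tuple into an address and port, and flags an unspecified or RFC 1918 address or a data port outside the forwarded range. The WAN address 203.0.113.10 and the 192.168.1.50 LAN address are placeholders.

```python
"""Check an FTP passive-mode setup behind NAT from the outside.

 1. parse a vsftpd.conf fragment and derive the expected pasv settings;
 2. parse a "227 Entering Passive Mode" reply and confirm the advertised
    address and port are what the NAT port forwards expect.
All sample data below is constructed for this example.
"""
import ipaddress
import re

# Constructed vsftpd.conf fragment; 203.0.113.10 is a documentation-range
# placeholder standing in for the real CARP/WAN address.
SAMPLE_CONF = """\
# listen_ipv6=YES      <- commented out, as step 4 in the thread says
listen=YES
pasv_enable=YES
pasv_address=203.0.113.10
pasv_min_port=20000
pasv_max_port=20010
"""

# Constructed 227 replies as an external client might see them.
REPLY_OK = "227 Entering Passive Mode (203,0,113,10,78,39)."
REPLY_ZERO = "227 Entering Passive Mode (0,0,0,0,78,39)."       # pasv_address not applied
REPLY_LAN = "227 Entering Passive Mode (192,168,1,50,78,39)."   # internal address advertised
REPLY_PORT = "227 Entering Passive Mode (203,0,113,10,80,0)."   # port outside forwarded range

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_vsftpd_conf(text):
    """Return key/value pairs from vsftpd.conf text, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def parse_pasv_reply(reply):
    """Decode the (h1,h2,h3,h4,p1,p2) tuple of a 227 reply into (address, port)."""
    m = PASV_RE.match(reply.strip())
    if m is None:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % reply)
    return ipaddress.IPv4Address("%d.%d.%d.%d" % (h1, h2, h3, h4)), p1 * 256 + p2


def conf_problems(conf):
    """Static checks on the parsed config (vsftpd defaults pasv_enable to YES)."""
    problems = []
    if conf.get("pasv_enable", "YES").upper() != "YES":
        problems.append("pasv_enable is not YES; passive data connections are disabled")
    if "pasv_address" not in conf:
        problems.append("pasv_address unset; external clients may be told the internal address")
    if conf.get("listen_ipv6", "").upper() == "YES" and conf.get("listen", "").upper() != "YES":
        problems.append("listen_ipv6=YES without listen=YES; the thread reports 0,0,0,0 in 227 replies")
    return problems


def check_reply(reply, conf):
    """Compare what the server advertised with what the NAT forwards expect."""
    addr, port = parse_pasv_reply(reply)
    expected = ipaddress.IPv4Address(conf["pasv_address"])
    lo, hi = int(conf["pasv_min_port"]), int(conf["pasv_max_port"])
    problems = []
    if addr.is_unspecified:
        problems.append("server advertised 0.0.0.0; the client will refuse the data connection")
    elif any(addr in net for net in RFC1918):
        problems.append("server advertised RFC 1918 address %s; unreachable from the WAN" % addr)
    elif addr != expected:
        problems.append("advertised %s but pasv_address is %s" % (addr, expected))
    if not lo <= port <= hi:
        problems.append("data port %d is outside the forwarded range %d-%d" % (port, lo, hi))
    return addr, port, problems


if __name__ == "__main__":
    conf = parse_vsftpd_conf(SAMPLE_CONF)
    print("conf problems:", conf_problems(conf) or "none")
    for reply in (REPLY_OK, REPLY_ZERO, REPLY_LAN, REPLY_PORT):
        addr, port, problems = check_reply(reply, conf)
        print(reply, "->", addr, port, problems or "ok")
```

Run it against a 227 line captured by a client on the WAN side (the `ftp> dir` output above is exactly that) and against the live vsftpd.conf; an advertised 0.0.0.0 or LAN address is a server-side config problem, whereas a correct address with a port outside the range points at the NAT forwards.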