425 Security: Bad IP connecting.



  • I have a FTP server behind a Pfsense firewall. I want users can access the FTP server and upload files from the Internet. To do that, i added 3 port forward rule that map 20,21 and a specific port range (for passive mode) from external to the same ports in internal ip address. I can connect to FTP server but when the passive mode in on and i want to upload a file i get "425 Security: Bad IP connecting" error . this is the output from terminal :

    (x.x.x.x -> External ip address
    y,y,y,y -> internal ip address)

    ftp x.x.x.x
    Connected to x.x.x.x
    220 (vsFTPd 3.0.3)
    Name (x.x.x.x:username): username
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pass
    Passive mode on.
    ftp> put file
    local: file remote: file
    227 Entering Passive Mode (y,y,y,y,39,108).
    425 Security: Bad IP connecting.
    ftp>

    and also when i try to upload a file in active mode , i get this error :

    ftp: bind: Address already in use.

    but when i connect to FTP locally the TCP connect6 established completely. this is the output when i connect locally :

    ftp y.y.y.y
    Connected to y.y.y.y.
    220 (vsFTPd 3.0.3)
    Name (y.y.y.y:username): username
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pass
    Passive mode on.
    ftp> put file
    local: file remote: file
    227 Entering Passive Mode (y,y,y,y,39,112).
    150 Ok to send data.
    226 Transfer complete.
    ftp>

    and this is the configuration of my FTP server :
    listen=NO
    listen_ipv6=YES
    listen_ipv6=YES
    write_enable=YES
    local_umask=077
    dirmessage_enable=YES
    use_localtime=YES
    xferlog_enable=YES
    connect_from_port_20=YES
    xferlog_std_format=YES
    pam_service_name=vsftpd
    rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    pam_service_name=vsftpd
    rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
    rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
    ssl_enable=NO
    port_enable=NO
    pasv_addr_resolve=YES
    pasv_enable=YES
    pasv_max_port=10100
    pasv_min_port=10090

    i googled it, but i don't know it's related to pfsense or vsftpd. is there anybody can help to resolve the problem ?

    thank you.


  • LAYER 8 Rebel Alliance

    Best practise would be you switch to SFTP.
    It is fully encrypted and everything flows via one port, no fumbling with active/passive stuff. ☺

    -Rico



  • @Rico if there is not a clear solution i have to. but i prefer to try resolve the issue.


  • LAYER 8 Rebel Alliance

    FTP via Internet is just BAD...you send everything pure plain, even the login credentials. 👻

    -Rico


  • LAYER 8 Global Moderator

    This has been gone over like a 100+ times... You do not need to forward 20, ever!!! You need to forward the passive ports your going to use, and you need to make sure your ftp server hands out your actual public IP vs its rfc1918 address.

    But again as rico says ftp BAD! ;) Use sftp and now you don't have to worry about any of the active passive stuff on the data channel.


Log in to reply