425 Security: Bad IP connecting.

2008mcitp

I have a FTP server behind a Pfsense firewall. I want users can access the FTP server and upload files from the Internet. To do that, i added 3 port forward rule that map 20,21 and a specific port range (for passive mode) from external to the same ports in internal ip address. I can connect to FTP server but when the passive mode in on and i want to upload a file i get "425 Security: Bad IP connecting" error . this is the output from terminal :

(x.x.x.x -> External ip address
y,y,y,y -> internal ip address)

ftp x.x.x.x
Connected to x.x.x.x
220 (vsFTPd 3.0.3)
Name (x.x.x.x:username): username
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pass
Passive mode on.
ftp> put file
local: file remote: file
227 Entering Passive Mode (y,y,y,y,39,108).
425 Security: Bad IP connecting.
ftp>

and also when i try to upload a file in active mode , i get this error :

ftp: bind: Address already in use.

but when i connect to FTP locally the TCP connect6 established completely. this is the output when i connect locally :

ftp y.y.y.y
Connected to y.y.y.y.
220 (vsFTPd 3.0.3)
Name (y.y.y.y:username): username
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pass
Passive mode on.
ftp> put file
local: file remote: file
227 Entering Passive Mode (y,y,y,y,39,112).
150 Ok to send data.
226 Transfer complete.
ftp>

and this is the configuration of my FTP server :
listen=NO
listen_ipv6=YES
listen_ipv6=YES
write_enable=YES
local_umask=077
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
rsa_private_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
ssl_enable=NO
port_enable=NO
pasv_addr_resolve=YES
pasv_enable=YES
pasv_max_port=10100
pasv_min_port=10090

i googled it, but i don't know it's related to pfsense or vsftpd. is there anybody can help to resolve the problem ?

thank you.

Rico

Best practise would be you switch to SFTP.
It is fully encrypted and everything flows via one port, no fumbling with active/passive stuff.

-Rico

2008mcitp

@Rico if there is not a clear solution i have to. but i prefer to try resolve the issue.

Rico

FTP via Internet is just BAD...you send everything pure plain, even the login credentials.

-Rico

johnpoz

This has been gone over like a 100+ times... You do not need to forward 20, ever!!! You need to forward the passive ports your going to use, and you need to make sure your ftp server hands out your actual public IP vs its rfc1918 address.

But again as rico says ftp BAD! ;) Use sftp and now you don't have to worry about any of the active passive stuff on the data channel.