blocking passive ftp in LAN
-
Hi,
Using 2.4.5-RELEASE, I have an FTP server working on the LAN, pureftpd on linux 18.04. For remote access I've defined 1:1 NAT with my external IP address, and it works without any problem: users can upload/download files without any problem.
But when I try to reach it through the LAN, the FTP client does this:
Status: Disconnected from server
Status: Connecting to 192.168.1.253:21...
Status: Connection established, waiting for welcome message...
Status: Plain FTP is insecure. Please switch to FTP over TLS.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (XXX,XXX,XXX,XXX,156,215)
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
According to my passive FTP configuration file it's trying to connect to my WAN IP, but somehow it's failing.
I did define LAN rules as: source any, destination MY_WAN_IP, destination port range any, but that didn't solve the problem. Also, if I don't use 1:1 NAT, external users have the same problem. My passive FTP uses 21,40110:40210; when I forward those ports to my server, both LAN and WAN users have the same problem. All other port forwardings to the same server work perfectly, but I'm stuck at plain FTP connections.
What am I doing wrong here?
-
Hi,
When you connect to your FTP server on the same LAN as your device (PC), have this FTP client using Active mode (?).
Another "without reading the pureftp manual" idea is: set up two FTP servers: one passive, accepting connections from the WAN (entire Internet), and another, running in active mode, accepting local connections. This second server should not use port "21" but another port, for example "2121". It's just for your own, local access.
-
@Gertjan
"When you connect to your FTP server on the same LAN as your device (PC), have this FTP client using Active mode (?)."
Active mode in the LAN just works fine, but I cannot log in through passive mode.
A second FTP server to accept only LAN connections through 2121 seems like a good idea; let me work on that.
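
Added example, not part of any post in this thread: a Python check that decodes a 227 reply like the one in the client log, compares the port with the 21,40110:40210 configuration quoted in the first post, and flags the case where a LAN client is handed a non-LAN address, so the data connection has to loop back (hairpin) through the firewall. The address 203.0.113.10 (standing in for the redacted WAN IP), the 192.168.1.0/24 subnet, the client addresses and the function names are assumptions.

```python
import ipaddress
import re

# 227 reply body per RFC 959: (h1,h2,h3,h4,p1,p2); data port = p1*256 + p2
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")

def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or raise ValueError."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]

def diagnose(reply, client_ip, lan_cidr, port_range):
    """Return a list of findings for one PASV reply seen by one client."""
    ip, port = parse_pasv(reply)
    lan = ipaddress.ip_network(lan_cidr)
    client_on_lan = ipaddress.ip_address(client_ip) in lan
    lo, hi = port_range
    findings = []
    if not lo <= port <= hi:
        findings.append("port %d outside passive range %d-%d" % (port, lo, hi))
    if client_on_lan and ip not in lan:
        findings.append("LAN client told to use non-LAN address %s:%d; the data "
                        "connection must hairpin through the firewall" % (ip, port))
    if not client_on_lan and ip in lan:
        findings.append("WAN client told to use LAN address %s, which it "
                        "cannot route to" % ip)
    return findings

# Constructed samples: 203.0.113.10 stands in for the redacted WAN address;
# the LAN subnet is assumed from the server address 192.168.1.253 in the log.
LAN = "192.168.1.0/24"
RANGE = (40110, 40210)  # passive port range quoted in the thread
WAN_REPLY = "227 Entering Passive Mode (203,0,113,10,156,215)"
LAN_REPLY = "227 Entering Passive Mode (192,168,1,253,156,215)"

if __name__ == "__main__":
    for reply, client in [(WAN_REPLY, "192.168.1.50"), (LAN_REPLY, "192.168.1.50"),
                          (LAN_REPLY, "198.51.100.7")]:
        print(client, parse_pasv(reply), diagnose(reply, client, LAN, RANGE))
```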