
After forcing strict firewall rules (deny everything) and creating the following exceptions with ufw:

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
22/tcp                     LIMIT       Anywhere
21/tcp                     ALLOW       Anywhere
990/tcp                    ALLOW       Anywhere
20/tcp                     ALLOW       Anywhere
989/tcp                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
22/tcp (v6)                LIMIT       Anywhere (v6)
21/tcp (v6)                ALLOW       Anywhere (v6)
990/tcp (v6)               ALLOW       Anywhere (v6)
20/tcp (v6)                ALLOW       Anywhere (v6)
989/tcp (v6)               ALLOW       Anywhere (v6)

I'm still not able to log in via an FTP client such as FileZilla. Using `ufw disable` allows the connection without problems. I bet there is some port I missed. There is a vsftpd server running on the Linux machine. The connection is made via explicit FTP over TLS. The client's log when ufw is enabled is:

Status: Connecting to xx.xx....
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Server does not support non-ASCII characters.
Status: Logged in
Status: Retrieving directory listing...
Command:    PWD
Response:   257 "/" is the current directory
Command:    TYPE I
Response:   200 Switching to Binary mode.
Command:    PASV
Response:   227 Entering Passive Mode (85,255,3,229,40,216).
Command:    LIST
Error:  Connection timed out after 20 seconds of inactivity
Error:  Failed to retrieve directory listing
  • `227 Entering Passive Mode` and [this](https://stackoverflow.com/a/1699163/10765659). – Kamil Maciorowski Jul 11 '20 at 15:25
  • [This answer](https://superuser.com/a/1091742/432690) to the linked duplicate is in the context of Windows, but the root issue is the same. Your FTP server opens another port (represented by two bytes: `40,216` in the log) but the strict firewall rules deny the connection. – Kamil Maciorowski Jul 11 '20 at 15:39
  • Thank you. I'm still a beginner in networking and on the SU forum, so sorry for the duplicate. The problem was not on the client side. The server's vsftpd.conf contained a wrong passive port range. For anyone having the same problem: do for example `ufw allow 5000:5010/tcp` and then edit `/etc/vsftpd.conf`, fields `pasv_max_port=5000`, `pasv_min_port=5010`. In the end, restart the service via `/etc/init.d/vsftpd restart`. – Jakub Maly Jul 12 '20 at 10:08
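The root cause discussed in the comments is that the server's `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply names a data port (`p1*256 + p2`) that lies outside whatever range the firewall permits, so the control connection succeeds but `LIST` hangs. The following POSIX shell script is an added example, not code from the question, the comments or the vsftpd project: it decodes the 227 reply from the log above (the `85,255,3,229,40,216` tuple is taken from the page), checks whether the resulting port falls inside a hypothetical 5000-5010 passive range, and prints the matching `vsftpd.conf` directives and `ufw` rule so the two stay consistent. It uses the stock `pasv_min_port`/`pasv_max_port` directive names and assumes the lower bound is the smaller number, which the range check enforces.

```shell
#!/bin/sh
# Added example (not from the question or comments): decode an FTP
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply, compute the
# data-connection port, and compare it with the passive range the
# firewall allows.

# Extract the six comma-separated numbers between the parentheses.
pasv_tuple() {
    printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p'
}

# pasv_data_port "227 ... (85,255,3,229,40,216)." -> 40*256+216 = 10456
pasv_data_port() {
    tuple=$(pasv_tuple "$1")
    [ -n "$tuple" ] || return 1
    p1=$(printf '%s\n' "$tuple" | cut -d, -f5)
    p2=$(printf '%s\n' "$tuple" | cut -d, -f6)
    [ -n "$p1" ] && [ -n "$p2" ] || return 1
    echo $((p1 * 256 + p2))
}

# pasv_data_host "227 ... (85,255,3,229,40,216)." -> 85.255.3.229
pasv_data_host() {
    tuple=$(pasv_tuple "$1")
    [ -n "$tuple" ] || return 1
    printf '%s\n' "$tuple" | cut -d, -f1-4 | tr , .
}

# port_in_range PORT MIN MAX -> exit 0 if MIN <= PORT <= MAX,
# exit 2 if the range itself is inverted (min above max).
port_in_range() {
    if [ "$2" -gt "$3" ]; then
        echo "invalid range: min ($2) exceeds max ($3)" >&2
        return 2
    fi
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Print the vsftpd.conf passive-mode lines and the ufw rule that must
# cover exactly the same range (hypothetical bounds supplied by the caller).
pasv_config() {
    min=$1; max=$2
    [ "$min" -le "$max" ] || return 2
    printf 'pasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' "$min" "$max"
    printf '# matching firewall rule: sudo ufw allow %s:%s/tcp\n' "$min" "$max"
}

# Demo on the constructed inputs: the 227 reply from the question's log
# and a hypothetical 5000-5010 passive range. Run with: sh script.sh demo
if [ "${1:-}" = "demo" ]; then
    reply='227 Entering Passive Mode (85,255,3,229,40,216).'
    port=$(pasv_data_port "$reply")
    echo "data connection goes to $(pasv_data_host "$reply"):$port"
    if port_in_range "$port" 5000 5010; then
        echo "port $port is inside the allowed passive range"
    else
        echo "port $port is outside 5000-5010: the firewall would drop the LIST data connection"
    fi
    pasv_config 5000 5010
fi
```

Running the demo shows the server handing out port 10456 while the firewall only admits 5000-5010, which is exactly the timeout seen after `LIST` in the log; once `pasv_min_port`/`pasv_max_port` in `vsftpd.conf` and the `ufw allow` range agree, every port the server advertises is reachable.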

0 Answers