How to configure vsftpd to work with passive mode

Solution 1:

To configure passive mode for vsftpd you need to set some parameters in vsftpd.conf.

pasv_enable=Yes
pasv_max_port=10100
pasv_min_port=10090

This enables passive mode and restricts it to using the eleven ports for data connections. This is useful as you need to open these ports on your firewall.

iptables -I INPUT -p tcp --destination-port 10090:10100 -j ACCEPT

If after testing this all works then save the state of your firewall with

service iptables save

which will update the /etc/sysconfig/iptables file.

To do this is CentOS 7 you have to use the new firewalld, not iptables:

Find your zone:

# firewall-cmd --get-active-zones
public
  interfaces: eth0

My zone is 'public', so I set my zone to public, add the port range, and after that we reload:

# firewall-cmd --permanent --zone=public --add-port=10090-10100/tcp
# firewall-cmd --reload

What happens when you make a connection

  • Your client makes a connection to the vsftpd server on port 21.

  • The sever responds to the client telling it which port to connect to from the range specified above.

  • The client makes a data connection on the specified port and the session continues.

There is a great explanation of the different ftp modes here.

Solution 2:

To enable passive mode, set the following configuration options in your vsftp.conf:

pasv_enable=YES
pasv_min_port=41361
pasv_max_port=65534
pasv_address=xxx.xxx.xxx.xxx

You can of course change the start and end port, and should replace the xxx's with the public IP of your server.

In addition, you should open the passive mode port range in your firewall. On centos, you can load the ip_conntrack_ftp module to handle ftp connections in your firewall. Edit /etc/sysconfig/iptables-config and add ip_conntrack_ftp to the IPTABLES_MODULES option. Afterwards restart iptables:

/sbin/service iptables restart

Solution 3:

Beside the pasv_enable=YES, specify a port range in which VSFTP will run PASV mode:

pasv_min_port=50000
pasv_max_port=50999
port_enable=YES

Don't forget to configure iptables allows packet transmission on these ports:

iptables -I INPUT -p tcp --dport 50000:50999 -j ACCEPT

Solution 4:

Usually, it's not the ftp server, vsftpd, but the firewall like iptable that prevents passive mode from being used (blocking tcp connection needed for data transfert).


Solution 5:

I had to do the following steps to get vsftp passive mode working on CentOS 8:

Enable passive mode in vsftpd config /etc/vsftpd/vsftpd.config:

pasv_enable=Yes
pasv_min_port=50000
pasv_max_port=50999

Enable ftp Service in firewalld:

firewall-cmd --permanent --zone=public --add-service=ftp
firewall-cmd --reload

As mentioned in another post you have to load the kernel module "nf_conntrack_ftp" (which was already the case in CentOS 8) and enable "nf_conntrack_helper" in kernel settings:

echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

Add this line to /etc/sysctl.conf (or /etc/sysctl.d/10-nf_conntrack_helper.conf when /etc/sysctl.d/ is present) for a reboot persistent setting:

net.netfilter.nf_conntrack_helper=1

With connection track enabled there is no need to additional configure the passive ports in the local firewall.

Tags:

Ftp

Centos

Vsftpd