How to configure vsftpd to work with passive mode
Solution 1:
To configure passive mode for vsftpd you need to set some parameters in vsftpd.conf.
pasv_enable=Yes
pasv_max_port=10100
pasv_min_port=10090
This enables passive mode and restricts it to using the eleven ports for data connections. This is useful as you need to open these ports on your firewall.
iptables -I INPUT -p tcp --destination-port 10090:10100 -j ACCEPT
If after testing this all works then save the state of your firewall with
service iptables save
which will update the /etc/sysconfig/iptables file.
To do this in CentOS 7 you have to use the new firewalld, not iptables:
Find your zone:
# firewall-cmd --get-active-zones
public
interfaces: eth0
My zone is 'public', so I set my zone to public, add the port range, and after that reload:
# firewall-cmd --permanent --zone=public --add-port=10090-10100/tcp
# firewall-cmd --reload
What happens when you make a connection
Your client makes a connection to the vsftpd server on port 21.
The server responds to the client telling it which port to connect to from the range specified above.
The client makes a data connection on the specified port and the session continues.
There is a great explanation of the different ftp modes here.
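The exchange described above, as an added example that is not part of the original answer: a POSIX shell check that decodes the data port a vsftpd "227 Entering Passive Mode" reply advertises and verifies it falls inside the pasv_min_port/pasv_max_port range the firewall rule opens. The 10090..10100 range comes from this answer; the reply lines are constructed, and pasv_port and pasv_port_allowed are names chosen for this example.

```shell
#!/bin/sh
# Added example: FTP encodes the passive data port in the 227 reply as two
# bytes, port = p1*256 + p2. If that port is outside the range opened in the
# firewall, the control connection works but every data transfer hangs.

PASV_MIN=10090   # pasv_min_port from vsftpd.conf
PASV_MAX=10100   # pasv_max_port from vsftpd.conf

# pasv_port REPLY -> prints the data port encoded in a 227 reply,
# returns 1 when the reply carries no (h1,h2,h3,h4,p1,p2) tuple.
pasv_port() {
    _fields=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$_fields" ] || return 1
    _p1=$(printf '%s\n' "$_fields" | cut -d, -f5)
    _p2=$(printf '%s\n' "$_fields" | cut -d, -f6)
    [ -n "$_p1" ] && [ -n "$_p2" ] || return 1
    echo $((_p1 * 256 + _p2))
}

# pasv_port_allowed REPLY -> exit 0 if the advertised port lies inside
# PASV_MIN..PASV_MAX (the iptables/firewalld rule above will accept the data
# connection), 1 otherwise.
pasv_port_allowed() {
    _port=$(pasv_port "$1") || return 1
    [ "$_port" -ge "$PASV_MIN" ] && [ "$_port" -le "$PASV_MAX" ]
}

# Constructed sample replies: 39*256+110 = 10094 is inside the range,
# 39*256+200 = 10184 is outside it (the firewall would drop that connection).
SAMPLE_OK="227 Entering Passive Mode (192,168,1,10,39,110)."
SAMPLE_BAD="227 Entering Passive Mode (192,168,1,10,39,200)."

# Stand-alone run: report both samples.
for reply in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    if pasv_port_allowed "$reply"; then
        echo "port $(pasv_port "$reply"): inside configured range"
    else
        echo "port $(pasv_port "$reply"): OUTSIDE configured range, check firewall"
    fi
done
```

To check a live server, feed it the 227 line captured from an `ftp -v` session or from the vsftpd log instead of the constructed samples.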
Solution 2:
To enable passive mode, set the following configuration options in your vsftpd.conf:
pasv_enable=YES
pasv_min_port=41361
pasv_max_port=65534
pasv_address=xxx.xxx.xxx.xxx
You can of course change the start and end port, and should replace the xxx's with the public IP of your server.
In addition, you should open the passive mode port range in your firewall. On CentOS, you can load the ip_conntrack_ftp module to handle ftp connections in your firewall. Edit /etc/sysconfig/iptables-config and add ip_conntrack_ftp to the IPTABLES_MODULES option. Afterwards restart iptables:
/sbin/service iptables restart
Solution 3:
Besides pasv_enable=YES, specify a port range in which VSFTP will run PASV mode:
pasv_min_port=50000
pasv_max_port=50999
port_enable=YES
Don't forget to configure iptables to allow packet transmission on these ports:
iptables -I INPUT -p tcp --dport 50000:50999 -j ACCEPT
Solution 4:
Usually, it's not the ftp server, vsftpd, but the firewall, like iptables, that prevents passive mode from being used (blocking the tcp connection needed for the data transfer).
Solution 5:
I had to do the following steps to get vsftpd passive mode working on CentOS 8:
Enable passive mode in vsftpd config /etc/vsftpd/vsftpd.config:
pasv_enable=Yes
pasv_min_port=50000
pasv_max_port=50999
Enable ftp Service in firewalld:
firewall-cmd --permanent --zone=public --add-service=ftp
firewall-cmd --reload
As mentioned in another post you have to load the kernel module "nf_conntrack_ftp" (which was already the case in CentOS 8) and enable "nf_conntrack_helper" in kernel settings:
echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
Add this line to /etc/sysctl.conf (or /etc/sysctl.d/10-nf_conntrack_helper.conf when /etc/sysctl.d/ is present) for a reboot persistent setting:
net.netfilter.nf_conntrack_helper=1
With connection tracking enabled there is no need to additionally configure the passive ports in the local firewall.