Author Topic: ftp fails to list unless ip manually whitelisted in firewall  (Read 4257 times)

0 Members and 2 Guests are viewing this topic.

Offline
*
ftp fails to list unless ip manually whitelisted in firewall
« on: March 04, 2021, 05:06:34 AM »
Using Filezillla and WINSCP, FTP authentication works but fails to list the directory contents and sometimes even fails to connect on FTP/SSH unless I whitelist the user's public IP manually in firewall. It is not possible to manually whitelist IPs of users every time they want to use FTP/SSH. How to solve this issue?

I have manually configured ports number for SSH(2349) and FTP (2248)

I tried editing /etc/pure-ftpd/pure-ftpd.conf
putting my public IP to ForcePassiveIP
also assigned PassivePortRange as 2248 35000

But nothing worked

Sample Log of Filezilla / WinSCP

Code: [Select]
Status: Resolving address of siteseas.com
Status: Connecting to 34.93.250.119:2248...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Status: Disconnected from server
Status: Resolving address of siteseas.com
Status: Connecting to 34.93.250.119:2248...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Error: Connection attempt interrupted by user
Status: Disconnected from server
Status: Resolving address of siteseas.com
Status: Connecting to 34.93.250.119:2248...
Status: Connection established, waiting for welcome message...
Status: Plain FTP is insecure. Please switch to FTP over TLS.
Status: Logged in
Status: Retrieving directory listing...
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Status: Disconnected from server
Status: Resolving address of siteseas.com
Status: Connecting to 34.93.250.119:2248...
Status: Connection established, waiting for welcome message...
Status: Plain FTP is insecure. Please switch to FTP over TLS.
Status: Logged in
Status: Retrieving directory listing...
Status: Server sent passive reply with unroutable address. Using server address instead.
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
« Last Edit: March 04, 2021, 05:54:40 AM by shobhit »

Offline
*
Re: ftp fails to list unless ip manually whitelisted in firewall
« Reply #1 on: March 05, 2021, 02:04:46 PM »
FTP doesn't just use a single port (e.g. 2248 in your example), it uses this port only for sending commands to the server. The actual data is sent and received over a range of separate ports. That's what you set via PassivePortRange. However, you cannot use the same port for the data and for the commands. So use something like this instread:
PassivePortRange as 30000 35000

Then you also need to allow this same port range (30000-35000) as incoming TCP ports in your firewall. This is not a security risk, the FTP server will open a port in this range just for the transfer, send or receive the data, and then close the port.

Offline
*
Re: ftp fails to list unless ip manually whitelisted in firewall
« Reply #2 on: March 06, 2021, 05:20:04 AM »
Hey @chrisg ... this did the job. Whitelisting of ips in firewall was the step I was missing... Thanx a lot for your support