Configuring vsFtp

NethServer Version: 7.7.1908
Module: vsftp

I have a Nethserver installation, behind a pfSense firewall. The nethserver has only a green network.
I have enabled vsftp from the Web Server application and left everything as default.

I’m able to use ftp from the same subnet, but when I try from the external network, passing through the pfSense the connection fails. I have redirected port 21 and the range from 30000 to 30999 to the Nethserver, using pfSense, but it seems not to be enough.

From the log I have:

Mon Dec 2 22:42:23 2019 [pid 13429] CONNECT: Client “192.168.0.99”
Mon Dec 2 22:42:23 2019 [pid 13428] [xxxxxxxxx] OK LOGIN: Client “192.168.0.99”

and nothing else, the ftp client tries to retrieve the list of files but the request times out.

I have also tried to create a template-custom/etc/vsftp/vsftp.conf/90active file, to configure vsftp in active mode, but it does not seem to work. The vsftp.conf file does not have the additional lines contained in the 90active file, and in any case I would prefer the passive mode.

Is there something I need to configure on the firewall? Or any other information I need to add to the vsftp.conf?

Thank you

Andrea


Did you expand the template after creating a custom one?

expand-template /etc/vsftp/vsftp.conf


Thank you for your reply,

I have tried and I received this error:

[root@mars ~]# expand-template /etc/vsftp/vsftp.conf
ERROR: Cannot create output file //etc/vsftp/vsftp.conf.21549 No such file or directory at /sbin/e-smith/expand-template line 45.

But, I’m wondering why the passive mode is not working, I have forwarded all the ports to the Nethserver, so there should be something blocking the connection from other networks.

Thank you,
Andrea

I have made other tests.

It seems that the passive ports are different from the configuration. This is the result of the netstat command:

tcp 0 1 xxx.xxxxxx.xxxx:34819 192.168.0.99:49218 SYN_SENT

The port is 34819, but the vsftp.conf has:

pasv_min_port=30000
pasv_max_port=30999

I have also tried to modify the NAT rule in pfSense, but still it does not work.

Thank you

Andrea

Is your custom template at the correct folder?

/etc/e-smith/templates-custom/etc/vsftp/vsftp.conf/

I ask because you wrote template-custom without an s.

Second idea is to look at

/etc/vsftp/

if the config file exists.

Perhaps @support_team could help here.

Are you telling the client to use passive? AFAIK vsftp is in active mode by default.

Cheers.

Hi, thank you for your reply.

You are right, I forgot an s. But the folder is correct, the additional template is in /etc/e-smith/templates-custom/etc/vsftp/vsftp.conf/ and it is called 90active.

And yes, vsftp.conf exists in /etc/vsftp/

Thank you
Andrea

Thank you, Eddie. Yes, the client is configured to use passive mode.
Andrea

The reason I asked is because when in active mode, I see a response back from the server to client that uses high ports, but not the ones defined for passive transfer. Here’s what a netstat shows, on my server, seconds after a client requested data, hence the TIME_WAIT as the port was closed following the transfer:

tcp        0      0 192.168.0.254:21        192.168.0.1:48806       ESTABLISHED
tcp        0      0 192.168.0.254:39745     192.168.0.1:56083       TIME_WAIT

254 is the server, 1 is the client

Again, this is with the default configuration.

Cheers.

Hi, this is exactly what I see on my system, when I connect from inside the same network. When I connect from outside the second line is not in the TIME_WAIT status, since the client cannot connect, it stays in listen.

But now, I understood what is happening, when the first connection is established, the server returns to the client the ipaddress and the port for the data transfer connection, and the IP address is the private one 192.168.10.95, instead of the public one (the one of the pfSense that will redirect the connection).

There should be a configuration in vsftp.conf with the IP address or the FQDN to be returned to manage the case where the FTP server is behind a proxy (or at least, there is such a configuration in the proftp server).

Thank you
Andrea

Or you need the ftp/ftp_nat helpers loaded in either PFSense and/or NS Shorewall.

Cheers.


Solved. The problem was the Firewall, I have opened all the ports and now I can connect.

The point is that I can connect from known addresses, is there a way to open the 21 and passive FTP ports for connections from any ip address ?

Andrea

On NethServer, or is it an appliance/computer outside NethServer?

On the Nethserver.

The NAT forwarding on pfSense was working, but the one on Nethserver was blocking the ports used by vsftpd passive mode.

Now, I have installed the firewall app on Nethserver and created two rules to open the ports. My problem now, is that I should open the ports for any ip address, but the interface only allows me to put an host or a CIDR in the source field. I tried with “all” but it did not work.

Andrea

Try “Any”.

Cheers.

Tried. It does not work.
Thanks

Guess that’s another bug in the new Cockpit interface. “Any” is allowed in the old UI.

You could try: 0.0.0.0/0

Cheers.

Try with the interface role name (RED, GREEN, etc.)