Ftp – PASV FTP fails for wget/ftp but works for curl/lftp

curl, ftp, vsftpd, wget

I have a server running CentOS 7 and vsftpd-3.0.3 (installed from source to get the latest version, though everything I describe was also applicable to the vsftpd-3.0.2 version that was previously installed).

vsftpd is configured to use passive ports set to the range 10100-10500, and the firewall is allowing all the necessary ports. The server sits behind some routing/NATing that I don't control, but it seems to be working correctly.

Connecting remotely from a Fedora 30 machine:

$ curl ftp://ftp.domain.com # works – display directory listing

$ wget ftp://ftp.domain.com # fails

==> PASV ... couldn't connect to 10.xx.xx.xx port 45027: Connection refused

$ lftp ftp.domain.com # works – login with anonymous and 'ls' returns dir list

$ ftp ftp.domain.com # fails – login with anonymous and 'ls' returns:

ftp> ls
227 Entering Passive Mode (10,xx,xx,xx,176,231).
ftp: connect: Connection refused

I don't see how it can be a server setting since curl and lftp work, but I have no idea why wget and ftp don't work.

Best Answer

... the firewall is allowing all the necessary ports.

This suggests that the server and client are not in the same network. I guess that the server is in some internal network and that the client is somewhere on the internet.

227 Entering Passive Mode (10,xx,xx,xx,176,231).

The server is providing a private, non-routable address (i.e. 10.xx.xx.xx) as the target where the client should connect to. Given the above assumption that the client is somewhere else on the internet, this kind of connection is not possible.

This is actually a typical error when the FTP server is behind some firewall in the internal network. Since it is so typical, some clients work around this issue by ignoring the IP address provided by the server: they take only the port and combine it with the IP address they have used for the FTP control connection. Other clients don't work around it.

In any case - the server setup is to blame and should be fixed. How to do it depends on the specific server but for proftp there is a MasqueradeAddress setting and there are similar settings for some other FTP servers. See also ProFTPd server behind firewall returns internal IP address.
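
The two client behaviours described in the answer, as an added Python example that is not part of the original answer: it decodes a 227 reply, flags a private advertised address when the control connection went to a public one, and shows the data endpoint chosen with and without the workaround. The sample reply, the peer address 203.0.113.10 and the function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges: addresses a client elsewhere on the internet cannot reach.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),"
                     r"(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Constructed sample values (the address in the question is elided, so not reused).
SAMPLE_REPLY = "227 Entering Passive Mode (10,0,0,5,176,231)."
SAMPLE_PEER = "203.0.113.10"   # address the control connection was opened to


def parse_pasv(reply):
    """Decode a 227 reply into (IPv4Address, port); ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    host = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]   # port = p1 * 256 + p2


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def data_endpoint(reply, control_peer, ignore_pasv_address):
    """Return (host, port, warning) for the data connection.

    ignore_pasv_address=False: connect to the address the server advertised.
    ignore_pasv_address=True:  keep only the port, reuse the control peer.
    """
    host, port = parse_pasv(reply)
    peer = ipaddress.ip_address(control_peer)
    warning = None
    if host != peer and is_rfc1918(host) and not is_rfc1918(peer):
        warning = "server advertised private %s, control peer is %s" % (host, peer)
    if ignore_pasv_address:
        host = peer
    return str(host), port, warning


if __name__ == "__main__":
    for ignore in (False, True):
        print(ignore, data_endpoint(SAMPLE_REPLY, SAMPLE_PEER, ignore))
```

A non-empty warning is the sign that the server is handing out its internal address and needs the server-side fix the answer refers to.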