Ftp – Ports for FTP passive mode

Tags: centos7, ftp, google-cloud-platform, google-compute-engine, pureftpd

I opened port 21 in the firewall for FTP on Google Cloud Engine, but I can only connect to FTP via active mode. I want to use passive mode too.

According to https://stackoverflow.com/questions/24566692/filezilla-ftp-server-fails-to-retrieve-directory-listing, ports 50000-55000 must be open, but I tried that. That answer did not work in my situation. When I open all TCP ports I can connect via passive mode, but I do not want to open all ports (or do I need to open all ports??)

Here I found the information about ports:

Passive mode

In passive mode, the client has no control over what port the server chooses for the data connection. Therefore, in order to use passive mode, you'll have to allow outgoing connections to all ports in your firewall.

My question is: do I need to open all ports for passive mode, or can I do something else?

System

OS: CentOS 7 with latest packages

FTP Service: PureFTPd

Update

When I try passive mode, the log says logged in, then it gets stuck at retrieving the file list (I can't post logs because my log file is not in English).

Thanks & Regards

Best Answer

Add the following:

PassivePortRange 50000 55000

in

/etc/pure-ftpd.conf

and I think that your problem will be solved. Keep in mind that this port range should also be allowed in your firewall.

EDIT:

Quoted from this wonderful source:

In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1023 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1023) and sends P back to the client in response to the PASV command. The client then initiates the connection from port N+1 to port P on the server to transfer data.

The trick here is that the

PassivePortRange 50000 55000

directive will force Pure-FTPd to pick random ports from this range, which you have previously allowed in your firewall.
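An added example (not code from the answer or from Pure-FTPd) that reads the PassivePortRange directive from a constructed pure-ftpd.conf excerpt, decodes the 227 reply the server sends in response to PASV, and checks that the announced data port falls inside the range you opened in the firewall; the sample config, the sample replies and the helper names are assumptions.

```python
import re

# Constructed excerpt of /etc/pure-ftpd.conf (not a real file from the question).
SAMPLE_CONF = """\
# pure-ftpd.conf (constructed excerpt)
ChrootEveryone              yes
PassivePortRange            50000 55000
"""

# Shape of the reply to PASV: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def passive_port_range(conf_text):
    """Return (low, high) from the PassivePortRange directive, or None if it is unset."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == "passiveportrange":
            low, high = int(parts[1]), int(parts[2])
            if not (1 <= low <= high <= 65535):
                raise ValueError("invalid PassivePortRange: %s" % line)
            return low, high
    return None

def parse_pasv_reply(reply):
    """Decode a 227 reply into (host, port); the port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PASV reply")
    host = ".".join(str(n) for n in nums[:4])
    return host, nums[4] * 256 + nums[5]

def pasv_port_allowed(reply, conf_text):
    """True if the announced data port lies inside the configured passive range."""
    rng = passive_port_range(conf_text)
    if rng is None:
        return False  # no range configured: the server may pick any unprivileged port
    _, port = parse_pasv_reply(reply)
    return rng[0] <= port <= rng[1]

def firewall_allow_spec(conf_text):
    """Ports to open for control + passive data, in the form used by gcloud --allow."""
    low, high = passive_port_range(conf_text)
    return "tcp:21,tcp:%d-%d" % (low, high)

# Constructed replies: 50010 = 195*256 + 90 (in range); 33000 = 128*256 + 232 (outside)
IN_RANGE = "227 Entering Passive Mode (10,0,0,5,195,90)"
OUT_OF_RANGE = "227 Entering Passive Mode (10,0,0,5,128,232)"
```

The host part of the reply matters too: a Compute Engine instance only knows its internal address, so a client on the Internet will get a private address back unless Pure-FTPd's ForcePassiveIP directive is set to the public one.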