Vsftpd passive port configuration doesn’t apply

Tags: amazon-ec2, amazon-linux, vsftpd

In short: It DOES connect in passive mode, but it just doesn't use the ports that I'm trying to use despite the configuration.

Settings for pasv_max_port and pasv_min_port seem to be ignored, but I can't see what's preventing vsftpd from recognizing or applying the configuration.

The procedure I followed:

  1. [Server] Edit vsftpd.conf and save

    pasv_max_port=60000
    pasv_min_port=60003
    #Server's public IP (AWS EC2 Elastic IP)
    pasv_address=*.*.*.*  
    

    *I have tried a few other combinations; they are shown down below.

  2. [Server] Restart vsftpd with service vsftpd restart

  3. [Client (Filezilla)] Connect to *.*.*.*, on port 22, in passive mode. SSL and login all go fine, then it returns this:

    Command:    PASV
    Trace:  CFtpControlSocket::OnReceive()
    Response:   227 Entering Passive Mode (*,*,*,*,254,73).
    

This seems like it's connecting to *.*.*.*:65097. (And this port number changes on each try as if I haven't set port range to be used for passive mode.) Sure enough, if I set my firewall to close everything else other than port 22 and range 60000 – 60003, it doesn't proceed any further.

I tried other ranges like 62010-62019 and even rebooted Linux, but it still behaves the same way.

Is this a conflict with iptables? (I doubt it, as my machine is running on an AWS EC2 instance, so it's like running behind NAT, correct?)

Nothing close to my question was found, so I thought I must be doing something stupid, but the spelling has been checked letter by letter, and the lines below the configuration (pasv_address) are indeed taking effect (it doesn't work if I leave them blank and restart vsftpd).


  • Hardware:
    AWS EC2 instance running "Amazon Linux AMI 2018.03.0.20180412 x86_64 HVM GP2"
  • Network:
    Firewall (AWS Security group) is configured for all ports to be opened for the client's IP. My goal is to leave only the necessary ports opened for the client (21, 60000 - 60003)
  • Package:
    vsftpd installed from amzn-main repository (vsftpd.x86_64, 2.2.2-13.13.amzn1)
  • Available Ports:
    cat /proc/sys/net/ipv4/ip_local_port_range returns 32768 60999

My goal is to open only a controlled range of ports for data transfer, and it's just for a single client with a fixed IP address. That means I could actually just go for active mode and open port 20 only for that IP address; however, for the sake of sticking to the old configuration of the current FTP server that is being replaced, I'd much rather use passive mode. -> Just found out that it has to be passive mode because of a client-side security concern.

...any ideas, anyone?


Prior to this, I have tried a few other vsftpd.conf variants, such as

pasv_enable=YES
pasv_max_port=60000
pasv_min_port=60003
port_enable=YES
pasv_addr_resolve=YES
pasv_address=*.*.*.*

And I had no luck with this either. Currently I'm just sticking with the minimum lines required for this (as pasv_enable is YES by default).

Best Answer

Solved: @Zdenek from the comment section noticed that my configuration had a stupid mistake in it:

max port must be higher than your min port. -@Zdenek

So, fixing from

pasv_max_port=60000
pasv_min_port=60003

to

pasv_max_port=60003
pasv_min_port=60000

was all that needed to be done.


I thought this was too stupid to leave on this site, but I thought it might be beneficial for someone who overlooked this or expected vsftpd to return an error on a misconfiguration like this, so I'm leaving it as is.

Thanks again @Zdenek for checking out!
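As an added example (not part of the question or the answer above), the following POSIX shell script performs the check that vsftpd itself does not: it reads pasv_min_port and pasv_max_port from a vsftpd.conf, rejects an empty range (min above max, the mistake in the post), an unbounded range or one outside 1024-65535, and then decodes the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply into the actual data port (p1*256 + p2, so 254,73 is 65097 as seen above) to confirm it falls inside the configured range. The two sample configurations, the 203.0.113.10 address and the function names are constructed for this example; the helper names are mine, not vsftpd's.

```shell
#!/bin/sh
# Added example: a lint for vsftpd passive-mode settings plus a decoder for
# the server's "227 Entering Passive Mode" reply. Not code from the original
# post; the sample configurations below are constructed for illustration.

# Print the last value assigned to key $2 in vsftpd.conf-style file $1.
# vsftpd reads key=value lines; '#' lines are comments. Trailing whitespace
# (as on the post's pasv_address line) is stripped.
conf_get() {
    sed -n "s/^$2=//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# Return 0 when pasv_min_port/pasv_max_port describe a usable range,
# otherwise print a diagnostic on stderr and return 1. vsftpd does not
# reject min > max: the post shows it handing out ports outside the intended
# range instead, so this is the check the daemon does not do for you.
check_pasv_range() {
    min=$(conf_get "$1" pasv_min_port)
    max=$(conf_get "$1" pasv_max_port)
    : "${min:=0}" "${max:=0}"          # vsftpd's default for both is 0
    case "$min$max" in
        *[!0-9]*) echo "pasv port values must be numeric" >&2; return 1 ;;
    esac
    if [ "$min" -eq 0 ] || [ "$max" -eq 0 ]; then
        echo "no bounded passive range configured: ephemeral ports will be used" >&2
        return 1
    fi
    if [ "$min" -gt "$max" ]; then
        echo "pasv_min_port ($min) is above pasv_max_port ($max): the range is empty" >&2
        return 1
    fi
    if [ "$min" -lt 1024 ] || [ "$max" -gt 65535 ]; then
        echo "range $min-$max is outside 1024-65535" >&2
        return 1
    fi
    return 0
}

# Decode the data port from a 227 reply: the last two fields carry the port
# as p1*256 + p2, so "(h1,h2,h3,h4,254,73)" means 254*256 + 73 = 65097.
pasv_port() {
    fields=$(printf '%s\n' "$1" | sed -n 's/^227 .*(\([^)]*\)).*$/\1/p')
    [ -n "$fields" ] || return 1
    IFS=, read -r h1 h2 h3 h4 p1 p2 <<EOF
$fields
EOF
    echo $((p1 * 256 + p2))
}

# Return 0 if the port announced in reply $2 is inside the range in config $1.
# An unset or 0 bound means there is no bounded range, so the port counts as
# outside. Run this against a real PASV exchange before tightening the
# security group to the configured range only.
pasv_port_in_range() {
    port=$(pasv_port "$2") || return 1
    min=$(conf_get "$1" pasv_min_port); : "${min:=0}"
    max=$(conf_get "$1" pasv_max_port); : "${max:=0}"
    [ "$port" -ge "$min" ] && [ "$port" -le "$max" ]
}

# Constructed sample configurations (203.0.113.10 is a documentation address).
BAD_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
trap 'rm -f "$BAD_CONF" "$GOOD_CONF"' EXIT
cat >"$BAD_CONF" <<'EOF'
# the post's original configuration: min and max swapped
pasv_max_port=60000
pasv_min_port=60003
pasv_address=203.0.113.10  
EOF
cat >"$GOOD_CONF" <<'EOF'
# the corrected configuration from the accepted answer
pasv_max_port=60003
pasv_min_port=60000
pasv_address=203.0.113.10
EOF

# The reply quoted in the post, with a constructed host part.
REPLY='227 Entering Passive Mode (203,0,113,10,254,73).'

for conf in "$BAD_CONF" "$GOOD_CONF"; do
    if check_pasv_range "$conf"; then
        echo "$conf: passive range OK"
    else
        echo "$conf: passive range REJECTED"
    fi
    if pasv_port_in_range "$conf" "$REPLY"; then
        echo "$conf: port $(pasv_port "$REPLY") is inside the configured range"
    else
        echo "$conf: port $(pasv_port "$REPLY") is outside the configured range"
    fi
done
```

Point conf_get and check_pasv_range at the real /etc/vsftpd/vsftpd.conf after every edit and before restarting the service; with the swapped values the script reports the empty range that vsftpd silently accepted, and with the corrected values it confirms that a port such as 65097 is exactly what a firewall limited to 60000-60003 would block.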