Hey guys, i'm having some rather annoying issues with ProFTPd and my new router in the area of Passive Connections. I was just wondering if anyone knows a way to completely disable Passive Connections in the ProFTPd Config?
Thanks guys
Full Version: ProFTPd, Disabling the Passive Mode
I had this issue in the past and found it wasn't worth the effort involved in fudging this to work.
What I did instead was use FTP over SSH by merely installing OpenSSHd. With this:
1. You only need to forward port 22
2. Most FTP clients support FTP over SSH
3. It's pretty much plug and play - start the service and you can start logging in with your users
What I did instead was use FTP over SSH by merely installing OpenSSHd. With this:
1. You only need to forward port 22
2. Most FTP clients support FTP over SSH
3. It's pretty much plug and play - start the service and you can start logging in with your users
And why would you want to disable it?? Have we not gone over this? Have your users use ACTIVE connections! As I thought I had already told you if your having issues with your router doing the passive for you.. Just manually set it up.
Set proftpd to use a specific range for its passive ports
http://www.proftpd.org/docs/directives/lin...ssivePorts.html
PassivePorts 49152 65534
I wold not use such a large range.. You only need a range large enough to handle the number of concurrent users you might have.. Something like 65000 65050 should be more than enough.
Now forward this range on your router to your ftp server. Done!
Set proftpd to use a specific range for its passive ports
http://www.proftpd.org/docs/directives/lin...ssivePorts.html
PassivePorts 49152 65534
I wold not use such a large range.. You only need a range large enough to handle the number of concurrent users you might have.. Something like 65000 65050 should be more than enough.
Now forward this range on your router to your ftp server. Done!
Quote - (Rockett15 @ Jun 6 2008, 17:10) 
I had this issue in the past and found it wasn't worth the effort involved in fudging this to work.
What I did instead was use FTP over SSH by merely installing OpenSSHd. With this:
1. You only need to forward port 22
2. Most FTP clients support FTP over SSH
3. It's pretty much plug and play - start the service and you can start logging in with your users
What I did instead was use FTP over SSH by merely installing OpenSSHd. With this:
1. You only need to forward port 22
2. Most FTP clients support FTP over SSH
3. It's pretty much plug and play - start the service and you can start logging in with your users
Mind if you give me a small tutorial on setting that up or link me to a site that'll explain setting up FTP access
Quote - (BudMan @ Jun 7 2008, 13:41)
And why would you want to disable it?? Have we not gone over this? Have your users use ACTIVE connections! As I thought I had already told you if your having issues with your router doing the passive for you.. Just manually set it up.
Set proftpd to use a specific range for its passive ports
http://www.proftpd.org/docs/directives/lin...ssivePorts.html
PassivePorts 49152 65534
I wold not use such a large range.. You only need a range large enough to handle the number of concurrent users you might have.. Something like 65000 65050 should be more than enough.
Now forward this range on your router to your ftp server. Done!
Set proftpd to use a specific range for its passive ports
http://www.proftpd.org/docs/directives/lin...ssivePorts.html
PassivePorts 49152 65534
I wold not use such a large range.. You only need a range large enough to handle the number of concurrent users you might have.. Something like 65000 65050 should be more than enough.
Now forward this range on your router to your ftp server. Done!
Yeah and I've done that with no luck, it dosnt work.
Is your server still open? And you were going to give me access to your router?
So your users are not smart enough to not enable passive in IE, or to uncheck it.. or use a real ftp client to access site so they can set passive or active based on site, etc..
But you going to have them use a SSH tunnel to get to your ftp server?? Yeah that makes sense
if your going to go the SSH route -- why not just setup SFTP? the openssh will provide SFTP, and kill 2 birds with 1 stone.. BTW yes ftp tunneled thru ssh or SFTP is way moe secure than FTP but it does come with a performance hit as its price.. You have the added overhead of encryption.
BTW -- normally in FTP over SSH, only the control traffic, ie port 21 is secured. The data connection would be in the clear and would still be either a passive or active connection.. So doing a ssh ftp tunnel is not going to fix your passive issue.
Unless your using clients that understand it, etc.
So your users are not smart enough to not enable passive in IE, or to uncheck it.. or use a real ftp client to access site so they can set passive or active based on site, etc..
But you going to have them use a SSH tunnel to get to your ftp server?? Yeah that makes sense
if your going to go the SSH route -- why not just setup SFTP? the openssh will provide SFTP, and kill 2 birds with 1 stone.. BTW yes ftp tunneled thru ssh or SFTP is way moe secure than FTP but it does come with a performance hit as its price.. You have the added overhead of encryption.
BTW -- normally in FTP over SSH, only the control traffic, ie port 21 is secured. The data connection would be in the clear and would still be either a passive or active connection.. So doing a ssh ftp tunnel is not going to fix your passive issue.
Unless your using clients that understand it, etc.
Ok I just took a look at that routers controls the dir-655 right? What level of SPI are you doing on that?
Under advanced, firewall -- I would assume its set to "Port And Address Restricted" as the default.. Change it to "Endpoint Independent" atleast for testing.
Under advanced, firewall -- I would assume its set to "Port And Address Restricted" as the default.. Change it to "Endpoint Independent" atleast for testing.
Ok since you had sent me the login info for your router.. I did some testing.. BTW -- I don't show your proftpd.conf being changed since 6/3 so when exactly did you configure the passive ports it uses?? Nor did I see any forwards for the passive ranges.
Anyway -- it seems your problem is your SPI firewall. I turned it off and passive works just fine!! With no need of a manual forward of the passive ports.
Retrieving directory listing...
TYPE A
200 Type set to A
PASV
227 Entering Passive Mode (82,13,132,223,247,198)
LIST -a
150 Opening ASCII mode data connection for file list
226 Transfer complete
Directory listing successful
PASV
227 Entering Passive Mode (82,13,132,223,247,183)
LIST -a
150 Opening ASCII mode data connection for file list
226 Transfer complete
Directory listing successful
If I enabled the passive range as a forward -- it would sometimes work, sometimes not.. But once I turned off the SPI it works every single time I have connected.
To be honest you really have little use for their added SPI checks since your behind a NAT anyway.. Only traffic that you forward or is in answer to something you request will get thru.
From the help on your router.
Enable SPI
SPI ("stateful packet inspection" also known as "dynamic packet filtering") helps to prevent cyberattacks by tracking more state per session. It validates that the traffic passing through that session conforms to the protocol. When the protocol is TCP, SPI checks that packet sequence numbers are within the valid range for the session, discarding those packets that do not have valid sequence numbers.
Whether SPI is enabled or not, the router always tracks TCP connection states and ensures that each TCP packet's flags are valid for the current state.
So turning that off just disables some extra checks.. its really still doing SPI -- ie its checking the state.. Its just not doing added BS checks on the packets.
Anyway -- it seems your problem is your SPI firewall. I turned it off and passive works just fine!! With no need of a manual forward of the passive ports.
Retrieving directory listing...
TYPE A
200 Type set to A
PASV
227 Entering Passive Mode (82,13,132,223,247,198)
LIST -a
150 Opening ASCII mode data connection for file list
226 Transfer complete
Directory listing successful
PASV
227 Entering Passive Mode (82,13,132,223,247,183)
LIST -a
150 Opening ASCII mode data connection for file list
226 Transfer complete
Directory listing successful
If I enabled the passive range as a forward -- it would sometimes work, sometimes not.. But once I turned off the SPI it works every single time I have connected.
To be honest you really have little use for their added SPI checks since your behind a NAT anyway.. Only traffic that you forward or is in answer to something you request will get thru.
From the help on your router.
Enable SPI
SPI ("stateful packet inspection" also known as "dynamic packet filtering") helps to prevent cyberattacks by tracking more state per session. It validates that the traffic passing through that session conforms to the protocol. When the protocol is TCP, SPI checks that packet sequence numbers are within the valid range for the session, discarding those packets that do not have valid sequence numbers.
Whether SPI is enabled or not, the router always tracks TCP connection states and ensures that each TCP packet's flags are valid for the current state.
So turning that off just disables some extra checks.. its really still doing SPI -- ie its checking the state.. Its just not doing added BS checks on the packets.
Thanks Budman, that fixed all of the issues I had
Your welcome -- if you don't mind.. leave my access open.. I'll check on your collection now and then 
I'm a HUGE Scifi fan myself
I'm a HUGE Scifi fan myself
Quote - (BudMan @ Jun 9 2008, 01:08)
Your welcome -- if you don't mind.. leave my access open.. I'll check on your collection now and then I'm a HUGE Scifi fan myself
I'm a HUGE Scifi fan myself No problem mate, help yourself but dont expect any fast downloads
(70KB/s max 
)I delete episodes while I watch them on the Popcorn Hour so keep an eye out for stuff.
I'm putting in a 1TB hard drive soon so hopefully then I wont need to delete stuff.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.