ProFTPD - Failed to retrieve directory listing while using TLS

The problem is that the conntrack_ftp module, which allows FTP data connections to pass through the firewall on the fly even if the rules would otherwise drop them, cannot analyze the encrypted stream for PASV/PORT commands. The same applies to not being able to use active mode from behind a firewall/NAT with an encrypted control connection.

So you need to set static ports for passive mode (or, if the client is not behind a firewall/NAT, use active mode) and add a firewall rule to accept incoming connections on these ports.

Ports for passive mode are set through the PassivePorts directive.

Edit: I should add that the number of PassivePorts does not just limit the number of parallel connections, but also limits the number of connections (read: directory listings and/or file transfers) per net.netfilter.nf_conntrack_tcp_timeout_time_wait seconds. So if you are transferring a lot of small files, open up a lot of ports!
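As an added example (not part of the answer or of ProFTPD's own documentation), the following script turns one passive port range into the matching ProFTPD directive and iptables rule, and applies the sizing reasoning from the edit above. The range 50000-50500 is the one grongor reports opening in the comments, eth0 is the interface from the posted rules, the function names are the example's own, and 120 s is the kernel default for nf_conntrack_tcp_timeout_time_wait, used only when the sysctl cannot be read.

```shell
#!/bin/sh
# Added example, not from the original answer: derive the ProFTPD PassivePorts
# directive and the iptables INPUT rule from one port range, and estimate how
# many data connections that range sustains per TIME_WAIT window.
# Assumptions: range 50000-50500 (from the comments), interface eth0 (from the
# posted rules), 120 s fallback = kernel default for tcp_timeout_time_wait.

PASV_LOW=50000
PASV_HIGH=50500
IFACE=eth0

# range_check LOW HIGH: succeed only for an ordered, unprivileged, in-range pair
range_check() {
    [ "$1" -gt 1023 ] && [ "$2" -le 65535 ] && [ "$1" -le "$2" ]
}

# proftpd_passive_ports LOW HIGH: the directive to place in proftpd.conf
proftpd_passive_ports() {
    printf 'PassivePorts %s %s\n' "$1" "$2"
}

# iptables_passive_rule LOW HIGH IFACE: accept new data connections on the
# range. conntrack_ftp cannot open these dynamically because the PASV reply
# travels inside the TLS session, so the hole has to be static.
iptables_passive_rule() {
    printf '%s\n' "-A INPUT -i $3 -p tcp -m tcp --dport $1:$2 -m state --state NEW -j ACCEPT"
}

# time_wait_seconds: current nf_conntrack_tcp_timeout_time_wait, else default 120
time_wait_seconds() {
    f=/proc/sys/net/netfilter/nf_conntrack_tcp_timeout_time_wait
    if [ -r "$f" ]; then cat "$f"; else echo 120; fi
}

# passive_port_count LOW HIGH: how many data connections (listings or
# transfers) the range can serve within one TIME_WAIT window
passive_port_count() {
    echo $(( $2 - $1 + 1 ))
}

# ports_for_rate TRANSFERS_PER_SECOND TIME_WAIT_SECONDS: minimum range size
# for that rate of small transfers, following the answer's reasoning that a
# used port is unavailable for a full TIME_WAIT period
ports_for_rate() {
    echo $(( $1 * $2 ))
}

if range_check "$PASV_LOW" "$PASV_HIGH"; then
    proftpd_passive_ports "$PASV_LOW" "$PASV_HIGH"
    iptables_passive_rule "$PASV_LOW" "$PASV_HIGH" "$IFACE"
    tw=$(time_wait_seconds)
    echo "# $(passive_port_count "$PASV_LOW" "$PASV_HIGH") ports -> that many transfers per ${tw}s TIME_WAIT window"
    echo "# sustaining 10 small files/s needs $(ports_for_rate 10 "$tw") ports"
else
    echo "invalid passive port range $PASV_LOW-$PASV_HIGH" >&2
    exit 1
fi
```

The generated rule matches `--state NEW` explicitly so that only the passive range is opened. Note that the poster's existing `--tcp-flags ACK ACK -j ACCEPT` rule already accepts any segment with the ACK bit set regardless of port, which is why it did not help here: the client's initial SYN on the data port carries no ACK, so without the static range rule it is dropped by the INPUT policy.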

Author: grongor

Updated on September 18, 2022

Comments

  • grongor
    grongor over 1 year

    I have problem with my ProFTPD server.

    When I try to connect to the server using TLS, I get a timeout after the MLSD command. It only happens when I use TLS - without it, it works perfectly.

    I checked these logs:

    proftpd.log - USER xxx: Login successful.

    tls.log - TLSv1/SSLv3 connection accepted ... Protection set to Private

    Where could the problem be, please? I can provide more information, just ask for it in the comments.

    EDIT: Today I tried to set the INPUT policy of iptables to ALLOW ... everything worked ... so the issue is the firewall. How should I set up iptables to work with FTPS?

    Here are my iptables settings:

    *filter
    :INPUT DROP [930:61159]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [256:26448]
    -A INPUT ! -i eth0 -j ACCEPT
    -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
    -A INPUT -p tcp -m tcp -m multiport --dports 80,443,20,21,25,143,993,110,995,1194 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
    COMMIT
    
    • pablo
      pablo over 12 years
      are you doing a directory listing as encrypted or non encrypted?
    • grongor
      grongor over 12 years
      sorry but I'm not sure ... I don't use CLI client but FileZilla (I also tried Total Commander - it throws error that PORT command failed)
  • grongor
    grongor over 12 years
    lol, so simple ... I thought I had opened all those ports so I didn't even check that. So I opened ports 50000:50500 (PassivePorts) and everything seems ok. Thank you.
  • grongor
    grongor over 12 years
    ofc, I just didn't have time to run more tests to see if it is really solved yet