Hi, I'm using the latest version of ISPConfig on Ubuntu 18.04.4 LTS (a virtual machine running under Oracle VM). Ports 21 and 22 are reachable from LAN and WAN, and SFTP works fine, but FTP returns an operation timeout when I try to connect. I followed this article to solve it, https://www.faqforge.com/linux/cont...ange-in-pure-ftpd-on-denian-and-ubuntu-linux/, but it didn't help. Tried with 3 different FTP programs on two different PCs, on both the LAN and WAN IP addresses, but no luck so far. What am I missing?
Hard to say. You need to provide more information. Any error messages? In what way exactly does it not work as you expect? What do the logs show? Have you followed https://www.howtoforge.com/community/threads/please-read-before-posting.58408/
You are right, I didn't provide much information, sorry about that. There are no error messages on the server side, but the FTP client says:
Status: 192.168.1.16:21 connecting...
Status: Connected, greetings list waiting...
Status: Plain FTP is not safe. Please switch to FTP over TLS
Status: Successfully logged in
Status: Retrieving folder list
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (1,2,3,4,157,4)
Command: MLSD
Error: Connection terminated due to process not completed in 20 seconds
Error: Folder list couldn't be retrieved
My FileZilla client is in Turkish so I translated the logs, excuse my poor English. Also I've created a log file with wget -q -O htf-common-issues.php "http://gitplace.net/pixcept/ispconfig-tools/raw/stable/htf-common-issues.php" && php -q htf-common-issues.php, as attached.
Ports 21 and 22 are for the FTP command channel and SSH. You also need to open port 20 for the FTP data channel in passive mode, or supply a range of ports in the pure-ftpd config, and the firewall, for the FTP data channel in active mode. Which it looks like you've done following that tutorial, with one problem: you've actually used the example IP 1.2.3.4. You need to replace that with the real public IP for that server and then restart the service again.
Thanks for the heads up. I did correct the 1.2.3.4 to my external IP address but the problem still remains. I did check port 20 and it seems like it's not accessible from LAN or WAN, please see the attached screenshots. I've double checked the tutorial and it seems like this time I did it correctly, but the ISPConfig server doesn't respond on port 20 because it's still unreachable. Disabled ISPConfig's firewall and tried, but no luck.
Update: it seems like the server is not listening on port 20:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 13903/pure-ftpd (SE
tcp 0 0 192.168.1.16:53 0.0.0.0:* LISTEN 670/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 670/named
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 566/systemd-resolve
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 822/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 577/cupsd
tcp 0 0 192.168.1.16:40185 0.0.0.0:* LISTEN 15321/pure-ftpd (ID
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1182/master
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 670/named
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 839/dovecot
tcp 0 0 192.168.1.16:40162 0.0.0.0:* LISTEN 15588/pure-ftpd (ID
tcp 0 0 192.168.1.16:40194 0.0.0.0:* LISTEN 15299/pure-ftpd (ID
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 839/dovecot
tcp 0 0 192.168.1.16:40199 0.0.0.0:* LISTEN 15287/pure-ftpd (ID
tcp 0 0 127.0.0.1:10023 0.0.0.0:* LISTEN 1090/postgrey --pid
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 1341/amavisd-new (m
tcp 0 0 192.168.1.16:40201 0.0.0.0:* LISTEN 15950/pure-ftpd (ID
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 1182/master
tcp 0 0 127.0.0.1:10026 0.0.0.0:* LISTEN 1341/amavisd-new (m
tcp 0 0 127.0.0.1:10027 0.0.0.0:* LISTEN 1182/master
tcp 0 0 127.0.0.1:11211 0.0.0.0:* LISTEN 671/memcached
tcp 0 0 192.168.1.16:40174 0.0.0.0:* LISTEN 13960/pure-ftpd (ID
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 839/dovecot
tcp 0 0 192.168.1.16:40111 0.0.0.0:* LISTEN 15581/pure-ftpd (ID
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 839/dovecot
tcp 0 0 192.168.1.16:40208 0.0.0.0:* LISTEN 15579/pure-ftpd (ID
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 1182/master
tcp 0 0 192.168.1.16:40178 0.0.0.0:* LISTEN 13965/pure-ftpd (ID
tcp 0 0 192.168.1.16:40180 0.0.0.0:* LISTEN 15323/pure-ftpd (ID
tcp6 0 0 :::21 :::* LISTEN 13903/pure-ftpd (SE
tcp6 0 0 :::53 :::* LISTEN 670/named
tcp6 0 0 :::22 :::* LISTEN 822/sshd
tcp6 0 0 ::1:631 :::* LISTEN 577/cupsd
tcp6 0 0 :::25 :::* LISTEN 1182/master
tcp6 0 0 ::1:953 :::* LISTEN 670/named
tcp6 0 0 :::443 :::* LISTEN 756/apache2
tcp6 0 0 :::993 :::* LISTEN 839/dovecot
tcp6 0 0 :::995 :::* LISTEN 839/dovecot
tcp6 0 0 ::1:10024 :::* LISTEN 1341/amavisd-new (m
tcp6 0 0 ::1:10026 :::* LISTEN 1341/amavisd-new (m
tcp6 0 0 :::3306 :::* LISTEN 809/mysqld
tcp6 0 0 :::110 :::* LISTEN 839/dovecot
tcp6 0 0 :::143 :::* LISTEN 839/dovecot
tcp6 0 0 :::8080 :::* LISTEN 756/apache2
tcp6 0 0 :::80 :::* LISTEN 756/apache2
tcp6 0 0 :::8081 :::* LISTEN 756/apache2
tcp6 0 0 :::465 :::* LISTEN 1182/master
Sorry, got active/passive the wrong way around in my 1st post. Active mode uses port 20, passive mode uses the ports you specify in the config file. Just need to clear that up to avoid any possible confusion. And the server doesn't need to listen on port 20. In both modes, the client connects to the server on port 21. In active mode the client sends a PORT command telling the server what client port to connect to, and the server initiates a data channel connection FROM port 20 on the server to the specified port on the client. This means the client-side firewall has to allow inbound connections from the server IP with a source port of 20, which it seems is too hard for most customers to configure themselves, hence its declining use.
Any firewalls / NAT / load balancing on or anywhere between your PC and the remote server could be causing the problem.
OK, my ISPConfig runs on Oracle VM. I'll shut it down and take the files home to see whether it causes any problem with a direct connection. Thanks for your time.
I found the problem. The problem is caused by pfSense: when I move the virtual machine to my home (my PC at home connects to the internet directly) then FTP works without any problem. According to my research pfSense is blocking plain FTP connections. I sent a ticket to pfSense to find out if there is any solution for it; I'll publish the solution here if I find it.
You need to set up a range of ports for passive FTP connections, and allow that same range of your firewall, and forward that same range to your server through any nat.
All necessary ports, including passive FTP, are forwarded to the server (please see the attached screenshot). When I check through ping.eu it seems like 21 & 22 are accessible, but the server is not listening or responding on 40110 & 40210, and the FTP client keeps getting stuck at retrieving the folder list. iptables -L output:
Chain INPUT (policy DROP)
target prot opt source destination
ufw-before-logging-input all -- anywhere anywhere
ufw-before-input all -- anywhere anywhere
ufw-after-input all -- anywhere anywhere
ufw-after-logging-input all -- anywhere anywhere
ufw-reject-input all -- anywhere anywhere
ufw-track-input all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ufw-before-logging-forward all -- anywhere anywhere
ufw-before-forward all -- anywhere anywhere
ufw-after-forward all -- anywhere anywhere
ufw-after-logging-forward all -- anywhere anywhere
ufw-reject-forward all -- anywhere anywhere
ufw-track-forward all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere

Chain ufw-after-forward (1 references)
target prot opt source destination

Chain ufw-after-input (1 references)
target prot opt source destination
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-ns
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:netbios-dgm
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:netbios-ssn
ufw-skip-to-policy-input tcp -- anywhere anywhere tcp dpt:microsoft-ds
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootps
ufw-skip-to-policy-input udp -- anywhere anywhere udp dpt:bootpc
ufw-skip-to-policy-input all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target prot opt source destination

Chain ufw-after-output (1 references)
target prot opt source destination

Chain ufw-before-forward (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ufw-user-forward all -- anywhere anywhere

Chain ufw-before-input (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-logging-deny all -- anywhere anywhere ctstate INVALID
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ufw-not-local all -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere 239.255.255.250 udp dpt:1900
ufw-user-input all -- anywhere anywhere

Chain ufw-before-logging-forward (1 references)
target prot opt source destination

Chain ufw-before-logging-input (1 references)
target prot opt source destination

Chain ufw-before-logging-output (1 references)
target prot opt source destination

Chain ufw-before-output (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ufw-user-output all -- anywhere anywhere

Chain ufw-logging-allow (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target prot opt source destination
RETURN all -- anywhere anywhere ctstate INVALID limit: avg 3/min burst 10
LOG all -- anywhere anywhere limit: avg 3/min burst 10 LOG level warning prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
RETURN all -- anywhere anywhere ADDRTYPE match dst-type MULTICAST
RETURN all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
ufw-logging-deny all -- anywhere anywhere limit: avg 3/min burst 10
DROP all -- anywhere anywhere

Chain ufw-reject-forward (1 references)
target prot opt source destination

Chain ufw-reject-input (1 references)
target prot opt source destination

Chain ufw-reject-output (1 references)
target prot opt source destination

Chain ufw-skip-to-policy-forward (0 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain ufw-skip-to-policy-input (7 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain ufw-skip-to-policy-output (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain ufw-track-forward (1 references)
target prot opt source destination

Chain ufw-track-input (1 references)
target prot opt source destination

Chain ufw-track-output (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere ctstate NEW
ACCEPT udp -- anywhere anywhere ctstate NEW

Chain ufw-user-forward (1 references)
target prot opt source destination

Chain ufw-user-input (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT tcp -- anywhere anywhere tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:pop3
ACCEPT tcp -- anywhere anywhere tcp dpt:imap2
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:http-alt
ACCEPT tcp -- anywhere anywhere tcp dpt:webmin
ACCEPT tcp -- anywhere anywhere multiport dports 40110:40210
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:mysql

Chain ufw-user-limit (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning prefix "[UFW LIMIT BLOCK] "
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
When I try to connect through SFTP it returns Access Denied, but I can connect through SSH with the same user.
FTP client output:
Status: Disconnected from server
Status: Resolving address of gorselpackaging.com
Status: Connecting to 176.236.135.163:21...
Status: Connection established, waiting for welcome message...
Status: Plain FTP is insecure. Please switch to FTP over TLS.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (176,236,135,163,157,7)
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
Status: Disconnected from server
Status: Resolving address of gorselpackaging.com
Status: Connecting to 176.236.135.163:21...
Status: Connection established, waiting for welcome message...
Status: Plain FTP is insecure. Please switch to FTP over TLS.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (176,236,135,163,157,14)
Command: MLSD
Error: Directory listing aborted by user
OK, I'm not familiar with the pfSense firewalls, but looking at ports.png, it looks like there are two separate rules, one for the individual port 40110 and one for the individual port 40210, when what you should have is one rule for ports 40110-40210, so that every port from 40110 to 40210 inclusive is open/port-forwarded. https://www.outsideopen.com/pfsense-asterisk/
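The two failure modes this thread walks through (a PASV reply still advertising the tutorial's example IP 1.2.3.4, and a NAT rule set that forwards only the two endpoints of the passive range instead of the whole 40110-40210 range) can both be caught from the client log before touching the firewall. The checker below is an added example, not code from the thread, from pure-ftpd or from pfSense; the PASV replies and the port range are taken from the posts above, and the public address 176.236.135.163 is the one in the client log.

```python
import re
from ipaddress import ip_address

# Sample values taken from the thread: the passive range the ufw rule opens
# (multiport dports 40110:40210) and the RFC 959 "227 (h1,h2,h3,h4,p1,p2)" form.
PASSIVE_RANGE = (40110, 40210)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (ip, port) advertised in a 227 reply, or None if malformed.
    The data port is p1*256 + p2, so (157,7) means 40199."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def check_pasv(reply, public_ip, port_range=PASSIVE_RANGE):
    """List reasons a WAN client would hang on MLSD after this PASV reply."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["malformed 227 reply"]
    ip, port = parsed
    problems = []
    if ip != public_ip:
        if ip_address(ip).is_private:
            problems.append(f"server advertises LAN address {ip}; unreachable from WAN")
        else:
            problems.append(f"server advertises {ip}, not its public address {public_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} is outside the forwarded range {lo}-{hi}")
    return problems

def uncovered_ports(forward_rules, port_range=PASSIVE_RANGE):
    """Ports of the passive range that no NAT/forward rule (lo, hi) covers.
    Two single-port rules for 40110 and 40210 leave 99 ports closed."""
    lo, hi = port_range
    return [p for p in range(lo, hi + 1)
            if not any(a <= p <= b for a, b in forward_rules)]

if __name__ == "__main__":
    for reply in ("227 Entering Passive Mode (1,2,3,4,157,4)",
                  "227 Entering Passive Mode (176,236,135,163,157,7)"):
        print(parse_pasv(reply), check_pasv(reply, "176.236.135.163"))
    print(len(uncovered_ports([(40110, 40110), (40210, 40210)])))
```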
OK, once more it's definitely caused by pfSense. When I delete all the specific port rules and add one rule as "forward all possible ports to the server" it starts to work. What if I use it this way? Is there any security problem with it?
If you have a firewall enabled on your server, it's not a big problem. But as @nhybgtvfr already pointed out, it seems that you have 2 rules which both apply to one port, so you don't have the whole range forwarded. So if you resolve this, you don't have to forward all ports. I don't use PfSense, but if you share a screenshot of the wizard where you create a new rule, we are probably able to help you out.
well the port settings on the screenshot look ok to me, not sure about the nat reflection part, but then again, I don't know the pfsense firewalls, so I don't know what the system default is anyway.
followed this article https://www.faqforge.com/linux/cont...ange-in-pure-ftpd-on-denian-and-ubuntu-linux/. Please see attached screenshots.