[solved] Pureftpd not working

Discussion in 'Installation/Configuration' started by Cris Kolkman, Jun 20, 2017.

  1. Cris Kolkman

    Cris Kolkman Member

    Hello,

    I installed a new server using these instructions:
    https://www.howtoforge.com/tutorial...8-4-jessie-apache-bind-dovecot-ispconfig-3-1/

    But FileZilla is not connecting to the pure-ftpd-mysql server.
    In FileZilla I get this:
    Code:
    Status:   Resolving address of domain.com
    Status:   Connecting to 1.2.3.4:21...
    Status:   Connection established, waiting for welcome message...
    Status:   Initializing TLS...
    Error:   Server sent unsorted certificate chain in violation of the TLS specifications
    Status:   Verifying certificate...
    Status:   TLS connection established.
    Command:   USER username
    Response:   331 User username OK. Password required
    Command:   PASS ***********
    Response:   230 OK. Current restricted directory is /
    Command:   OPTS UTF8 ON
    Response:   200 OK, UTF-8 enabled
    Command:   PBSZ 0
    Response:   200 PBSZ=0
    Command:   PROT P
    Response:   200 Data protection level set to "private"
    Status:   Logged in
    Status:   Retrieving directory listing...
    Status:   Server sent passive reply with unroutable address. Using server address instead.
    Command:   MLSD
    Error:   The data connection could not be established: ECONNREFUSED - Connection refused by server
    Error:   Connection timed out after 20 seconds of inactivity
    Error:   Failed to retrieve directory listing
    
    And in the server logs I see:
    Code:
    Jun 20 16:15:24 mailserver pure-ftpd: ([email protected]) [INFO] New connection from 1.2.3.4
    Jun 20 16:15:24 mailserver pure-ftpd: ([email protected]) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with AES256-GCM-SHA384, 256 secret bits cipher
    Jun 20 16:15:24 mailserver pure-ftpd: ([email protected]) [INFO] username is now logged in
    Jun 20 16:15:44 mailserver pure-ftpd: ([email protected]) [INFO] New connection from 1.2.3.4
    Jun 20 16:15:44 mailserver pure-ftpd: ([email protected]) [INFO] SSL/TLS: Enabled TLSv1/SSLv3 with AES256-GCM-SHA384, 256 secret bits cipher
    Jun 20 16:15:44 mailserver pure-ftpd: ([email protected]) [INFO] username is now logged in
    Jun 20 16:17:44 mailserver pure-ftpd: ([email protected]) [INFO] Logout.
    Jun 20 16:18:05 mailserver pure-ftpd: ([email protected]) [INFO] Logout.
    
    What could be the problem here?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. Cris Kolkman

    Cris Kolkman Member

  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Then you might have to set the passive IP as well like this:

    echo "1.2.3.4" > /etc/pure-ftpd/conf/ForcePassiveIP

    where 1.2.3.4 is your external IP address. Then restart pure-ftpd-mysql.
     
  5. Cris Kolkman

    Cris Kolkman Member

    @till Still no connection available:

    Code:
    Response:   227 Entering Passive Mode (1,2,3,4,196,31)
    Command:   MLSD
    Error:   The data connection could not be established: ECONNREFUSED - Connection refused by server
    Error:   Connection timed out after 20 seconds of inactivity
    Error:   Failed to retrieve directory listing
    
     
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    This is either a firewall issue, where your passive port range is not allowed (an external firewall and/or the ftp server itself), or if you are using NAT, it could also be that your passive port range is not forwarded from the public to private addr correctly.
     
  7. Cris Kolkman

    Cris Kolkman Member

    Hello @Jesse Norell I wish it was that easy.
    It should be all configured correctly in pfSense and the server firewall.
     
  8. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Does passive ftp work from another machine inside your pfSense firewall (ie. on the same subnet as the server)?

    A 'connection refused' means your client is getting a tcp RST back on its connection attempt - you could run tcpdump on the server and determine where that's happening. If the server sees the connection attempt for the passive port and sends back an RST, most likely pfSense is not the problem; if the server never sees the SYN for the passive connection, I'd start looking at pfSense.

    Actually you can run tcpdump right on pfSense too, which would let you watch the traffic on both sides to determine where the problem comes in. I've had issues with the ftp helpers in various configurations in the past, but ensuring your passive port range is open to the world should fix that. Do you use NAT or just a public IP? (if using NAT, pay attention to the ip addrs in your packet dumps too and see if anything funny happens)
     
    Cris Kolkman likes this.
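Added example, not part of the original thread: a small Python helper that decodes the `227` passive reply quoted in post 5 into the data port a client will dial, applies the same fallback FileZilla reported ("Server sent passive reply with unroutable address. Using server address instead."), and classifies a connect attempt as refused (RST returned) or timed out (SYN dropped), which is the distinction the tcpdump advice above relies on. The function names are illustrative assumptions, and `1.2.3.4` is the thread's placeholder address.

```python
import errno
import ipaddress
import re
import socket
import sys

# Six comma-separated octets: h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(reply):
    """Return (ip, port) from a 227 reply; the port is p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 passive reply: %r" % reply)
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range: %r" % reply)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def data_endpoint(reply, control_ip):
    """Pick the address a client dials for data; fall back to the control
    address when the server advertises a non-global (e.g. RFC 1918) one."""
    ip, port = parse_pasv(reply)
    if not ipaddress.ip_address(ip).is_global:
        return control_ip, port, True   # True: advertised address was unroutable
    return ip, port, False

def probe(ip, port, timeout=3.0):
    """Classify one TCP connect attempt to the passive data port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((ip, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"    # an RST came back from the host or a filter
    except socket.timeout:
        return "timeout"    # SYN silently dropped somewhere on the path
    except OSError as e:
        return "error:" + errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()

if __name__ == "__main__":
    # Constructed input: the 227 reply quoted in the thread (placeholder IP).
    reply = "227 Entering Passive Mode (1,2,3,4,196,31)"
    ip, port, unroutable = data_endpoint(reply, control_ip="1.2.3.4")
    print("data endpoint %s:%d (advertised address unroutable: %s)" % (ip, port, unroutable))
    if len(sys.argv) > 1 and sys.argv[1] == "--probe":
        print("connect result:", probe(ip, port))
```

A passive port only listens while the control session that issued `PASV` is still open, so probe during a live session. Comparing the result from inside the server's subnet, from outside, and through any VPN in use shows which path segment filters the passive range.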
  9. Cris Kolkman

    Cris Kolkman Member

    @Jesse Norell tested it on the local subnet with direct FTP connection to the server and that is working, so probably something wrong in pfSense.
    I'll have to test that now :(
     
  10. Cris Kolkman

    Cris Kolkman Member

    I did a packet capture in pfSense, on the external IP address but I only see connections to port 21 on the external IP.
    Or am I missing something?

    Code:
    08:57:47.835748 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 0
    08:57:47.836010 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 0
    08:57:47.868291 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 0
    08:57:47.869496 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 320
    08:57:47.904432 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 10
    08:57:47.904974 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 0
    08:57:47.904986 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 18
    08:57:47.941273 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 248
    08:57:47.941959 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 1300
    08:57:47.941965 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 1300
    08:57:47.941974 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 1300
    08:57:47.941988 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 776
    08:57:47.982573 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 0
    08:57:47.983056 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 0
    08:57:47.989531 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 523
    08:57:47.989635 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 6
    08:57:47.989776 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 45
    08:57:47.989947 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 0
    08:57:48.000445 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 242
    08:57:48.059423 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 48
    08:57:48.059924 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 74
    08:57:48.094361 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 47
    08:57:48.098927 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 72
    08:57:48.136067 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 43
    08:57:48.136406 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 52
    08:57:48.180327 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 37
    08:57:48.180887 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 41
    08:57:48.227037 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 37
    08:57:48.227367 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 73
    08:57:48.277331 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 34
    08:57:48.277890 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 63
    08:57:48.309017 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 37
    08:57:48.309383 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 59
    08:57:48.344497 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 35
    08:57:48.344842 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 82
    08:57:48.374882 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 35
    08:57:48.414826 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 0
    08:58:08.567503 IP CLIENT_IP.41576 > SERVER_IP.21: tcp 0
    08:58:08.573876 IP CLIENT_IP.59674 > SERVER_IP.21: tcp 0
    08:58:08.574341 IP SERVER_IP.21 > CLIENT_IP.59674: tcp 0
    08:58:08.606852 IP SERVER_IP.21 > CLIENT_IP.41576: tcp 0
    08:58:08.608620 IP CLIENT_IP.59674 > SERVER_IP.21: tcp 0
    08:58:08.610319 IP SERVER_IP.21 > CLIENT_IP.59674: tcp 320
    08:58:08.642084 IP CLIENT_IP.59674 > SERVER_IP.21: tcp 10
    08:58:08.642321 IP SERVER_IP.21 > CLIENT_IP.59674: tcp 0
    08:58:08.642331 IP SERVER_IP.21 > CLIENT_IP.59674: tcp 18
    08:58:08.675285 IP CLIENT_IP.59674 > SERVER_IP.21: tcp 248
    08:58:08.675795 IP SERVER_IP.21 > CLIENT_IP.59674: tcp 1300
    08:58:08.675799 IP SERVER_IP.21 > CLIENT_IP.59674: tcp 1300
    08:58:08.675815 IP SERVER_IP.21 > CLIENT_IP.59674: tcp 1300
    08:58:08.675821 IP SERVER_IP.21 > CLIENT_IP.59674: tcp 776
    08:58:08.708437 IP CLIENT_IP.59674 > SERVER_IP.21: tcp 0
    08:58:08.708849 IP CLIENT_IP.59674 > SERVER_IP.21: tcp 0
    08:58:08.716738 IP CLIENT_IP.59674 > SERVER_IP.21: tcp 523
    08:58:08.716827 IP CLIENT_IP.59674 > SERVER_IP.21: tcp 6
    08:58:08.717130 IP CLIENT_IP.59674 > SERVER_IP.21: tcp 45
    08:58:08.717296 IP SERVER_IP.21 > CLIENT_IP.59674: tcp 0
    08:58:08.727294 IP SERVER_IP.21 > CLIENT_IP.59674: tcp 242
    08:58:08.777409 IP CLIENT_IP.59674 > SERVER_IP.21: tcp 48
    08:58:08.777772 IP SERVER_IP.21 > CLIENT_IP.59674: tcp 74
    08:58:08.807612 IP CLIENT_IP.59674 > SERVER_IP.21: tcp 47
    
    
     
  11. Cris Kolkman

    Cris Kolkman Member

    By the way:

    Strange thing is that I also have a Windows Server running FileZilla server, also with passive ports in the same network (other external IP than the pure-ftpd server).
    This FTP server is running fine.
     
  12. Cris Kolkman

    Cris Kolkman Member

    Solved:

    Okay this is quite stupid and just dumb of me to only think about this now...
    I was connected to my work VPN (need this @ work) but connections to the passive ports are blocked when using the VPN.
    Turning off the VPN solved the problem for me...
     
    Tuumke and Jesse Norell like this.
