Problems w/ WU-FTPD passive mode behind firewall

Deepgloat

Programmer
Aug 27, 2003
7
US
I am at my wits end trying to configure WU-FTPD to work in passive mode behind a firewall. I am able to connect from the Internet to the WU-FTPD server, but when my client software (WS_FTP Pro for Windows v7.62) sends the PASV command, I get back a response that looks like this:

connecting data channel 12.20.144.xxx:65255

...which is shortly thereafter followed by:

connection timed out; the connection timed out while waiting for a response from the server

Here is the relevant part of my etc/ftpaccess file:

passive address 12.20.144.xxx 0.0.0.0/0
passive ports 0.0.0.0/0 65100 65500

12.20.144.xxx is my website's fixed IP address to the outside world, and the firewall is configured to forward incoming packets between 20-21 and 65100-65500 to the Red Hat 7.3 server that is running WU-FTPD.

It seems like the data channel (port 65255 in the example above) is falling into a black hole and isn't getting past the firewall, but I'm grasping here and am not sure what to try next. Any and all help greatly appreciated.

Scott Gammans
Ashburn, VA
 
After posting the above message two days ago, I told some of my MIS friends about the problems I was having, and they all told me essentially the same thing: "Don't use wu-ftpd; it sucks!"

Rather than beat my head against the wall, I'm going to try getting vsftpd up and running instead. If I have any problems with that, I'll start another thread.

Many thanks for all the helpful replies to the wu-ftpd query.
 
Good idea, wu-ftpd does suck! Your problem above is a firewall issue though. I'm not that great with iptables to be honest, but I think you can use the ftp_conntrack module, or whatever it's called, to dynamically open the ports on your firewall for the FTP connections. I don't remember how to use it though.

ChrisP
RHCE, LPIC-1, CCNA, CNE, MCSE, +10 others
 
If you are using a linux/IPTables-based firewall you MUST insmod the required ftp module(s).

insmod ip_conntrack_ftp
insmod ip_nat_ftp

Otherwise, all sorts of stupid stuff happens with ANY ftp product.

Your friends' advice to use 'vsftpd' is VERY GOOD.

"Surfinbox Shares" - A fundraising program that builds revenue from dialup Internet users.
 
Well, I installed vsftpd and things still didn't work. Then I thought to check /etc/sysconfig/ipchains. D'OH! No entries for port 20 or for the high ports I was using for PASV. I added the following two lines:

-A output -s 0/0 -d 0/0 20 -p ftp -y -j ACCEPT
-A output -s 0/0 -d 0/0 65100:65500 -p ftp -y -j ACCEPT

and suddenly I was able to get FTP working *locally* (i.e., inside the firewall FTP-ing to localhost), but still no joy FTP-ing from the Internet through the gateway/firewall between my Linux server and the outside world. Passive mode still times out and PORT commands wind up with a "425-Failed to establish connection" error.

From what I've gleaned searching through the manuals, since the gateway uses NAT, I believe that I need to enable IP forwarding on the RH server, but I'm really stuck on how to get that done. Since I now seem to have a completely different problem from configuring my FTP server, I'm going to start another thread.
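
Added example, not part of any post in this thread: a Python check that compares a server's PASV reply with the `passive address` / `passive ports` directives quoted in the first post and with the port range the firewall forwards. 192.0.2.10 stands in for the elided public address, the function names are hypothetical, and using the first matching directive is a simplification.

```python
import ipaddress
import re
# Constructed sample: 192.0.2.10 stands in for the public address elided in the thread.
FTPACCESS = "passive address 192.0.2.10 0.0.0.0/0\npassive ports 0.0.0.0/0 65100 65500\n"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_ftpaccess(text):
    """Return (address_rules, port_rules) from wu-ftpd 'passive' directives."""
    addrs, ports = [], []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if len(f) == 4 and f[:2] == ["passive", "address"]:
            addrs.append((ipaddress.ip_network(f[3], strict=False), ipaddress.ip_address(f[2])))
        elif len(f) == 5 and f[:2] == ["passive", "ports"]:
            ports.append((ipaddress.ip_network(f[2], strict=False), int(f[3]), int(f[4])))
    return addrs, ports

def parse_pasv(reply):
    """Decode '227 ... (h1,h2,h3,h4,p1,p2)' into (ip, port); port = p1*256 + p2."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a PASV reply: %r" % reply)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("octet out of range in %r" % reply)
    return ipaddress.ip_address(".".join(map(str, n[:4]))), n[4] * 256 + n[5]

def check_pasv(reply, client_ip, ftpaccess, forwarded):
    """List mismatches between a PASV reply, ftpaccess (first matching rule) and the forwards."""
    addrs, ports = parse_ftpaccess(ftpaccess)
    ip, port = parse_pasv(reply)
    client = ipaddress.ip_address(client_ip)
    problems = []
    want = next((a for net, a in addrs if client in net), None)
    if want is not None and ip != want:
        problems.append("advertised %s, ftpaccess says %s" % (ip, want))
    if any(ip in net for net in RFC1918):
        problems.append("private address %s advertised" % ip)
    rng = next(((lo, hi) for net, lo, hi in ports if client in net), None)
    if rng and not rng[0] <= port <= rng[1]:
        problems.append("port %d outside passive ports %d-%d" % (port, *rng))
    if not forwarded[0] <= port <= forwarded[1]:
        problems.append("port %d not forwarded (%d-%d)" % (port, *forwarded))
    return problems

if __name__ == "__main__":
    for r in ("227 Entering Passive Mode (192,0,2,10,254,231)",   # 254*256+231 = 65255
              "227 Entering Passive Mode (192,168,1,5,4,1)"):      # constructed NAT leak
        print(r, "->", check_pasv(r, "198.51.100.7", FTPACCESS, (65100, 65500)) or "consistent")
```

An empty result for a reply like the one in the first post means the advertised endpoint matches the server configuration, which leaves the packet filter and NAT path as the place to look.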