Something is really not working here. I have the following error in using FileZilla to connect to a remote machine running vsftpd:
The client (winscp) is using active, but I also tried passive with the same results, 'Could not retrieve directory listing'. Also the router is an Asus RT-N16 running the latest version of Tomato.
I am trying to set up FTP services on 3 machines behind a residential ISP firewall. All are Ubuntu 12.04 Server LTS, and I am restricted from using port 21 externally at the remote site.
Well.. Ok, I confess, it's myself who is imposing the restriction. I just wanted to sound like I was working for a real company. Anyway, only 1 of the 3 systems could have been assigned to 21, so it would still be an issue.
I have tried the solutions for adding 'pasv_...' lines, but I still cannot get past the LIST stage of connecting.
So, having failed that, what might the problem be?
I read on this site that I need to forward ports 20 and 21. Right now the remote sites have ports like 10000, 11000, 12000 forwarded to the internal port 21 on each of the systems. Should I forward some additional ports in to 20? It doesn't make sense because that port isn't even open, vsftpd is only listening on 21.
All I want is for a successful ftp connection through these forwarded ports, I am frustrated because I have successfully forwarded for services like SSH, apache2, etc and I don't get what is broken here.
thx Joren for correcting my formatting!
EDIT: I have been messing around with my testing VPS which is directly exposed to the internet, I installed vsftpd just to see what happens, and the output of 'netstat -tuna' shows that a successful connection from my filezilla client looks like this:
Note: the FTP server at my VPS also didn't work at first, due to a completely unrelated issue involving virtualized environments ('500 OOPS: priv_sock_get_cmd'). Read: I am starting to see that Ubuntu's vsftpd doesn't work 'out-of-the-box' like apache2 and sshd do, for any frustrated novice sysadmins out there, don't think you're stupid if it isn't working first thing...
My testing VPS doesn't have a firewall, so all ports are directly available for access by the FTP daemon. After running this test, I see that it is possible that this secondary connection is being blocked at the remote site where I'm having issues (random ports such as 46403).
At least now I have confirmed that there are no NAT issues with my Filezilla, because clearly filezilla is opening random ports and talking with my VPS ok.
The one thing that makes no sense, is the config 'connect_from_port_20=YES' is set on my VPS FTP config, yet I can't see any connections using port 20!!! This is why I don't even know if this port needs to be forwarded behind a firewall.
One of my knowledge deficiencies is I don't even know what port 20 does, and I can't learn through experience because I've never seen any indication the port is ever used during connecting, downloading or uploading.
OK, I found some problems (there's clearly more than one thing wrong) - This has to do with port forwarding.
Suspect original problem (before customizing vsftpd.conf)
- Filezilla initially connects to remote port 10000, > goes to 21 on internal FTP server (ok)
- FTP server opens a random port (NOT 20) like 45678, but the router obviously doesn't have a rule for this randomly assigned port. It sends a message telling filezilla to also connect to 45678.
- Filezilla client opens up its own port on my end behind NAT(ok)
- Filezilla sends connection request to 45678, but the remote router doesn't accept the connection, as there is no forwarding rule for that port.
Now, the problem(s) I created:
- Filezilla connects to remote port 10000, > goes to 21 on internal FTP server (ok)
- FTP server opens the only port it can, 10000, [stupid moment] because I have that port in my head associated with that system. But 10000 is actually the WAN side counterpart for 21 on this system. Server sends a message for FileZilla to connect to 10000, and listens internally on 10000
- Filezilla client opens up its own random port on my end (ok)
- Filezilla tries the secondary connection at port 10000, the remote router deflects it to port 21 again where it must be ignored or lost, while the FTP server waits for a connection to internal port 10000 that never arrives. (fail)
Second problem I created: I tried to bind port 21 this time, but I think that messed up filezilla.
- Filezilla connects to remote port 10000, > goes to 21 on internal FTP server (ok)
- FTP server opens port 21 (or maybe fails because 21 is already used) if it succeeded, it sent a message for filezilla to connect to port 21.
- Filezilla client opens up its own random port on my end (ok)
- Filezilla sends a request for LIST to 21, which the router is not going to accept...(fail)
Conclusion: as long as the port is being changed by a router, the FTP server will never be able to tell the client to connect to the right port. If you try to use the internal port, the client will run up against the router. If you try to specify the external port, the router will deflect the incoming connection to a different number -- which the server was not expecting.
I will test a solution and report back here with the results.
I think, because the FTP server protocol appears to tell the client which port to connect to, that secondary connection MUST have the same external port number as internal.
I will call this a 'secondary connection' and I think it has something to do with the port 20 thing that I don't understand.
So, I will contact the remote site and have an additional port forwarded directly, so the FTP server can open a connection internally, and the client will be able to send a connection request to that exact port number.
New plan:
(note: the '%' is meant to show the port getting changed by the remote router.)
ajhcasual
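The failure cases walked through in the question above can be checked mechanically by modelling the router's forwarding rules. This is an added example, not part of the original post; the `Forward` class, the function names and the 10001-10005 data range are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    """One router rule: WAN ports ext_start..ext_end map to int_start onward."""
    ext_start: int
    ext_end: int
    int_start: int

    def translate(self, wan_port):
        if self.ext_start <= wan_port <= self.ext_end:
            return self.int_start + (wan_port - self.ext_start)
        return None  # this rule does not cover the WAN port

def data_connection_outcome(rules, advertised_port):
    """The server listens on advertised_port and tells the client to dial
    that same number on the WAN side; report where the router sends it."""
    for rule in rules:
        internal = rule.translate(advertised_port)
        if internal is None:
            continue
        if internal == advertised_port:
            return "ok"
        return f"deflected to internal port {internal}"
    return "dropped: no forwarding rule"

def audit_passive_range(rules, pasv_min, pasv_max):
    """Return {port: outcome} for every passive port that would fail."""
    failures = {}
    for port in range(pasv_min, pasv_max + 1):
        outcome = data_connection_outcome(rules, port)
        if outcome != "ok":
            failures[port] = outcome
    return failures

# Constructed sample: the question's control-channel forward (WAN 10000 -> 21).
CONTROL_ONLY = [Forward(10000, 10000, 21)]
# Constructed fix: a small data range forwarded to identical internal numbers.
WITH_DATA_RANGE = CONTROL_ONLY + [Forward(10001, 10005, 10001)]

if __name__ == "__main__":
    for port in (45678, 10000, 21):  # the three cases from the question
        print(port, "->", data_connection_outcome(CONTROL_ONLY, port))
    print(audit_passive_range(WITH_DATA_RANGE, 10001, 10005) or "range reachable")
```

Running the audit against the router's real rule list and the server's `pasv_min_port`/`pasv_max_port` values shows whether any passive port is forwarded to a different internal number before a client ever hits the LIST failure.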
5 Answers
My router (fritz.box, germany) had to be configured unlocking the higher ports in the same way outgoing as ingoing! (above: this 'pasv_min.. and ...max' here inserted/prescribed by debian-vsftpd):
Adding a range of unblocked ports in the Fritz!Box-Router with the corresponding button:
'Other Applications' -> 'Protokoll': TCP, von Port: 13450, bis Port: 13500 (or high ports within a range of ~50), 'an Computer': RasPi, 'an IP_Adresse': (greyed out, the internal LAN IP address for my 'RasPi' given by the fritz.box router) -> and here it comes: 'an Port' (= the same range!): 13450, 'bis Port': 13450, and this is working fine with vsftpd and FTPS (AUTH TLS / SSL transfer with OpenSSL + strong DES-CBC3-SHA cipher)...
This will forward the right ports and connect requests from and to my little RasPi 'server' (behind the F.B. NAT) to the incoming/outgoing external IP request ON THE SAME RANGE OF HIGH(ER) PORTS, like right-connected 'cables' to the same ports on the internal part...
A possible vsftp-config-file '/etc/vsftpd.conf':
Norbert
In /etc/vsftpd.conf, you should be providing a range of ports, at least 2 or 3, with the pasv_min_port and pasv_max_port settings.
When you connect to vsftpd in passive mode with the FileZilla client, vsftpd will respond back with the data connection on another randomly selected port within the range given by pasv_min_port and pasv_max_port. If you're trying to do everything on one port, that's probably going to cause trouble.
If you are working with port 12001, try:
pasv_min_port=12001
pasv_max_port=12005
Brian Grogan Jr.
For me the trouble was not the config file 'vsftpd.conf' on the Raspberry Pi FTP (mini) server (with its software: vsftpd) but ON MY house ROUTER, with its firewall not letting the 'signals' pass through, telling me in my Windows FTPS program (I'm not using FileZilla but CoreFTP) -> '192,168,178,21,71,27 -> 500 Illegal PORT command.' So, manually freeing ON MY ROUTER not only 'Port 21' but a relatively much higher port-unblocking range (here only as an example for you; the numbers can also be in a much higher range, like 35000, 40000 or even more...) to let the incoming/outgoing signals pass through one of these ports, randomly chosen by the software, through the internal firewall of the router (my RasPi is 'behind' it on my LAN!), like the following (on the router):
So both incoming and outgoing ports ON THE ROUTER now are THE SAME (high range), like cables connecting ROUTER-internally with 'same-number connectors' (= ports).
norbert
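The six numbers in the error quoted above are an FTP endpoint: four address bytes followed by the port as two bytes. This added example (not part of the original answer) decodes such a tuple from a PORT argument or a 227 passive-mode reply and lists why a server that compares the PORT address with the control connection's peer would refuse it; the function names and the peer address 203.0.113.7 are constructed for illustration.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as carried in a PORT argument or a 227 PASV reply.
TUPLE_RE = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def decode_endpoint(text):
    """Return (IPv4Address, port) from the first endpoint tuple in text."""
    m = TUPLE_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple found")
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        raise ValueError("tuple field above 255")
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2

def port_refusal_reasons(port_arg, control_peer):
    """Reasons a server-side PORT sanity check would reject this argument."""
    ip, port = decode_endpoint(port_arg)
    reasons = []
    if ip != ipaddress.IPv4Address(control_peer):
        reasons.append(f"{ip} is not the control connection's peer {control_peer}")
    if any(ip in net for net in RFC1918):
        reasons.append(f"{ip} is an RFC 1918 address the server cannot reach across NAT")
    if port < 1024:
        reasons.append(f"port {port} is in the reserved range")
    return reasons

if __name__ == "__main__":
    # Tuple from the answer; the control peer is a constructed public address.
    print(decode_endpoint("192,168,178,21,71,27"))
    for reason in port_refusal_reasons("192,168,178,21,71,27", "203.0.113.7"):
        print("refused:", reason)
    # Constructed PASV reply that yields a port like the 46403 seen in the question.
    print(decode_endpoint("227 Entering Passive Mode (10,0,0,5,181,67)"))
```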
Step 1 - Turn off the Windows Firewall (Restart Must)
Step 2 - Open FileZilla Client and change the Encryption type: File -> Site Manager -> Encryption -> Only Use Plain FTP
Chandu
In my case our firewall blocked all passive FTP ports, when we tried FTP using active mode it worked. We had only opened port 21 on our firewall.
Do check if this is the case for you, change your FTP client setting of transfer mode to active and try connecting. When our FTP client was on automatic or passive mode it would change to passive mode after sending a LIST request and that caused connection to be broken.
cjohansson
I am trying to set up a local FTP server in my house. Whenever I connect to the account on the computer that hosts the server, everything works, but when I try connecting on another computer, the directory listing fails even though the account connection is successful. I have allowed port 21 TCP and UDP through the host's firewall and have added FileZilla Server to the list of programs allowed to communicate. How can I solve this?
DavidB
5 Answers
While this question is old, there's no really comprehensive answer. So I'm adding one.
In the passive FTP mode (the most common mode nowadays), the FTP server listens on port 21 for an FTP control connection. But for all data transfers, including directory listings, it listens on an additional port. The port is picked out of a configured port range.
If you open only the 21 control port on the firewall, you get the described behavior. You can connect, but you cannot list directories or transfer files.
For details, see my article on Network configuration for passive FTP mode.
You have to go to Control Panel > System and Security > Windows Firewall > Advanced Settings > Inbound Rules > New Rule and add a new inbound rule for data port range your FTP server is using.
The port range that the FileZilla FTP server is using is configured in Edit > Settings > Passive mode settings > Use custom port range. You can configure a narrow range (like 10 ports), to limit a number of opened ports. You should use port numbers 1024 and above (up to 65535).
Martin Prikryl
FTP needs more than port 21 (and it does not need UDP). The ports for the data connections are dynamic. If the server is behind a firewall you should try active FTP mode, if the client is behind firewall you should try passive mode. If both are behind restrictive firewalls which are not able to handle FTP as a special protocol you are out of luck.
Steffen Ullrich
Try changing the Transfer mode to 'Active'.
To address this FTP error, follow below steps:
- Open Filezilla, go to Edit -> Settings
- Click on Connection -> FTP: Choose Active
- Click on Connection -> FTP -> Active Mode: Select “Ask your operating system for the external IP address”
- Click on Connection -> FTP -> Passive Mode: Choose Fall Back to Active Mode
- See more at: http://technowide.net/2014/12/30/ftp-error-fail-to-get-directory-listing/#sthash.yZTFxdpt.dpuf
Follow steps in url: FTP error “Failed to retrieve directory listing”
Sachin Dhir
It turns out that it was not working because I did not have a range of ports set for the directory listing to pass through. Now that I have configured it, everything is working smoothly.
DavidB
Or create an account by opening up Site Manager.
Click New Site; in Host use your host name. Choose logon type as Normal. Provide your username and password.
Protocol: use FTP, and encryption: only use plain FTP
Ashutosh Narayan Jha