Throx

If you have an apf firewall setup on your linux box and running vsftpd as your ftp server. You might have problem when accessing to your ftp server via ftp client. Most of the ftp client transferring data via passive mode which used a big range of ports which usually blocked by your firewall by default. Users will get an error message and wont be able to get the dir listings “LIST”.

Example:

Command: LIST
Error: Transfer channel can’t be opened. Reason: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Error: Could not retrieve directory listing

There is a way to overcome this matter, first is to define a range of ports will be used for passive mode in vsftpd config file. Secondly, open the defined tcp port in your firewall setting.

1. Create vsftpd passive ports

#vi /etc/vsftpd/vsftpd.conf

Scroll down to the bottom and add the followings lines:

pasv_enable=YES
pasv_max_port=9000
pasv_min_port=9050

pasv_max_port=9000
pasv_min_port=9050

Save the config file and restart vsftpd

#service vsftpd restart
Shutting down vsftpd: [ OK ]
Starting vsftpd for vsftpd: [ OK ]

2. Firewalls rules (APF Firewall)

Open your apf firewall configuration file:

#vi /etc/apf/conf.apf

Add the ports range of 9000 to 9050 into IG_TCP_CPORTS

IG_TCP_CPORTS=”20,21,22,25,26,53,80,110,143,……,9000_9050″

Save it and restart your apf firewall

#apf -r

Now you should be able to access your ftp server in passive mode.