Passive Ports
If you get a timeout error similar to the one below:
18:07:13 Response: 331 User X OK. Password required
18:07:13 Command: PASS *****************************
18:07:13 Response: 230 OK. Current restricted directory is /
18:07:13 Status: Server does not support non-ASCII characters.
18:07:13 Command: PBSZ 0
18:07:13 Response: 200 PBSZ=0
18:07:13 Command: PROT P
18:07:13 Response: 200 Data protection level set to "private"
18:07:13 Status: Connected
18:07:13 Status: Retrieving directory listing...
18:07:13 Command: PWD
18:07:13 Response: 257 "/" is your current location
18:07:13 Command: TYPE I
18:07:13 Response: 200 TYPE is now 8-bit binary
18:07:13 Command: PASV
18:07:13 Response: 227 Entering Passive Mode (96,30,20,226,182,31)
18:07:13 Command: MLSD
18:07:33 Error: Connection timed out
18:07:33 Error: Failed to retrieve directory listing
The control connection is fine: the login succeeded and the server accepted PASV, announcing a data port in its 227 reply (the last two numbers give the port, 182*256 + 31 = 46623 in the log above). What fails is the data connection to that port, so the problem is almost always that the server's passive data ports are not reachable: either pure-ftpd is handing out ports from a range the firewall does not allow, or the range is not opened on the firewall at all. If you capture on the client with Wireshark or tcpdump, you will see the client send a SYN to the passive data port (e.g. SYN client:1517 -> server:46623) with no reply from the server, and the client gives up after two TCP retransmissions. Note that this session uses PROT P (FTPS), so the control channel is encrypted: a firewall's FTP connection-tracking helper cannot read the 227 reply and open the data port on the fly, which means the passive range has to be opened explicitly.
To fix this with pure-ftpd, make the following changes.
Edit /etc/pure-ftpd.conf so that it has the following line (on Debian and Ubuntu, where pure-ftpd is started through pure-ftpd-wrapper, the same setting lives in the file /etc/pure-ftpd/conf/PassivePortRange, containing just "30000 50000"), then restart pure-ftpd:
PassivePortRange 30000 50000
Have the firewall accept this port range on the server:
# iptables -t filter -I INPUT -p tcp --dport 30000:50000 -j ACCEPT
This inserts the rule at the top of the INPUT chain, so it takes effect immediately, but it is not persistent across reboots; add it to whatever mechanism you use to save rules (iptables-persistent, a firewall script, nftables, etc.). If the server sits behind a NAT device, the same range must also be forwarded to the server, and pure-ftpd must announce the public address (ForcePassiveIP) rather than its private one, otherwise the client will try to connect to an address it cannot reach.
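The following script is an added example for checking the diagnosis above and verifying the fix from a client; it is not part of this page or of pure-ftpd. It replays the client side of the logged session with Python's ftplib (AUTH TLS, PBSZ 0, PROT P, TYPE I, PASV), parses the port out of the 227 reply, checks whether that port falls inside the configured PassivePortRange, and then makes a bare TCP connection to it with a short timeout. A SYN that gets no reply (the firewall symptom) shows up as "timeout"; a port that nothing listens on (pure-ftpd not actually using the range) shows up as "refused". The host, user and password are command-line arguments, and the certificate check assumes the server presents a certificate the client trusts.

```python
"""Diagnose an FTPS passive-mode timeout by probing the announced data port.

Added example, not code from the page or from pure-ftpd. Usage:
    python3 diagnose_pasv.py HOST USER PASSWORD
"""
import re
import socket
import ssl
import sys
from ftplib import FTP_TLS, error_reply

# The 227 reply from the FileZilla log above, used as a worked input.
SAMPLE_REPLY = "227 Entering Passive Mode (96,30,20,226,182,31)"

# The range configured in pure-ftpd.conf above (assumed, adjust to yours).
PASSIVE_RANGE = (30000, 50000)

PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Turn '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (host, port).

    The port is p1*256 + p2, so (182,31) is 182*256 + 31 = 46623.
    Raises ftplib.error_reply for anything that is not a well-formed 227.
    """
    if not reply.startswith("227"):
        raise error_reply(reply)
    m = PASV_RE.search(reply)
    if m is None:
        raise error_reply(reply)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise error_reply(reply)
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def in_range(port, low=PASSIVE_RANGE[0], high=PASSIVE_RANGE[1]):
    """True when the announced port lies inside PassivePortRange (inclusive)."""
    return low <= port <= high


def probe_data_port(host, port, timeout=5.0):
    """Bare TCP connect to the data port.

    Returns 'open', 'timeout' (SYN dropped: firewall not accepting the range),
    'refused' (RST: nothing listening there) or 'error' for anything else.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"


def diagnose(host, user, password, control_port=21, timeout=20.0):
    """Log in over explicit FTPS, request PASV and probe the announced port.

    Returns (announced_host, announced_port, probe_result).
    """
    ctx = ssl.create_default_context()  # assumes a trusted server certificate
    ftps = FTP_TLS(context=ctx, timeout=timeout)
    ftps.connect(host, control_port)
    try:
        ftps.login(user, password)  # ftplib sends AUTH TLS before USER/PASS
        ftps.prot_p()               # PBSZ 0 followed by PROT P, as in the log
        ftps.voidcmd("TYPE I")
        reply = ftps.sendcmd("PASV")
        data_host, data_port = parse_pasv(reply)
        if not in_range(data_port):
            print(f"warning: port {data_port} is outside PassivePortRange "
                  f"{PASSIVE_RANGE[0]}-{PASSIVE_RANGE[1]}; check the config")
        # A server behind NAT may announce a private address; probe the
        # address we actually reached over the control channel instead.
        if data_host != host:
            print(f"note: server announced {data_host}, probing {host} instead")
        result = probe_data_port(host, data_port)
    finally:
        ftps.close()
    return data_host, data_port, result


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: diagnose_pasv.py HOST USER PASSWORD")
    h, p, r = diagnose(sys.argv[1], sys.argv[2], sys.argv[3])
    print(f"server announced {h}:{p}; data port probe: {r}")
```

Run it from the same network the failing FileZilla client uses. A result of "timeout" with an in-range port means the firewall rule is missing or not reached; "refused" means the port is open on the firewall but pure-ftpd is not listening there (typically the range was not applied or the daemon was not restarted); "open" means the passive path works and any remaining failure lies elsewhere.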