Passive Ports

If you get a timeout error similar to the one below:

18:07:13	Response:	331 User X OK. Password required
18:07:13	Command:	PASS *****************************
18:07:13	Response:	230 OK. Current restricted directory is /
18:07:13	Status:	Server does not support non-ASCII characters.
18:07:13	Command:	PBSZ 0
18:07:13	Response:	200 PBSZ=0
18:07:13	Command:	PROT P
18:07:13	Response:	200 Data protection level set to "private"
18:07:13	Status:	Connected
18:07:13	Status:	Retrieving directory listing...
18:07:13	Command:	PWD
18:07:13	Response:	257 "/" is your current location
18:07:13	Command:	TYPE I
18:07:13	Response:	200 TYPE is now 8-bit binary
18:07:13	Command:	PASV
18:07:13	Response:	227 Entering Passive Mode (96,30,20,226,182,31)
18:07:13	Command:	MLSD
18:07:33	Error:	Connection timed out
18:07:33	Error:	Failed to retrieve directory listing

You most likely do not have passive mode enabled on the server side. If you capture the session with Wireshark or tcpdump, you will see the client try to open a new connection to the passive data port (e.g. SYN client:1517 -> server:46623) and get no response from the server, failing after two TCP retransmissions.

To fix this with pure-ftpd, make the following changes.

Edit /etc/pure-ftpd.conf so that it has the following line:

PassivePortRange   30000 50000

Have the firewall accept this port range:

# iptables -t filter -I INPUT -p tcp --dport 30000:50000 -j ACCEPT
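The 227 reply in the log above encodes the data endpoint as six comma-separated numbers: the first four are the server address and the last two give the port as p1*256 + p2, so (96,30,20,226,182,31) means 96.30.20.226 port 182*256+31 = 46623, the same port the SYN in the capture is aimed at. The following Python script is an added example, not code from this page or from pure-ftpd: it decodes a 227 reply, reads the PassivePortRange line from a pure-ftpd.conf excerpt (the excerpt and the reply are constructed from the text above), and reports whether the port the client will connect to falls inside the range the firewall rule opens. A port outside the range, or no range at all, points at the configuration rather than the firewall.

```python
import re

# Constructed sample input: the 227 reply from the log above and a minimal
# excerpt of /etc/pure-ftpd.conf carrying the PassivePortRange line.
PASV_REPLY = "227 Entering Passive Mode (96,30,20,226,182,31)"
PURE_FTPD_CONF = """# constructed excerpt of /etc/pure-ftpd.conf
PassivePortRange   30000 50000
"""

# RFC 959 PASV reply: six decimal fields in parentheses.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) from a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("PASV field out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_passive_port_range(conf_text):
    """Return (low, high) from the PassivePortRange line, or None if absent.

    pure-ftpd.conf is keyword-value text; '#' starts a comment.
    """
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() == "passiveportrange":
            low, high = int(parts[1]), int(parts[2])
            if not (1 <= low <= high <= 65535):
                raise ValueError("bad PassivePortRange: %s %s" % (low, high))
            return low, high
    return None


def diagnose(reply, conf_text):
    """Check the PASV data port against the configured range.

    Returns a dict with the decoded endpoint, the configured range (or None),
    whether the port lies inside it, and a one-line verdict.
    """
    host, port = parse_pasv(reply)
    rng = parse_passive_port_range(conf_text)
    result = {"host": host, "port": port, "range": rng, "in_range": False}
    if rng is None:
        result["verdict"] = ("no PassivePortRange configured: the server picks any "
                             "ephemeral port, so no fixed firewall range can cover it")
        return result
    low, high = rng
    if low <= port <= high:
        result["in_range"] = True
        result["verdict"] = ("port %d is inside %d-%d; if the client still times out, "
                             "the firewall is not accepting tcp dport %d:%d"
                             % (port, low, high, low, high))
    else:
        result["verdict"] = ("port %d is outside %d-%d; the running server is not "
                             "using the configured range (restart after editing?)"
                             % (port, low, high))
    return result


if __name__ == "__main__":
    r = diagnose(PASV_REPLY, PURE_FTPD_CONF)
    print("data endpoint: %s:%d" % (r["host"], r["port"]))
    print(r["verdict"])
```

Run it against a real session by pasting the server's 227 line and the live pure-ftpd.conf; when the port is inside the range, the remaining suspect is the packet filter, which is what the iptables rule above addresses.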