
FTP client failed to retrieve directory listing

c00kie

Active Member


Messages: 178

#1
I'm using FileZilla to log in to my FreeBSD VPS server:

Code:
Status:	Connecting to 1.2.3.4:21...
Status:	Connection established, waiting for welcome message...
Response:	220- Login to the FTP service
Response:	220 demo.mydomain.com FTP server (Version 6.00LS) ready.
Command:	USER user
Response:	331 Password required for user.
Command:	PASS ********
Response:	230- Thanks, you are now logged in to the FTP server
Response:	230 User user logged in.
Status:	Connected
Status:	Retrieving directory listing...
Command:	PWD
Response:	257 "/usr/home/user" is current directory.
Command:	TYPE I
Response:	200 Type set to I.
Command:	PASV
Response:	227 Entering Passive Mode (1,2,3,4,207,32)
Command:	LIST
Error:	Connection timed out
Error:	Failed to retrieve directory listing
/etc/ftpmotd and /etc/ftpwelcome are set up.

My firewall is set to allow connections to port 21.

Why won't the GUI display the directory listing?
 

usdmatt

Daemon

Thanks: 419
Messages: 1,210

#2
Welcome to the world of trying to firewall FTP...

Port 21 is only used for the control channel, data (such as directory listings) are sent over a separate connection to a random port.

As you are using passive mode your client is trying to connect to the server on a different port, as specified here in your log:

Code:
Command:	PASV
Response:	227 Entering Passive Mode (1,2,3,4,207,32)
The client sends the 'PASV' command and the server is telling the client to connect back to 1.2.3.4 on port 207,32 (split into two octets). It's actually (207*256)+(32)=53024.

Obviously this port is blocked so the data connection doesn't work. You could try setting Filezilla (good client choice :)) to use active mode (which works the other way round) and hope the router your end has the ability to automatically allow the connection back in, or you can stick with passive mode and open all the ports on your server that FTP might use.

According to this post - http://forums.freebsd.org/showthread.php?t=11460 - the ports are controlled by the net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast sysctls so you can open just the range specified in these. I would be wary of reducing this range too much as I'm not sure what parts of FreeBSD use them but if you're really against opening a bunch of high ports, you could always install an FTP server that allows you to set the passive port range and choose a much more restrictive range. You should only really need as many ports in the range as you may have simultaneous data connections.
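
Added example, not code from the thread: the arithmetic post #2 walks through and the firewall consequence, as a POSIX shell script. It decodes the 227 reply from the log the way the client does, checks whether the resulting port sits inside the hifirst..hilast range, and prints the pf rule that would admit data connections to that range. Assumed for illustration: pf(4) as the server firewall, em0 as its public interface, and 49152..65535 as the range (the FreeBSD defaults; confirm on your own server with `sysctl net.inet.ip.portrange`).

```shell
#!/bin/sh
# Added example, not code from the thread. Decodes a "227 Entering Passive
# Mode" reply the way the client does, checks whether the data port falls in
# net.inet.ip.portrange.hifirst..hilast, and prints the pf rule that would
# admit such data connections. Assumed for illustration: pf(4) as the
# firewall, em0 as the public interface, and 49152..65535 as the range
# (the FreeBSD defaults; confirm with: sysctl net.inet.ip.portrange).

# Constructed reply, same shape as the one in the log from post #1.
PASV_REPLY='227 Entering Passive Mode (1,2,3,4,207,32)'

# pasv_decode REPLY -> prints "h1.h2.h3.h4 PORT"; returns 1 on a malformed reply
pasv_decode() {
    # keep only the six comma-separated numbers inside the parentheses
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || return 1
    set -- $(printf '%s\n' "$nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    for n in "$@"; do [ "$n" -le 255 ] || return 1; done   # every field is one byte
    # data port = p1*256 + p2, exactly as post #2 computes it
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# port_in_range PORT FIRST LAST -> true when FIRST <= PORT <= LAST
port_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# pf_pasv_rule FIRST LAST -> the pf.conf line that admits the passive range
# (em0 and pf are assumptions for this example)
pf_pasv_rule() {
    printf 'pass in on em0 proto tcp from any to (em0) port %d:%d\n' "$1" "$2"
}

demo() {
    decoded=$(pasv_decode "$PASV_REPLY") || { echo "cannot parse reply"; return 1; }
    set -- $decoded
    printf 'client will connect to %s port %s\n' "$1" "$2"
    if port_in_range "$2" 49152 65535; then
        printf 'port %s is inside 49152..65535, so opening that range fixes LIST\n' "$2"
    else
        printf 'port %s is outside the assumed range; check the server sysctls\n' "$2"
    fi
    pf_pasv_rule 49152 65535
}
demo
```

The practical check is the same one FileZilla's log already gives you: read the 227 reply, compute the port, and compare it with what the server firewall actually admits. Opening the whole 49152..65535 range on a public interface is a wide door, which is why post #2 prefers an FTP server with a configurable, narrower passive range.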
 

c00kie

Active Member


Messages: 178

#3
Hi, and thanks

usdmatt said:
You could try setting Filezilla (good client choice :)) to use active mode (which works the other way round) and hope the router your end has the ability to automatically allow the connection back in,
Doesn't work :), returns a critical file transfer error so my router must be preventing it from working.

According to this post - http://forums.freebsd.org/showthread.php?t=11460 - the ports are controlled by the net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast sysctls so you can open just the range specified in these.

Could you advise on this a little more. From the reference above

net.inet.ip.portrange.hifirst
net.inet.ip.portrange.hilast

Where do I make these changes? Which file do I edit? Is it this file: /etc/sysctl.conf?

I don't want to make a syntax error, how do I add the entries?

This is purely a guess:

Code:
# $FreeBSD: release/9.0.0/etc/sysctl.conf 112200 2003-03-13 18:43:50Z mux $
#
#  This file is read when going to multi-user and its contents piped thru
#  ``sysctl'' to adjust kernel values.  ``man 5 sysctl.conf'' for details.
#

# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0

net.inet.ip.portrange.hifirst=49152
net.inet.ip.portrange.hilast=65535
Other files related to FTP in FreeBSD I've noticed:

/etc/pam.d/ftpd
/etc/rc.d/ftpd
/usr/libexec/ftpd
/usr/libexec/tftpd
 

usdmatt

Daemon

Thanks: 419
Messages: 1,210

#4
I'm pretty sure you've got the entries in sysctl.conf right. If it's wrong then the settings in that file (which is just those two anyway) won't get applied which isn't the end of the world.

If it were me I would take a quick look at the man page as suggested at the top of the file to make sure.
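
Added example, not code from the thread, in the spirit of post #4's advice to check before trusting the two lines post #3 proposes for /etc/sysctl.conf: a shell check that reads a sysctl.conf body the way the boot script does (blank lines and lines starting with '#' are skipped, everything else must be name=value) without touching the live kernel, and adds a sanity check that hifirst does not exceed hilast and both lie in 1024..65535. That window is this example's own assumption, not a FreeBSD rule; the fragment it runs on is constructed here to match the file shown in post #3.

```shell
#!/bin/sh
# Added example, not code from the thread: a syntax check for the lines
# post #3 proposes for /etc/sysctl.conf. It reads the file the way
# rc.d/sysctl does (blank lines and lines starting with '#' are skipped,
# everything else must be name=value) without touching the live kernel,
# and adds a sanity check that hifirst <= hilast with both in 1024..65535.
# That window is this example's own assumption, not a FreeBSD rule.

# Constructed fragment with the shape of the file shown in post #3.
SYSCTL_FRAGMENT='# Uncomment this to prevent users from seeing information about processes that
# are being run under another UID.
#security.bsd.see_other_uids=0

net.inet.ip.portrange.hifirst=49152
net.inet.ip.portrange.hilast=65535
'

# check_sysctl_conf reads a sysctl.conf body on stdin, prints each bad line
# with the reason, and returns 1 if any line was bad (0 otherwise).
check_sysctl_conf() {
    rc=0; first=''; last=''; lineno=0
    while IFS= read -r line; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|'#'*) continue ;;        # comment or blank: skipped at boot too
            *=*) ;;                     # the only accepted shape is name=value
            *) printf 'line %d: missing "=": %s\n' "$lineno" "$line"; rc=1; continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        case "$name" in
            ''|*[!A-Za-z0-9_.]*)        # sysctl names are dotted identifiers
                printf 'line %d: bad name: %s\n' "$lineno" "$line"; rc=1; continue ;;
        esac
        if [ -z "$value" ]; then
            printf 'line %d: empty value: %s\n' "$lineno" "$line"; rc=1; continue
        fi
        case "$name" in
            net.inet.ip.portrange.hifirst|net.inet.ip.portrange.hilast)
                case "$value" in
                    *[!0-9]*) printf 'line %d: port must be a number: %s\n' "$lineno" "$line"; rc=1; continue ;;
                esac ;;
        esac
        case "$name" in
            net.inet.ip.portrange.hifirst) first=$value ;;
            net.inet.ip.portrange.hilast)  last=$value ;;
        esac
    done
    if [ -n "$first" ] && [ -n "$last" ]; then
        if [ "$first" -lt 1024 ] || [ "$last" -gt 65535 ] || [ "$first" -gt "$last" ]; then
            printf 'hifirst=%s hilast=%s is not a usable range\n' "$first" "$last"; rc=1
        fi
    fi
    return $rc
}

printf '%s' "$SYSCTL_FRAGMENT" | check_sysctl_conf && echo "fragment is well-formed"
```

Run it as `check_sysctl_conf < /etc/sysctl.conf` on the server; a line such as `net.inet.ip.portrange.hifirst 49152` (space instead of `=`) or a reversed pair like hifirst=60000 with hilast=50000 is reported, and the exit status is nonzero. Once the file passes, `sysctl net.inet.ip.portrange.hifirst net.inet.ip.portrange.hilast` after a reboot or `service sysctl start` confirms the values the kernel actually took.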
 

c00kie

Active Member


Messages: 178

#5
usdmatt said:
I'm pretty sure you've got the entries in sysctl.conf right.
All's well, and FTP is now listing directories. Another way would be to open up high value ports in one's firewall configuration maybe?

Thanks for the tutorial on FTP though, really informative. :)
 

mroussin51

Member


Messages: 60

#7
filezilla supports sftp

Hello there;

I thought one might just use sftp from within filezilla. I am not an expert but I think it is more secure since it is using your ssh key for authentication and it only requires one port.

regards,

mroussin51
 

c00kie

Active Member


Messages: 178

#8
mroussin51 said:
Hello there;

I thought one might just use sftp from within filezilla. I am not an expert but I think it is more secure since it is using your ssh key for authentication and it only requires one port.

regards,

mroussin51
Yes, I found that. Using SFTP bypasses all the afore-mentioned issues, passive mode, random ports and even prevents so-called 'man in the middle attacks'.

thanks again.
 

niblick

New Member


Messages: 1

#9
File Sync

We had a similar issue and it turns out to have been an issue with our file sync program not replicating the new folder to its load balanced partner.
 

SirDice

Administrator
Staff member
Moderator

Thanks: 5,503
Messages: 25,687

#11
Passive FTP usually works unless the server is behind a firewall. Active FTP only works when the client is NOT behind a firewall. If both the server and the client are behind a firewall, neither will work unless either side sets up special firewall "helpers" to work around the random port selection of the data channel.