
I've set up a self-signed certificate in FileZilla Server and enabled FTP over TLS. When I connect from the FileZilla client, I am able to authenticate; 1-2 times per day I get a directory listing ...

Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Status: Directory listing of "/" successful

But the remaining time I cannot get a directory listing

Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PORT 192,168,1,119,88,109
Response: 200 Port command successful
Command: MLSD
Response: 150 Opening data channel for directory listing of "/"
Response: 425 Can't open data connection for transfer of "/"
Error: Failed to retrieve directory listing
Castaglia
  • It's possible that your remote FTP server has a firewall without passive ports open, and the FTP server is not properly configured for passive ports. With the combination of the remote server and your connection, you cannot make it work properly. Try disabling passive mode in your FTP program or ask your system administrator to properly configure passive mode for FTP and the firewall. – abkrim Apr 30 '16 at 08:35
    Your failed directory command used the `PORT` command, which means an active data transfer. Notice as well that your FTP client sends its IP address (192.168.1.119) in that `PORT` command; unless your FTP server is on a LAN, that 192.168.x.x address, being a private network address, will be unreachable by definition. You will need to use passive data transfers, or configure your client to provide a public IP address. This site is also a good reference: http://slacksite.com/other/ftp.html. – Castaglia Apr 30 '16 at 15:56

1 Answer


FTP as a protocol is a bit of an odd duck. It uses two TCP connections, rather than just the one most protocols use. You have port 21, the command and login connection, and a second connection, the data connection.

With passive FTP the second connection is to a randomly assigned available TCP port above 1024.

Your problems seem to indicate you don't have that second port open in your firewall.

Normally with a reasonably intelligent firewall that second port is opened automatically. Since FTP is a clear-text protocol, your firewall can scan the traffic on the command connection on port 21. It will recognise the PASV port that will be assigned and open up the firewall dynamically, allowing traffic between that particular client and the PASV port used in that session.

Since you rightfully use TLS encryption that doesn't work. With FTPS the firewall can't snoop on the COMMAND channel any more.

Solution: Fix the PASV port(-range):

One solution is to configure your FTP server to use a small range of ports, or just a single port, and create a firewall rule to open those ports. That is explained in the FileZilla documentation:

General settings ==> Passive Mode Settings ==> Custom port range

https://wiki.filezilla-project.org/File:Settings_passivemode_FZServer.png

And then open that port range in your firewall.

In addition, if you're behind a NAT router, you have a second issue, namely that the PASV response not only includes the port number, but also the IP address of the FTP server.

If you were still using FTP in clear text, a NAT router would normally be able to rewrite that internal IP address in the response with the correct external IP address.

Again because you use FTP over TLS that doesn't work anymore.

Fortunately FileZilla also has a solution for that: it can correct for it and advertise the external/public IP address rather than the actual (internal) IP address.

HBruijn
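A small log-line check for the two failure modes discussed on this page: the private client address in the `PORT` command (from the comments on the question) and the advertised address and port in the server's `227` passive reply (from the answer). This is an added example, not code from the question, the answer or FileZilla; the passive range 50000-50010 and the addresses in the sample lines are constructed values.

```python
import ipaddress
import re

# Passive port range the server is assumed to be configured with (constructed
# values; the answer recommends a small custom range opened in the firewall).
PASSIVE_RANGE = (50000, 50010)
# RFC 1918 private ranges, unreachable across the Internet, as the comment on the
# question notes for the 192.168.x.x address in the client's PORT command.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple used by PORT and by the 227 PASV reply.
    Returns (ip_string, port) with port = p1 * 256 + p2, or None if no valid tuple."""
    m = _HOSTPORT.search(text)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if max(octets) > 255:
        return None
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def check_data_channel(line, passive_range=PASSIVE_RANGE):
    """Classify one FTP log line (client PORT command or server 227 reply).
    Returns a list of problems; empty means the data-channel endpoint looks reachable."""
    parsed = parse_hostport(line)
    if parsed is None:
        return ["no host/port tuple found"]
    ip, port = parsed
    addr = ipaddress.ip_address(ip)
    private = any(addr in net for net in RFC1918)
    problems = []
    if "PORT" in line.upper():
        # Active mode: the server has to connect back to the client's address.
        if private:
            problems.append(f"active mode advertises private client address {ip}")
    else:
        # Passive mode: the client connects to what the server advertises. Under
        # TLS neither NAT nor the firewall can see or rewrite these values, so the
        # address must be the public one and the port must already be open.
        if private:
            problems.append(f"PASV reply advertises internal server address {ip}")
        lo, hi = passive_range
        if not lo <= port <= hi:
            problems.append(f"PASV port {port} is outside the opened range {lo}-{hi}")
    return problems
```

Feeding the `PORT 192,168,1,119,88,109` line from the question's log reports the private client address; a `227` reply whose address is in RFC 1918 space or whose port lies outside the configured range is flagged the same way.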