
I am setting up our FTP server (pure-ftpd-1.0.21-r1) to use TLS/SSL. It works when I don't use TLS.

Started with command options:

-S 21 -c 30 -C 10 -B -k 90% -A -R -Z -p 49152:65534 -U 013 -s --tls=1


Response:   230 OK. Current restricted directory is /
Command:    SYST
Response:   215 UNIX Type: L8
Command:    FEAT
Response:   211-Extensions supported:
Response:    EPRT
Response:    IDLE
Response:    MDTM
Response:    SIZE
Response:    REST STREAM
Response:    MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
Response:    MLSD
Response:    TVFS
Response:    ESTP
Response:    PASV
Response:    EPSV
Response:    SPSV
Response:    ESTA
Response:    AUTH TLS
Response:    PBSZ
Response:    PROT
Response:   211 End.
Status: Connected
Status: Retrieving directory listing...
Command:    PWD
Response:   257 "/" is your current location
Command:    TYPE I
Response:   200 TYPE is now 8-bit binary
Command:    PASV
Response:   227 Entering Passive Mode (76,65,xxx,xxx,228,146) #last octets removed to protect the guilty
Command:    MLSD
Response:   150 Accepted data connection
Response:   226-ASCII
Response:   226-Options: -l 
Response:   226 54 matches total
Status: Directory listing successful
Status: Disconnected from server

When I use TLS:

Response:   220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
Response:   220-You are user number 4 of 30 allowed.
Response:   220-Local time is now 09:19. Server port: 21.
Response:   220-IPv6 connections are also welcome on this server.
Response:   220 You will be disconnected after 15 minutes of inactivity.
Command:    AUTH TLS
Response:   234 AUTH TLS OK.
Status: Initializing TLS...
Status: Verifying certificate...
Command:    USER john
Status: TLS/SSL connection established.
Response:   331 User john OK. Password required
Command:    PASS ********
Response:   230-User john has group access to:  svn      anonymou proftpd  powercor john    
Response:   230- users    usb      ftp
Response:   230 OK. Current restricted directory is /
Command:    SYST
#....same as above
Response:   200 TYPE is now 8-bit binary
Command:    PASV
Response:   227 Entering Passive Mode (192,168,15,2,198,194)
Status: Server sent passive reply with unroutable address. Using server address instead.
Command:    MLSD
Error:  Connection timed out
Error:  Failed to retrieve directory listing
Castaglia
Tanj

2 Answers


My guess is that your FTP server is behind a NAT firewall, and that you've got the ip_conntrack_ftp helper module (or equivalent) running on the firewall device. Basically, this module scans the data stream looking for instances of the internal IP address, and rewrites them to the external IP address. It can't do this for TLS-secured FTP connections, though, because it can't decrypt the packets in-flight to find the IP address (generally considered a good thing).

Your options are:

  • Use the -P option, "Force the specified IP address in reply to a PASV/EPSV/SPSV command."
  • Get rid of the NAT
womble
  • I still can't get a directory listing after doing that, but I did fix the wrong IP address. – Tanj Oct 27 '09 at 14:28
  • For future reference, in addition to changing the IP address in the data stream, `ip_conntrack_ftp` also opens the port in the firewall to properly forward the passive connection to the server, thus the port range needs to be specified with `-p xxx:yyy` and the firewall will need to be manually configured to forward all connections in that range to the server. – DerfK Dec 01 '12 at 01:34

You have to specify the masquerade IP on the passive command.

Right now your passive command returns 192,168,15,2 (which is a private IP and will not work over public internet connections).

  • '-P ': Force the specified IP address in reply to a PASV/EPSV/SPSV command. If the server is behind a masquerading (NAT) box that doesn't properly handle stateful FTP masquerading, put the IP address of that box here. If you have a dynamic IP address, you can put the public host name of your gateway, which will be resolved every time a new client connects.
John Tkaczewski