4 Replies Latest reply: Nov 16, 2013 7:42 PM by d00dbro
d00dbro Level 1 Level 1 (55 points)

Whenever anyone tries to connect and log in via FTP to my server, it delays for a minute then fails. But it works using the local IP address of the server. This is my setup:

 

FTP enabled with default settings and everything, maximum of 50 users at a time. There are zero now.

Port 21 open on the firewall, but I tried disabling the firewall just in case.

Router (AEBS) has port 21 open to the WAN and forwards it to port 21 on the server.

AFP and such are also enabled and work fine over WAN.

 

Details about what happens when someone outside my LAN connects:

 

The connection is established perfectly. When valid login information is used, it stalls for a minute then fails. I SOMETIMES see that Server Admin sees an authenticated FTP connection during that period of time with the type showing as "LIST". Like it's listing the files? Share points? I see things like the following in the console:

 

11/14/13 6:55:43 PMftpd: 192.168.1.1: connected: IDLE         [4778]DEAD_PROCESS: 4777 ftp4777

 

I've tried an answer I found on the communities elsewhere, replacing the file ftpaccess with ftpaccess.default, with no effect. I've stopped and started the FTP service a bunch of times and have tried different users. Any help would be greately appreciated since my friend needs to be able to connect to a share point I have set up for him, and his computer can't do AFP.

  • Camelot Level 8 Level 8 (46,295 points)

    FTP uses multiple ports, so opening port 21 is not sufficient. That enables the FTP Control channel (for commands), but doesn't allow for DATA connections, hence the stall - your client is able to send a command but the resulting data connection is blocked.

     

    There are several potential fixes, ranking from preferable to least preferable:

     

    1) Don't use FTP. It's not secure (everything is sent in plaintext/unencrypted), it's a PITA to get through firewalls (as demonstrated by your post) and there are better options around

     

    2) Open port 20 as well as port 21. Port 20 is the default data connection port and might resolve the problem.

     

    3) Toggle active/passive FTP on the client. FTP can work in two different modes known as 'active' and 'passive'. The short difference is in the way that data connections are established. You may need to do this in addition to option 2 above.

  • d00dbro Level 1 Level 1 (55 points)

    Thanks! That was the problem. I needed port 20 for it to work.

     

    I ended up mapping 20-21 to my server on the router, but I really wanted to have some other port going to the server FTP port. Forwarding 9064 and 9063 to 21 and 20, respectively, won't work. So I set my firewall to only allow FTP access to those connecting from California, hoping to minimize the break-in attempts. I'll also ask my friend if he can use something other than FTP.

  • MrHoffman Level 6 Level 6 (13,020 points)

    d00dbro wrote:

     

    I'll also ask my friend if he can use something other than FTP.

     

    Introduce your friend to sftp, via the command line with OS X, or via the Cyberduck, Transit, Filezilla or other add-on tools if your friend prefers the GUI.  These connections are encrypted, work via a single port (TCP port 22), and you can also optionally choose to use more advanced user authentication via certificate-based[1] logins.

     


    [1]Certificates are a flexible user authentication scheme, with revokable gonzo-grade passwords.

  • d00dbro Level 1 Level 1 (55 points)

    Yes, that's what he's going to do. Actually, it was the first thing that my mind after SMB, which also won't work for him. SFTP is great.