I have a problem, the firewall for the ftp is stopping passive ftp from working

Looking up lyndsayb.co.uk
Trying lyndsayb.co.uk:21
Connected to lyndsayb.co.uk:21
220 FTP Server ready.
USER z
331 Password required for z.
PASS xxxx
230 User z logged in.
SYST
215 UNIX Type: L8
TYPE I
200 Type set to I
PWD
257 "/" is current directory.
Loading directory listing / from server (LC_TIME=en_GB.UTF-8)
PASV
227 Entering Passive Mode (78,110,167,28,198,65). <----- ** Connection hangs here **

Ive done alot of research and ive found out that you need to load some modules into iptables, ip_conntrack_ftp / ip_nat_ftp. I have tried modprobe <module> and nothing happens, the depmod file is empty so there are no modules on the server atall.

The kernal is a custom ubuntu one, i installed iptables using apt-get, ive contacted my vps host who say that they have enabled the modules for me but still passive ftp still doesnt work.

Is there any way i can diagnose this further? I dont know a way to check what modules are loaded, or how to check the logs to see what is going on.

Thanks
Ryan

ryanmt@vps:/etc/sysconfig$ uname -r
2.6.18-531.6.el5.028stab053.6

ryanmt@vps:/etc/sysconfig$ sudo modprobe ip_conntrack
FATAL: Module ip_conntrack not found.
ryanmt@vps:/etc/sysconfig$ sudo cat /lib/modules/2.6.18-53.1.6.el5.028stab053.6/modules.dep
ryanmt@vps:/etc/sysconfig$


ryanmt@vps:/etc/init.d$ sudo iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
DROP tcp -- anywhere 127.0.0.0/8
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT 0 -- anywhere anywhere
DROP 0 -- BASE-ADDRESS.MCAST.NET/4 anywhere
PUB_IN 0 -- anywhere anywhere
PUB_IN 0 -- anywhere anywhere
PUB_IN 0 -- anywhere anywhere
PUB_IN 0 -- anywhere anywhere
DROP 0 -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
DROP 0 -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
PUB_OUT 0 -- anywhere anywhere
PUB_OUT 0 -- anywhere anywhere
PUB_OUT 0 -- anywhere anywhere
PUB_OUT 0 -- anywhere anywhere

Chain INT_IN (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
DROP 0 -- anywhere anywhere

Chain INT_OUT (0 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT 0 -- anywhere anywhere

Chain PAROLE (11 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere

Chain PUB_IN (4 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp echo-request
PAROLE tcp -- anywhere anywhere tcp dpt:ftp
PAROLE tcp -- anywhere anywhere tcp dpt:ssh
PAROLE tcp -- anywhere anywhere tcp dpt:smtp
PAROLE tcp -- anywhere anywhere tcp dpt:domain
PAROLE tcp -- anywhere anywhere tcp dpt:www
PAROLE tcp -- anywhere anywhere tcp dpt:81
PAROLE tcp -- anywhere anywhere tcp dpt:pop3
PAROLE tcp -- anywhere anywhere tcp dpt:imap2
PAROLE tcp -- anywhere anywhere tcp dpt:https
PAROLE tcp -- anywhere anywhere tcp dpt:webmin
PAROLE tcp -- anywhere anywhere tcp dpt:ftp-data
ACCEPT udp -- anywhere anywhere udp dpt:domain
DROP icmp -- anywhere anywhere
DROP 0 -- anywhere anywhere

Chain PUB_OUT (4 references)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere


if thats any use

Ive been messing with this further, pretty much gave up on the ip_conntrack modules and decided to open some ports up... i didnt want to open a wide range so picked a range and enabled it in the /etc/proftpd.conf file

PassivePorts 48152 49192


then added the rule in the firewall setup on ispconfig

FTP Passive 48152:49192 tcp yes

I restarted both proftpd and the firewall

still no joy and i dont understand why, should be simple port forwarding to do it this way.

I also experimented with the MasqueradeAddress option in the conf file and it made no difference.

When connecting via gFTP with passive enabled it stalls on the following

PASV

227 Entering Passive Mode (78,110,167,28,237,66).

The first 4 numbers are the IP, the last to are the port. 237x256+66 means its trying to use 59970, why isnt it using the ports i specified!

What's in /etc/proftpd.conf?
Are there any errors in the logs in /var/log?

no errors in /var/log/proftpd/proftpd.log


ryanmt@vps:/var/log$ cat /etc/proftpd.conf
#
# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
# To really apply changes reload proftpd after modifications.
#

# Includes DSO modules
Include /etc/proftpd/modules.conf

# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
UseIPv6 off

ServerName "Citroenbob"
ServerType standalone
DeferWelcome off

MultilineRFC2228 on
DefaultServer on
ShowSymlinks on

TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200

DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"

DenyFilter \*.*/
UseReverseDNS off
# Use this to jail all users in their homes
# DefaultRoot ~
<Global>
DefaultRoot ~

IdentLookups off
ServerIdent on "FTP Server ready."
</Global>
# Users require a valid shell listed in /etc/shells to login.
# Use this directive to release that constrain.
# RequireValidShell off

# Port 21 is the standard FTP port.
Port 21

# In some cases you have to specify passive ports range to by-pass
# firewall limitations. Ephemeral ports can be used for that, but
# feel free to use a more narrow range.
PassivePorts 48152 49192

# If your host was NATted, this option is useful in order to
# allow passive tranfers to work. You have to use your public
# address and opening the passive ports used on your firewall as well.
# MasqueradeAddress 78.110.167.28

# To prevent DoS attacks, set the maximum number of child processes
# to 30. If you need to allow more than 30 concurrent connections
# at once, simply increase this value. Note that this ONLY works
# in standalone mode, in inetd mode you should use an inetd server
# that allows you to limit maximum number of processes per service
# (such as xinetd)
MaxInstances 30

# Set the user and group that the server normally runs at.
User proftpd
Group nogroup

# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on

# Uncomment this if you are using NIS or LDAP to retrieve passwords:
# PersistentPasswd off

# Be warned: use of this directive impacts CPU average load!
# Uncomment this if you like to see progress and transfer rate with ftpwho
# in downloads. That is not needed for uploads rates.
#
# UseSendFile off

# Choose a SQL backend among MySQL or PostgreSQL.
# Both modules are loaded in default configuration, so you have to specify the backend
# or comment out the unused module in /etc/proftpd/modules.conf.
# Use 'mysql' or 'postgres' as possible values.
#
#<IfModule mod_sql.c>
# SQLBackend mysql
#</IfModule>

TransferLog /var/log/proftpd/xferlog
SystemLog /var/log/proftpd/proftpd.log
DebugLevel 5
<IfModule mod_tls.c>
TLSEngine off
</IfModule>

<IfModule mod_quota.c>
QuotaEngine on
</IfModule>

<IfModule mod_ratio.c>
Ratios on
</IfModule>


# Delay engine reduces impact of the so-called Timing Attack described in
# http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02
# It is on by default.
<IfModule mod_delay.c>
DelayEngine on
</IfModule>

<IfModule mod_ctrls.c>
ControlsEngine on
ControlsMaxClients 2
ControlsLog /var/log/proftpd/controls.log
ControlsInterval 5
ControlsSocket /var/run/proftpd/proftpd.sock
</IfModule>

<IfModule mod_ctrls_admin.c>
AdminControlsEngine on
</IfModule>

# A basic anonymous configuration, no upload directories.

# <Anonymous ~ftp>
# User ftp
# Group nogroup
# # We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# # Cosmetic changes, all files belongs to ftp user
# DirFakeUser on ftp
# DirFakeGroup on ftp
#
# RequireValidShell off
#
# # Limit the maximum number of anonymous logins
# MaxClients 10
#
# # We want 'welcome.msg' displayed at login, and '.message' displayed
# # in each newly chdired directory.
# DisplayLogin welcome.msg
# DisplayFirstChdir .message
#
# # Limit WRITE everywhere in the anonymous chroot
# <Directory *>
# <Limit WRITE>
# DenyAll
# </Limit>
# </Directory>
#
# # Uncomment this if you're brave.
# # <Directory incoming>
# # # Umask 022 is a good standard umask to prevent new files and dirs
# # # (second parm) from being group and world writable.
# # Umask 022 022
# # <Limit READ WRITE>
# # DenyAll
# # </Limit>
# # <Limit STOR>
# # AllowAll
# # </Limit>
# # </Directory>
#
# </Anonymous>


Include /etc/proftpd_ispconfig.conf

I had to also add PassivePorts 48152 49192 to the /etc/proftpd_ispconfig.conf

makes no difference, the file is overwrote when restarting the server anyway i think :(

Does it work when you switch off the firewall?

yep, works fine

I don't know the exact setup you have but usually this is caused by no proper permissions either at folder level in the server or more likely in the ftp server settings at user assignment level. Are there files in the directory? If you put one in can you read it at all or are you being denied from an empty directory? Some ftp connections will find a random port when connecting Can you try to ressign the FTP port? Change it to 27 and see what happens.
Have you tried an Active connection as well as a passive connection?

Thanks for the reply, Active works fine.. the ftp server is functioning as it should and i can use it provided i set my client to use active transfers. If i disable the firewall in ISPConfig then passive works fine also

This is only a passive transfer/iptables issue.

Can you post your /etc/Bastille/bastille-firewall.cfg?

ryanmt@vps:~$ cat /etc/Bastille/bastille-firewall.cfg
#
# /etc/bastille-firewall.cfg
#
# Configuration file for both 2.2/ipchains and 2.4/netfilter scripts
#
# $Source: /cvsroot/bastille-linux/dev/working_tree/Bastille/bastille-firewall.cfg,v $
# Modified by: $Author: peterw $
# $Date: 2002/01/04 13:34:18 $
# $Revision: 1.7 $
#
# Copyright (C) 1999-2001 Peter Watkins
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
# Thanks to David Ranch, Brad A, Don G, and others for their suggestions

# the configuration values should be whitespace-delimited lists of
# appropriate values, e.g.
# TCP_PUBLIC_SERVICES="80 smtp ssh"
# lists Web (port 80), SMTP mail, and Secure Shell ports
#
# This script is suitable for workstations or simple NAT firewalls;
# you may want to add more "output" restrictions for serious servers

# 0) DNS servers (Linux 2.2/ipchains only)
# You must list your DNS servers here so that
# the firewall will allow them to service your lookup requests
#
# List of DNS servers/networks to allow "domain" responses from
# This _could_ be nameservers as a list of <ip-address>/32 entries
#DNS_SERVERS="a.b.c.d/32 e.f.g.h/32"
# If you are running a caching nameserver, you'll need to allow from
# "0.0.0.0/0" so named can query any arbitrary nameserver
# (To enable a caching nameserver, you will also probably need to
# add "domain" to the TCP and UDP public service lists.)
#DNS_SERVERS="0.0.0.0/0"
#
# To have the DNS servers parsed from /etc/resolv.conf at runtime,
# as normal workstations will want, make this variable empty
#DNS_SERVERS=""
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
DNS_SERVERS=""


# 1) define your interfaces (all systems)
# Note a "+" acts as a wildcard, e.g. ppp+ would match any PPP
# interface
#
# list internal/trusted interfaces
# traffic from these interfaces will be allowed
# through the firewall, no restrictions
#TRUSTED_IFACES="lo" # MINIMAL/SAFEST
#
# list external/untrusted interfaces
#PUBLIC_IFACES="eth+ ppp+ slip+" # SAFEST
#
# list internal/partially-trusted interfaces
# e.g. if this acts as a NAT/IP Masq server and you
# don't want clients on those interfaces having
# full network access to services running on this
# server (as the TRUSTED_IFACES allows)
#INTERNAL_IFACES="" # SAFEST
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
TRUSTED_IFACES="lo" # MINIMAL/SAFEST
PUBLIC_IFACES="eth+ ppp+ slip+ venet+" # SAFEST
INTERNAL_IFACES="" # SAFEST


# 2) services for which we want to log access attempts to syslog (all systems)
# Note this only audits connection attempts from public interfaces
#
# Also see item 12, LOG_FAILURES
#
#TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
# anyone probing for BackOrifice?
#UDP_AUDIT_SERVICES="31337"
# how about ICMP?
#ICMP_AUDIT_TYPES=""
#ICMP_AUDIT_TYPES="echo-request" # ping/MS tracert
#
# To enable auditing, you must have syslog configured to log "kern"
# messages of "info" level; typically you'd do this with a line in
# syslog.conf like
# kern.info /var/log/messages
# though the Bastille port monitor will normally want these messages
# logged to a named pipe instead, and the Bastille script normally
# configures syslog for "kern.*" which catches these messages
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
#TCP_AUDIT_SERVICES="telnet ftp imap pop3 finger sunrpc exec login linuxconf ssh"
#UDP_AUDIT_SERVICES="31337"
#ICMP_AUDIT_TYPES=""


# 3) services we allow connections to (all systems)
#
# FTP note:
# To allow your machine to service "passive" FTP clients,
# you will need to make allowances for the passive data
# ports; Bastille users should read README.FTP for more
# information
#
# "public" interfaces:
# TCP services that "public" hosts should be allowed to connect to
#TCP_PUBLIC_SERVICES="" # MINIMAL/SAFEST
#
# UDP services that "public" hosts should be allowed to connect to
#UDP_PUBLIC_SERVICES="" # MINIMAL/SAFEST
#
# "internal" interfaces:
# (NB: you will need to repeat the "public" services if you want
# to allow "internal" hosts to reach those services, too.)
# TCP services that internal clients can connect to
#TCP_INTERNAL_SERVICES="" # MINIMAL/SAFEST
#
# UDP services that internal clients can connect to
#UDP_INTERNAL_SERVICES="" # MINIMAL/SAFEST
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
TCP_PUBLIC_SERVICES="21 22 25 53 80 81 110 143 443 10000 20 58878:59999" # MINIMAL/SAFEST
UDP_PUBLIC_SERVICES="53" # MINIMAL/SAFEST
TCP_INTERNAL_SERVICES="" # MINIMAL/SAFEST
UDP_INTERNAL_SERVICES="" # MINIMAL/SAFEST

# 4) passive/active FTP (Linux 2.2/ipchains only)
# FTP is a firewall nightmare; if you allow "normal" FTP connections,
# you must be careful to block any TCP services that are listening
# on high ports; it's safer to require your FTP clients to use
# "passive" mode.
#
# Note this will also force clients on machines
# that use this one for NAT/IP Masquerading to use passive mode
# for connections that go through this server (e.g. from the
# internal network to public Internet machines
#
# For more information about FTP, see the Bastille README.FTP doc
#
#FORCE_PASV_FTP="N"
#FORCE_PASV_FTP="Y" # SAFEST
#
FORCE_PASV_FTP="Y" # SAFEST


# 5) Services to explicitly block. (Linux 2.2/ipchains only)
# See FTP note above
# Note that ranges of ports are specified with colons, and you
# can specify an open range by using only one number, e.g.
# 1024: means ports >= 1024 and :6000 means ports <= 6000
#
# TCP services on high ports that should be blocked if not forcing passive FTP
# This should include X (6000:6010) and anything else revealed by 'netstat -an'
# (this does not matter unless you're not forcing "passive" FTP)
#TCP_BLOCKED_SERVICES="6000:6020"
#
# UDP services to block: this should be UDP services on high ports.
# Your only vulnerability from public interfaces are the DNS and
# NTP servers/networks (those with 0.0.0.0 for DNS servers should
# obviously be very careful here!)
#UDP_BLOCKED_SERVICES="2049"
#
# types of ICMP packets to allow
#ICMP_ALLOWED_TYPES="destination-unreachable" # MINIMAL/SAFEST
# the following allows you to ping/traceroute outbound
#ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded"
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
TCP_BLOCKED_SERVICES="6000:6020"
UDP_BLOCKED_SERVICES="2049"
ICMP_ALLOWED_TYPES="destination-unreachable echo-reply time-exceeded echo-request"


# 6) Source Address Verification (all Linux systems)
# This helps prevent "IP Spoofing" attacks
#
ENABLE_SRC_ADDR_VERIFY="Y" # SAFEST


# 7) IP Masquerading / NAT. (all systems)
# List your internal/masq'ed networks here
#
# Also see item 4, FORCE_PASV_FTP, as that setting affects
# clients using IP Masquerading through this machine
#
# Set this variable if you're using IP Masq / NAT for a local network
#IP_MASQ_NETWORK="" # DISABLE/SAFEST
#IP_MASQ_NETWORK="10.0.0.0/8" # example
#IP_MASQ_NETWORK="192.168.0.0/16" # example
#
# Have lots of masq hosts? uncomment the following six lines
# and list the hosts/networks in /etc/firewall-masqhosts
# the script assumes any address without a "/" netmask afterwards
# is an individual address (netmask /255.255.255.255):
#if [ -f /etc/firewall-masqhosts ]; then
# echo "Reading list of masq hosts from /etc/firewall-masqhosts"
# # Read the file, but use 'awk' to strip comments
# # Note the sed bracket phrase includes a space and tab char
# IP_MASQ_NETWORK=`cat /etc/firewall-masqhosts | awk -F\# '/\// {print $1; next} /[0-9]/ {print $1"/32"}' |sed 's:[ ]*::g'`
#fi
#
# Masq modules
# NB: The script will prepend "ip_masq_" to each module name
#IP_MASQ_MODULES="cuseeme ftp irc quake raudio vdolive" # ALL (?)
#IP_MASQ_MODULES="ftp raudio vdolive" # RECOMMENDED
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
IP_MASQ_NETWORK="" # DISABLE/SAFEST
IP_MASQ_MODULES="ftp raudio vdolive" # RECOMMENDED


# 8) How to react to disallowed packets (all systems)
# whether to "REJECT" or "DROP" disallowed packets; if you're running any
# public services, you probably ought to use "REJECT"; if in serious stealth
# mode, choose "DROP" so simple probes don't know if there's anything out there
# NOTE: disallowed ICMP packets are discarded with "DROP", as
# it would not make sense to "reject" the packet if you're
# trying to disallow ping/traceroute
# NOTE: the scripts that set up the filter rules will interpret these
# keywords as needed, e.g. "DROP" becomes "DENY" for Linux 2.2/ipchains
#
REJECT_METHOD="DROP"


# 9) DHCP (Linux 2.2/ipchains only)
# In case your server needs to get a DHCP address from some other
# machine (e.g. cable modem)
#DHCP_IFACES="eth0" # example, to allow you to query on eth0
#DHCP_IFACES="" # DISABLED
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
DHCP_IFACES="" # DISABLED


# 10) NTP servers (Linux 2.2/ipchains only)
# more UDP fun. List IP addresses or network space of NTP servers
#
#NTP_SERVERS="" # DISABLE NTP QUERIES / SAFEST
#NTP_SERVERS="a.b.c.d/32 e.f.g.h/32" # example, to allow querying 2 servers
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
NTP_SERVERS="" # DISABLE NTP QUERIES / SAFEST


# 11) more ICMP. (Linux 2.2/ipchains only)
# Control the outbound ICMP to make yourself invisible to
# traceroute probes
#
#ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"
#
# Please make sure variable assignments are on single lines; do NOT
# use the "\" continuation character (so Bastille can change the
# values if it is run more than once)
ICMP_OUTBOUND_DISABLED_TYPES="destination-unreachable time-exceeded"


# 12) Logging (all systems)
# With this enabled, ipchains will log all blocked packets.
# ** this could generate huge logs **
# This is primarily intended for the port mointoring system;
# also note that you probably do not want to "AUDIT" any services
# that you are not allowing, as doing so would mean duplicate
# logging
LOG_FAILURES="N" # do not log blocked packets

# 13) Block fragmented packets (all systems)
# There's no good reason to allow these
#ALLOW_FRAGMENTS="N" # safest
ALLOW_FRAGMENTS="Y" # old behavior

# 14) Prevent SMB broadcasts from leaking out NAT setup (all systems)
# Windows machines will poll teh net with SMB broadcasts,
# basically advertising their existence. Most folks agree
# that this traffic should be dropped
#DROP_SMB_NAT_BCAST="N" # allow them (are you sure?)
DROP_SMB_NAT_BCAST="Y" # drop those packets

# 15) Log level (iptables/netfilter/Linux 2.4 only)
# Control what level of logging is used when the firewall logs
# information. Default is warning (4). Lowest priority is
# debug (7); highest is emergency (0). To prevent syslog
# from copying iptables error messages to the console, set
# this to 6 (7 would also work, but 6 is recommended)
# You can also stop syslogd/klogd from printing kernel
# messages to the console by issuing the command
# setterm -msg off
#IP_LOG_LEVEL=6 # level used in 2.2/ipchains
IP_LOG_LEVEL=4 # iptables/netfilter default

# 16) Always attempt to use stateful features for inbound connections
# Always using state will allow the firewall to reject invalid
# packets sent to otherwise open TCP services, e.g. XMAS, NULL
# and SIN/FYN scans. The downside to choosing this behavior is that
# services may become unreachable if the packet filter's state
# table becomes full.
IP_ALWAYS_USE_STATE="N" # default, ensures services remain available
ryanmt@vps:~$


Thanks

In your proftpd.conf, you're using the ports 48152 - 49192, but in your firewall configuration you have the ports 58878 - 59999.

Hi, sorry should have said. I was experimenting in changing hte port numbers.. i have updated proftpd.conf to match

What happens if you set FORCE_PASV_FTP to N?

done that, restarted the firewall via the ispconfig interface.. no change when trying to use passive

Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (78,110,167,28,237,153).
Command: LIST
Error: Connection timed out
Error: Failed to retrieve directory listing

im sure proftpd is just ignoring the passive ports ive set in the config file, i just dont know why! grr!

What happens when you comment out the line
Include /etc/proftpd_ispconfig.conf
at the end of your proftpd.conf?

that worked!!!!!!!

can i leave it like that? whats this file for.. and why does it break things!

###################################
#
# ISPConfig proftpd Configuration File
# Version 1.0
#
###################################
DefaultAddress 127.0.0.1
<VirtualHost 78.110.167.28>
DefaultRoot ~
AllowOverwrite on
Umask 002
</VirtualHost>
<VirtualHost 78.110.167.28>
DefaultRoot ~
AllowOverwrite on
Umask 002
</VirtualHost>
<VirtualHost 78.110.167.33>
DefaultRoot ~
AllowOverwrite on
Umask 002
</VirtualHost>

You need that file only if you need anonymous FTP. Otherwise you can leave it out.

ahh thats fine then.. i didnt think anybody used anon ftp these days unless they wanted a server full of warez!

Thanks for the help, thats my last niggle sorted out now. Very happy :)

i hv the similar problem with proftp in opensuse 10.3. Everytime turn SuSE firewall on, proftp would stuck with 229 Entering Extended Passive Mode (|||54790|)... i hate it!

so i just follow the solution in this thread:
1. edit /etc/bastille-firewall.cfg, add the port 50000:60000
2. edit /etc/proftpd.conf: comment out "Include /etc/proftpd_ispconfig.conf" and added "PassivePorts 50000 60000"

Restart proftpd and suse firewall...
But still won't work!

Any other idea what i can do to solve this thing out? thx for any help.

What happens when you comment out the line
Include /etc/proftpd_ispconfig.conf
at the end of your proftpd.conf?

Thats what fixed it for me. Thats a massive port range to have open btw. I prefer them to be alot smaller.

If you can, use ip_conntrack_ftp which is intended for this purpose.

i went down that road and just couldnt get it working.

That's the problem of VPS, it's one of the reasons that made me change to a real physical server.