Pure FTP Passive Mode Issue

I ran into this the other day. The problem appears to apply only when using passive mode through NAT (Network Address Translation). When this happens, the FTP connection cannot be made for two reasons:

  • pure-ftpd sends the internal IP address to the client, which means the client cannot connect.
  • Passive mode appears to use a set of randomly chosen TCP ports for the conversation, and those ports may not have been included in the NAT definition on the router.

Basically NAT says “if something is coming in on these ports, send it to that internal IP address.” This is one way of having multiple servers sharing an IP address.

This can be fixed by using the -P (“passive IP address”) and the -p (“limit port range for passive”) options for pure-ftpd when you start it up.

Debian has drunk the “autoconfig” Kool-Aid for pure-ftpd. The configuration files are actually single files in /etc/pure-ftpd/conf/. Unfortunately, not all of the options are well documented, so you have to read the script in /usr/sbin/pure-ftpd-wrapper to figure out what all of the options are.

# Set passive port range. Don't forget to add this to your router's NAT definition
echo "29799 29899" > /etc/pure-ftpd/conf/PassivePortRange
# set the public IP of your ftp server (replace xx.xx.xx.xx with your IP)
echo "xx.xx.xx.xx" > /etc/pure-ftpd/conf/ForcePassiveIP
# restart pure-ftpd
service pure-ftpd-mysql restart

Once this is done, you'll need to go into your router and add the range of ports in PassivePortRange to the forwarder. After that, passive mode will work.
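
To confirm both settings took effect, compare the "227 Entering Passive Mode" reply from an FTP client's verbose log with what you configured. The script below is an added example, not part of the original page; the function name check_pasv_reply and the sample replies (203.0.113.10 is a documentation address) are made up for illustration.

```sh
#!/bin/sh
# Added example, not from the original page. Sample replies are constructed.
#
# check_pasv_reply REPLY LOW HIGH
# Exit status: 0 usable, 1 private address advertised,
#              2 port outside LOW..HIGH, 3 reply not parsable.
# The body is a subshell "( )" so the IFS change and "exit" stay local to it.
check_pasv_reply() (
    reply=$1 low=$2 high=$3 private=no
    oct='(0|[1-9][0-9]{0,2})'   # one decimal field, no leading zeros
    tuple=$(printf '%s\n' "$reply" |
        sed -n -E "s/.*\\((${oct}(,${oct}){5})\\).*/\\1/p")
    [ -n "$tuple" ] || { echo "unparsable reply"; exit 3; }

    IFS=,
    set -- $tuple               # $1-$4 = address, $5 and $6 = port bytes
    for field in "$@"; do
        [ "$field" -le 255 ] || { echo "unparsable reply"; exit 3; }
    done
    addr="$1.$2.$3.$4"
    port=$(( $5 * 256 + $6 ))   # PASV encodes the port as high,low byte

    # RFC 1918 ranges cannot be reached from outside the NAT.
    case "$1.$2" in
        10.*|192.168) private=yes ;;
        172.*) if [ "$2" -ge 16 ] && [ "$2" -le 31 ]; then private=yes; fi ;;
    esac
    if [ "$private" = yes ]; then
        echo "$addr:$port private address advertised; set ForcePassiveIP"
        exit 1
    fi
    if [ "$port" -lt "$low" ] || [ "$port" -gt "$high" ]; then
        echo "$addr:$port port outside $low-$high; check PassivePortRange"
        exit 2
    fi
    echo "$addr:$port ok"
)

# On the server, LOW and HIGH can be read from the file written above:
#   read low high < /etc/pure-ftpd/conf/PassivePortRange
check_pasv_reply '227 Entering Passive Mode (192,168,1,10,116,103)' 29799 29899 || true
check_pasv_reply '227 Entering Passive Mode (203,0,113,10,116,103)' 29799 29899 || true
check_pasv_reply '227 Entering Passive Mode (203,0,113,10,195,80)' 29799 29899 || true
```

A port that is inside the range but still fails to connect points at the router's forwarding rule rather than at pure-ftpd.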

NOTE: it is quite normal to see some FTP clients have a problem and others not. For example, FileZilla will barf if passive mode doesn't work, but other clients will automatically detect that passive mode is not working and change to active mode. Another way around it is to always use active mode.

software/pure-ftpd/passive-mode.txt · Last modified: 2018/04/28 00:35 by 127.0.0.1