425 Possible PASV port theft

 
 
John Doe
Guest
Posts: n/a

 
      10-02-2004, 06:08 PM
I am trying to set up an HTTP / FTP server on a spare box in my house.
I am running a bare-bones Debian install (3.0) on an old P133 and doing
all the configuration with Webmin and put it in the DMZ on my LinkSys
router. HTTP is working fine; I have tried THTTPD and aolserver
successfully. But I have a problem with FTP.

I have set up VSFTPD and can FTP from within the LAN on my SuSE box and
the wife's XP box, but I can't make connections from 'outside.' FTP to
the WAN IP or to my DynDNS domain gets the error

425 Possible PASV port theft, cannot open data connection.

A Google of the problem came up with a solution for WU-FTPD to compile
WITHOUT passive FTP, but wouldn't that cause problems for clients behind
NAT routers?

Any help would be appreciated.

Here are a couple of samples of shell sessions on the SuSE machine.

- - - - FTP TO DynDNS DOMAIN - - - - -
dad@linux:~> ftp tosh.is-a-geek.com
Connected to tosh.is-a-geek.com.
220 debian FTP server (Version wu-2.6.2(1) Thu Sep 4 13:31:49 UTC 2003) ready.
Name (tosh.is-a-geek.com:dad): dad
331 Password required for dad.
Password:
230 User dad logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 'EPSV': command not understood.
227 Entering Passive Mode (192,168,1,103,61,75)
425 Possible PASV port theft, cannot open data connection.
ftp> quit
221-You have transferred 0 bytes in 0 files.
221-Total traffic for this session was 470 bytes in 0 transfers.
221-Thank you for using the FTP service on debian.
221 Goodbye.


- - - FTP TO WAN IP - - - -
dad@linux:~> ftp 69.158.62.57
Connected to 69.158.62.57.
220 debian FTP server (Version wu-2.6.2(1) Thu Sep 4 13:31:49 UTC 2003) ready.
Name (69.158.62.57:dad): dad
331 Password required for dad.
Password:
230 User dad logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 'EPSV': command not understood.
227 Entering Passive Mode (192,168,1,103,115,240)
425 Possible PASV port theft, cannot open data connection.
ftp> quit
221-You have transferred 0 bytes in 0 files.
221-Total traffic for this session was 472 bytes in 0 transfers.
221-Thank you for using the FTP service on debian.
221 Goodbye.

- - - FTP TO LAN IP - - - - -
dad@linux:~> ftp 192.168.1.103
Connected to 192.168.1.103.
220 debian FTP server (Version wu-2.6.2(1) Thu Sep 4 13:31:49 UTC 2003) ready.
Name (192.168.1.103:dad): dad
331 Password required for dad.
Password:
230 User dad logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 'EPSV': command not understood.
227 Entering Passive Mode (192,168,1,103,11,171)
150 Opening ASCII mode data connection for /bin/ls.
total 12
-rw------- 1 dad dad 82 Oct 2 12:52 .bash_history
-rw-r--r-- 1 dad dad 509 Sep 30 19:28 .bash_profile
-rw-r--r-- 1 dad dad 1093 Sep 30 19:28 .bashrc
226 Transfer complete.
ftp> quit
221-You have transferred 0 bytes in 0 files.
221-Total traffic for this session was 703 bytes in 1 transfers.
221-Thank you for using the FTP service on debian.
221 Goodbye.
 
 
 
 
 
Neil W Rickert
Guest
Posts: n/a

 
      10-02-2004, 06:42 PM

John Doe <(E-Mail Removed)> writes:

>the wife's XP box, but I can't make connections from 'outside.' FTP to
>the WAN IP or to my DynDNS domain get the error


> 425 Possible PASV port theft, cannot open data connection.


PASV is a problem when the server is behind a NAT box. The server
gives the client the IP address and port to which it should connect.
But if the server is behind a NAT box, that IP address is
inaccessible.

>A Google of the problem came up with a solution for WU-FTPD to compile
>WITHOUT passive FTP, but wouldn't that cause problems for clients behind
>NAT routers?


I have never had problems with active mode FTP from behind a NAT
box. Many NAT boxes monitor PORT commands in the ftp session, and
fix up the PORT command so that it can work.

 
John Doe
Guest
Posts: n/a

 
      10-02-2004, 08:40 PM
Out of curiosity I removed VSFTPD and tried installing WU-FTPD with the
advice I found at

http://www.landfield.com/wu-ftpd/mai.../Apr/0028.html

I used #apt-get source wu-ftpd
#./configure --disable-pasvip

then make and make install but had the same result trying to FTP through
the WAN IP. :-(

 
Tauno Voipio
Guest
Posts: n/a

 
      10-08-2004, 10:12 AM
This may be a router problem. In passive mode, the client
opens both the command (port 21) and data (port 20) connections.
Check that your router forwards both ports to the DMZ server.

To trace the problem further, a packet trace at the DMZ
server is necessary. My favourite for the job is Ethereal.
If there is no X-Window system in the box, the text version
can be used instead, or the packet trace can be made with
tcpdump (writing to disk with the -w option) and the trace
analyzed on a computer with a windowing system and Ethereal.

HTH

Tauno Voipio
tauno voipio (at) iki fi

 
 
Bill Cattell
Guest
Posts: n/a

 
      10-16-2004, 06:39 PM
I have had great success connecting to ProFTPD in PASV behind a Linksys
router. ProFTPD lets you specify which ports to use for the PASV ports,
and on the LinkSys I was able to set that range to go to the server's
internal IP. I think (I haven't worked with VSFTPD in a few weeks) that
VSFTPD will let you set a port range as well.

Bill
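
Added example, not part of the original thread: a small Python check for the two conditions raised in the replies above, namely a 227 reply that advertises an address other than the one the client connected to (Neil W Rickert's point) and a PASV data port that falls outside the range the router forwards (Bill Cattell's point). The 227 lines are copied from the sessions in the first post; the forwarded range 50000-50100 and the function names are assumptions chosen for illustration.

```python
import ipaddress
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": address h1.h2.h3.h4, port p1*256+p2
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(line):
    """Return (IPv4Address, port) from a 227 reply, or None for any other line."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in PASV reply: %r" % line)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]


def check_pasv(control_ip, reply, forwarded_ports=None):
    """List mismatches between a 227 reply and the control connection.

    control_ip      -- address the client used for the control connection
    forwarded_ports -- ports the router forwards to the server (assumed input)
    """
    parsed = parse_pasv(reply)
    if parsed is None:
        return ["not a 227 reply"]
    ip, port = parsed
    control = ipaddress.IPv4Address(control_ip)
    problems = []
    if ip != control:
        kind = "private" if ip.is_private else "different"
        problems.append(f"advertises {kind} address {ip}, client connected to {control}")
    if forwarded_ports is not None and port not in forwarded_ports:
        problems.append(f"data port {port} is outside the forwarded range")
    return problems


if __name__ == "__main__":
    FORWARDED = range(50000, 50101)  # hypothetical range forwarded by the router
    sessions = [  # (address the client connected to, 227 reply from the first post)
        ("69.158.62.57", "227 Entering Passive Mode (192,168,1,103,115,240)"),
        ("192.168.1.103", "227 Entering Passive Mode (192,168,1,103,11,171)"),
    ]
    for control, reply in sessions:
        print(control, check_pasv(control, reply, FORWARDED) or "ok")
```
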

 