Just recently I was playing around with setting up an anonymous FTP server using the excellent vsftpd software. (The ‘vs’ is for ‘very secure’.) To test this out, I decided to connect from Nautilus, on my Ubuntu laptop. Unfortunately, I got an error like this:
Sorry, could not display all the contents of "/ on ftp.whatsmykarma.com"
So, I gave this a try instead with the command-line ftp client on this machine, and it worked fine. This had me scratching my head, but I figured it out eventually. Basically, the problem is one of passive vs active FTP; look at the Wikipedia page for more information. As it turned out, the command-line FTP client was defaulting to active mode, which basically means that the server listens on one port and then connects back to a port on the client (that is, the client has to have one open and listening) to make the transfer. This is fine if you’re on a local network, or have a loose environment firewall-wise where the server can talk to the client this way. However, because this setup is a bit more difficult, passive FTP was introduced: the server listens on one port and then on some other random ports. The client doesn’t have to listen; it just connects to the server on port 21, and is then told which other port on the server it has to connect to in order to actually do the transfer. This is basically an improvement, but it still means we want to listen on more ports than just 21. For whatever reason Nautilus only seems to like passive FTP (which is probably a good thing), and was giving that error because I’d only forwarded port 21 on the server.
Now, the fix for this is simple, but before I give much of my vsftpd.conf file I would like to address a concern that will no doubt be brought up: FTP isn’t that great. Well, not from a security standpoint, at least. Normal FTP just sends everything in clear text, and with minimal effort someone who has access to the data stream (e.g., the guy in charge of your company’s firewall, or someone on your wireless network) can easily get this information. Perhaps your FTP login details are used elsewhere, like for logging in to a system account. (Like, you sit at your workstation and log in with those credentials, and someone else getting them means they can read your email and delete your crap.) These days there are better options, such as SFTP (basically an FTP-like protocol that runs over SSH, and only really needs OpenSSH) that are better for a lot of things. However, FTP is nice for certain things, like if you have a server that hosts a bunch of big files you want to put up for download. You can do this with anonymous FTP, with no need for sensitive usernames and passwords. I’m going to assume that this is roughly why you’re looking into FTP, and that you know what you’re doing. (Note that it’s also possible to use FTP with SSL, which could be handy in some cases when you really want to use FTP with login info.)
Anyway, here’s what we have to do. We want to use passive FTP, and configure vsftpd accordingly. To do this we need to forward port 21 to it (of course), but we also need to have it listen on another port to do the transfers. Traditionally the FTP server would randomly pick a port from a range, but you really only need one. I chose 2020. It can be anything, so long as it’s above 1024, because the server will try to bind it as a non-root user.
Now, the other thing the server will do when we tell it we want to go into passive mode is send an address for the client to connect to (with the given port). In my case, I’m on a dynamic IP, so we would like to give it a hostname to use. Luckily, vsftpd will allow us to do all this. So, for a simple, anon-only FTP server that works in passive mode, here is my config:
# Optional directives
Change the details or add stuff to suit your setup. Note that we set a pasv_min and pasv_max port; these can simply be the same value. pasv_addr_resolv=YES just lets us specify a hostname. And that’s that: restart vsftpd and enjoy FTP.
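As an added worked example (not the config from this post, which is not reproduced above), here is a small POSIX shell script that writes a minimal anonymous-only, passive-mode vsftpd.conf of the kind described, and includes a helper that decodes the server’s "227 Entering Passive Mode" reply so you can confirm the port it advertises is actually the one you forwarded. The hostname ftp.example.com is a placeholder, the single data port 2020 follows the post, and the sample 227 replies are constructed; the config path defaults to a temporary file so nothing on your system is touched until you copy it into place.

```shell
#!/bin/sh
# Added example: a minimal anon-only, passive-mode vsftpd.conf (assumed
# settings, not the post's own file) plus a check that the port the
# server advertises in its 227 reply falls inside the forwarded range.

# Where to write the config; defaults to a temp file (assumption).
VSFTPD_CONF="${VSFTPD_CONF:-$(mktemp)}"

write_conf() {
  cat >"$VSFTPD_CONF" <<'EOF'
# Anonymous, read-only access only (assumed settings; adjust to taste)
listen=YES
anonymous_enable=YES
local_enable=NO
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
# Passive mode with a single data port (above 1024, bound as non-root);
# forward this port as well as 21.
pasv_enable=YES
pasv_min_port=2020
pasv_max_port=2020
# Advertise a hostname rather than the (dynamic) IP address.
pasv_addr_resolv=YES
pasv_address=ftp.example.com
EOF
}

# Read a key=value directive from the config file (first match only).
conf_get() {
  sed -n "s/^$1=//p" "$VSFTPD_CONF" | head -n 1
}

# Decode the data port from a 227 reply:
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" -> p1*256 + p2
pasv_port() {
  set -- $(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p' | tr ',' ' ')
  [ "$#" -eq 6 ] || return 1
  echo $(( $5 * 256 + $6 ))
}

# Succeed only if the advertised port lies within pasv_min_port..pasv_max_port,
# i.e. within the range you actually forwarded to the server.
pasv_in_range() {
  port=$(pasv_port "$1") || return 1
  lo=$(conf_get pasv_min_port)
  hi=$(conf_get pasv_max_port)
  [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]
}

write_conf
# Constructed sample reply: (7,228) encodes 7*256+228 = 2020, our data port.
pasv_port "227 Entering Passive Mode (192,0,2,10,7,228)"
```

In practice you would paste the 227 line from a client session (the command-line ftp client prints it when you enter passive mode) into pasv_in_range; if it fails, the server is advertising a port you have not forwarded, which is exactly the situation that produced the Nautilus error above.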