Clients: curl. FileZilla. gFTP. lftp. NcFTP. wget.
Servers: ProFTPD, Pure-FTPd, vsftpd.
To support active mode transfer, the host machine running the FTP client must open its firewall to the ports the FTP client chooses for data connections. If the firewall forbids packets to that port, the transfer fails. ("GnuTLS error -8: A record packet with illegal version was received.").
To allow an FTP server to read from and write to a user's home directory, instruct SELinux thus:
-> /usr/sbin/setsebool -P ftp_home_dir 1
This takes a minute or so to complete. On the client, this setting resolves error "GnuTLS error -15: An unexpected TLS packet was received." On the server, it resolves the corresponding SELinux alert.
To support standard FTP, the host running an FTP server must open its firewall to FTP packets. To support FTPS in passive mode, the host must additionally open the range of ports specified in the configuration file for vsftpd. See settings for pasv_min_port and pasv_max_port in vsftpd.conf below. (Resolves "GnuTLS error -53: Error in the push function.")
To support FTP over SSH, the host must have an SSH server (sshd) running and it must open its firewall to SSH packets. FTP over SSH does not require the firewall to permit FTP packets or to open extra ports.
To use TLS/SSL under vsftpd, generate a TLS certificate in /etc/vsftpd/cert.pem:
-> cd /etc/vsftp -> openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout cert.pem -out cert.pem \ -subj '/C=US/ST=State/L=City/CN=computer.home/O=Organization' Generating a 1024 bit RSA private key ... writing new private key to 'cert.pem' ----- -> chmod 600 cert.pemls -l cert.pem -rw-------. 1 root root 1844 Aug 23 14:29 cert.pem
See also: OpenSSL Command-Line HOWTO
FTP clients and servers exchange data (files and directory listings) over a data connection. Each data connection has one of two possible modes, called passive and active. Support for these modes affects configurations of the client and server, configurations of firewalls on machines hosting FTP endpoints, and configuration of routers in front of these hosts.
If you're opening an FTP server and wish to make your clients happy, support passive mode in addition to the mandated active mode. Not all supplicants will have the means or willingness to configure active mode for their FTP clients.
Passive mode makes life easy for clients by shifting the burden of extra configuration to the server side of communication. Accordingly, servers with a come-hither attitude will take on that burden and offer passive mode. The FTP protocol allows servers to decline passive mode, however, and a supplicant must then resort to active mode. In this case, the client side needs extra configuration. Here are the details:
In a typical FTP session, the client and server use two types of communication channels. They exchange commands and replies over the control connection, and they transfer files and directory listings over a data connection. The entire session has a single control connection. Each file transfer has its own data connection. All of these connections boil down to TCP ports.
The standard port for control connections is 21. An FTP or FTPS server listens on port 21 for connections from an FTP client. Thus a client's TCP packets know what button to push when they arrive at the server's address. In turn, a server's host machine must open its firewall to TCP connections on port 21. Otherwise, nobody answers when the client comes calling.
The data connections rely on ephemeral ports. Either the client or server picks a random port for a given file transfer. In active mode, the client picks the port and informs the server of this port. In passive mode, the server decides and informs the client. A session's mode has implications for any firewalls protecting the host machines. For active mode, the client's host machine must open its firewall to incoming TCP connections on the range of ports the client uses for data connections. For passive mode, however, it's the server's host machine that must open the firewall to a range of ports for incoming data connections--in addition to standard port 21. In either case, the range of ports depends on the actual client or server implementation running the show. Flexible applications allow the range to be configured.
The terms "active" and "passive" describe which party decides on the port for the data channels. They reflect the client's perspective. In active mode, the client picks a port and listens on that port. It's the server that actually opens the connection to the port selected by the client. That's why the client's host must open its firewall. In passive mode, the server decides and listens. Then the client originates the connection to the port assigned by the server. That's why the server's host must open its firewall. With passive mode, the client initiates both the control and data connections to the server, and only the firewall on the server's host machine worries about extra incoming connections. Passive mode is promoted because it simplifies life for FTP users by eliminating co-requisite configurations of port ranges and firewalls.
The client sets the mode by sending the FTP primitive command PORT to initiate active mode or command PASV to initiate passive mode. An FTP server must support active mode but has no obligation to support passive mode. A server can just say no to passive mode. Whatever the mode, a series of six numbers like "192,168,1,2,7,139" identifies the IP address and port for the data connection. The first four numbers give the IP address in the usual dotted-decimal notation; 192.168.1.2 for this example. The last two numbers specify the 16-bit port also in dotted-decimal notation; e.g. port 1931=7×256+139 here.
The router in front of a machine hosting an FTP client or server may require adjustment as well. For a server to support passive mode over a range of ports, the router in front of the server's host must forward these ports to the host. Otherwise, data connections from the client back to the server would stop abruptly at the router before reaching the server. Similarly, for a client to use active mode, the router in front of the client's host must forward the target ports to the host.
See also: Home. Wiki. Network Configuration.
A user's personal configuration files go under directory ~/.filezilla; e.g. sites, bookmarks, trusted certificates, etc.
For FTPS (FTP over TLS/SSL) connections, FileZilla records trusted certificates in ~/.filezilla/trustedcerts.xml.
For SFTP connections, FileZilla records known hosts in file ~/.putty/sshhostkeys
Under active-mode transfer, FileZilla uses any available local port, by default. If the firewall forbids packets to that port, the transfer fails. FileZilla does allow an explicit range of ports to be specified, however. See the active mode options under the Settings menu. Specify a suitable range and adjust the firewall accordingly.
See also: FileZilla Ticket #3045: Connection wizard's test failed..
See also: Home. FAQ.
gFTP stores user preferences in self-documented ~/.gftp/gftprc and bookmarks in INI-style ~/.gftp/bookmarks. While running, it echos the log to ~/.gftp/gftp.log; it deletes this file when closing.
For active mode, gFTP (ostensibly) does not provide an option to configure the range of ports it will use for data connections. To support active mode in gFTP, then, the host's firewall would need to expose a huge range of ports, presumably all unprivileged or ephemeral ports. This omission essentially nullifies active mode in gFTP.
For FTPS, gFTP supports only the control connection. Thus the user's name and password are encrypted, but all data are transmitted in the clear. Also, gFTP immediately terminates a connection on encountering a self-signed certificate from the server; see the FAQ for a remedy.
In Fedora, gftp-text is disabled ("Sorry, gftp-text has been disabled"). There are comments about this in a thread at linux.derkeiler.com.
See also: Home. Manual. Fryth lftp FAQ.
In addition to ftp and ftps connections, lftp supports http, https, sftp, file, and other protocols.
On connecting to a server, lftp first attempts to use FTPS. If the server does not support TLS/SSL, then lftp resorts to plain-old FTP. Preclude plain-FTP connections altogether by setting boolean ftp:ssl-force to true.
For FTPS, file listings are encrypted, but data are sent in the clear. Use boolean parameters ftp:ssl-protect-list and ftp:ssl-protect-data to adjust these defaults.
In passive mode, if the control connection has an Internet IP address but the server remits a private IP address for the data connection, then lftp replaces the private address with the Internet address. This remedies the pitfalls of a client on the Internet exchanging data with a server located on a private network behind a residential/NAT router. In this case, lftp opens the data connection to the router facing the Internet and expects that router to complete the connection to the correct host on the private network. If you do not want this remedy, you can disable it by setting ftp:fix-pasv-address to off.
In a Fedora distribution, the start-up file is ~/.lftp/rc.
To control attempts to reconnect, for example:
lftp -> net:max-retries 1 lftp -> net:reconnect-interval-base 30s lftp -> net:reconnect-interval-max 30s lftp -> net:reconnect-interval-multiplier 1
In addition to its day job of slinging files, lftp is also a handy tool for troubleshooting connections to a testy FTP server. Here are a few helpful settings.
lftp -> debug
lftp -> debug 3
lftp -> debug 0
lftp -> cache off
lftp -> set ftp:passive-mode off
lftp -> set ftp:port-range 6000-6010
lftp -> set ssl:verify-certificate no
lftp -> set ftp:ssl-allow no
Resources: Home. Manual. Fedora 16 Administrator's guide.
To start the vsftpd service:
-> systemctl start vsftpd.service
To activate changes to vsftpd's configuration file when vsftpd is already running, restart the service:
-> systemctl restart vsftpd.service
My adjustments to the configuration file /etc/vsftpd/vsftpd.conf (no spaces abut equal signs):
List the permitted users in /etc/vsftpd/user_list, one username per line.
See also: Linux Home Server HOWTO. vpslink. Linux Home Networking.