500 Illegal Port Command

I can't figure this out.

Active FTP is not supported in the Azure environment, nor by the default Windows command line. Ftp.exe doesn't work in Azure: the command tends to initiate an active connection and refers to the private IP of the client VM (VM Name LXX-XXX-C02, DIPs 10.XXX.XXX.11) while trying to initiate a connection to a public IP, and thus fails.

But with this new policy, I had to change the port. So I changed the services file in /etc/ and changed the ftp port from 21 to 40740. OK, it receives connections normally. It authenticates users nicely but keeps giving me this message when I type dir, for example:

[code]500 Illegal Port Command.
425 Use PORT or PASV first.[/code]

It works neatly from my LAN anyway.

[code]500 Illegal PORT command.
425 Use PORT or PASV first.
500 Illegal PORT command.
2011-01-28 04:13:37.692 Could not retrieve directory listing.
2011-01-28 04:13:37.692 Retrieving directory.[/code]


I have PASV working like a champ. This is on Cent5.6 with vsftpd 2.0.5 installed via yum.
I'm configured for FTPS using only virtual accounts. The issue I'm trying to solve is that a user is in a strict environment where he can't connect using PASV mode. We've seen in the past, at least for plain FTP, that active sometimes works, so I'm trying to get active working.
Using Filezilla, it looks like as soon as it connects it switches to PASV mode to get the directory, even though I have the connection set to active. When I turn off PASV at the server, Filezilla can't get a directory. Looking at the VSFTPD log I see:
[code]FTP response: Client 'x.x.x.x', '200 Switching to Binary mode.'
'PORT x,x,x,x,18,41'
'500 Illegal PORT command.'
'PASV'
'550 Permission denied.'[/code]
I know the permission denied is due to me turning off PASV mode. When it's on I see the same thing except instead of the 550, you see Filezilla switch to PASV to get the directory. Here's the .conf (redacted xxxxs are for IPs/directories/accounts/etc..)
[code]background=YES
anonymous_enable=NO
local_enable=YES
guest_enable=YES
guest_username=xxxx
virtual_use_local_privs=YES
write_enable=YES
pam_service_name=xxx
user_sub_token=$USER
local_root=xxx
anon_root=xxx
chroot_local_user=YES
hide_ids=YES
listen=YES
listen_port=21
pasv_min_port=xxx
pasv_max_port=xxx
connect_from_port_20=YES
tcp_wrappers=NO
port_enable=YES
local_umask=000
max_clients=5
max_per_ip=2
secure_chroot_dir=xxx
nopriv_user=xxx
dirlist_enable=YES
download_enable=YES
log_ftp_protocol=YES
xferlog_std_format=NO
vsftpd_log_file=xxx
xferlog_enable=YES
pasv_enable=YES
pasv_address=x.x.x.x
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=YES
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=xxx
rsa_private_key_file=xxx
ssl_ciphers=AES256-SHA
file_open_mode=0600
banner_file=/etc/vsftpd/banner.txt
idle_session_timeout=150
[/code]
Am I missing something? I see no attempts to connect via 20 on my DMZ firewall. I've tried it with iptables and SELinux off just to see if it was something like that... no joy. I've got the iptables entries anyway:
[code]iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT[/code]
Any ideas? Thanks.
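Why the server answers 500 to that PORT line, as an added example written for this page (it is not code from the thread or from vsftpd itself): the script below reimplements in Python the two checks vsftpd's PORT handler applies while port_promiscuous is left at its default of NO, then replays the PORT/LIST/PASV sequence from the log above against them. The client and server addresses (RFC 5737 and RFC 1918 ranges), the function names diagnose_port and simulate_session, and the pasv_address/pasv_port values are all constructed for the example; only the reply strings are vsftpd's.

```python
"""Model of why vsftpd answers '500 Illegal PORT command.' to an active-mode client.

Added example, not vsftpd's own code. With port_promiscuous=NO (the default) vsftpd
rejects a PORT command unless the address in it equals the control connection's
peer address and the port is not below 1024. Addresses here are constructed.
"""
import ipaddress
import re

IPPORT_RESERVED = 1024
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})$", re.IGNORECASE)


def parse_port_command(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (IPv4Address, port). Raises ValueError."""
    m = PORT_RE.match(line.strip())
    if m is None:
        raise ValueError("malformed PORT argument")
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        raise ValueError("value out of range")
    h1, h2, h3, h4, p1, p2 = octets
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def diagnose_port(line, control_peer_ip, port_promiscuous=False):
    """Return (reply, reason) for one PORT command.

    control_peer_ip is the source address of the control connection as the
    server sees it. For a client behind NAT that is the NAT's public address,
    while the client writes its own private address into the PORT argument.
    """
    try:
        ip, port = parse_port_command(line)
    except ValueError as exc:
        return "500 Illegal PORT command.", f"malformed: {exc}"
    if not port_promiscuous:
        if ip != ipaddress.IPv4Address(control_peer_ip):
            return ("500 Illegal PORT command.",
                    f"address mismatch: PORT names {ip}, control peer is {control_peer_ip}")
        if port < IPPORT_RESERVED:
            return "500 Illegal PORT command.", f"port {port} is below {IPPORT_RESERVED}"
    return "200 PORT command successful. Consider using PASV.", f"accepted {ip}:{port}"


def simulate_session(commands, control_peer_ip, port_promiscuous=False,
                     pasv_enable=True, pasv_address="203.0.113.7", pasv_port=40000):
    """Replay the data-connection commands of a control session and return the replies.

    Only the commands behind the 500/425/550 sequence in the thread are modelled;
    anything else gets vsftpd's generic 'Unknown command.' reply.
    """
    replies = []
    data_ready = False  # True once a PORT or PASV has set up a data connection
    for cmd in commands:
        verb = cmd.split(None, 1)[0].upper()
        if verb == "PORT":
            reply, _ = diagnose_port(cmd, control_peer_ip, port_promiscuous)
            data_ready = reply.startswith("200")
        elif verb == "PASV":
            if pasv_enable:
                h = pasv_address.replace(".", ",")
                reply = f"227 Entering Passive Mode ({h},{pasv_port // 256},{pasv_port % 256})."
                data_ready = True
            else:
                reply = "550 Permission denied."  # vsftpd's reply for a disabled PASV
        elif verb in ("LIST", "NLST"):
            reply = "150 Here comes the directory listing." if data_ready else "425 Use PORT or PASV first."
            data_ready = False  # the data connection is consumed by the transfer
        else:
            reply = "500 Unknown command."
        replies.append(reply)
    return replies


if __name__ == "__main__":
    # Constructed NAT scenario: client 10.0.0.11 sits behind a NAT whose public
    # address is 198.51.100.20 and puts its private address into PORT, as described
    # in the thread. The PASV server is configured with pasv_enable=NO, as in the log.
    for reply in simulate_session(["PORT 10,0,0,11,18,41", "LIST", "PASV", "LIST"],
                                  control_peer_ip="198.51.100.20", pasv_enable=False):
        print(reply)
```

Run as-is and the replies come back in the order of the poster's log: 500 for the PORT, 425 for the LIST that follows it, 550 for PASV while pasv_enable=NO, then 425 again. The address check is the one that bites a client behind NAT: the PORT argument carries the client's private address, the control connection arrives from the NAT's public address, and because the control channel is TLS-protected (force_local_logins_ssl=YES) no firewall ALG can rewrite the PORT argument on the way through, which is also why the same client works from the LAN and why nothing ever reaches port 20 on the DMZ firewall. Setting port_promiscuous=YES makes vsftpd accept the command, but it then also accepts a PORT naming any third host, which is exactly the FTP bounce attack this check exists to prevent, so it is not an acceptable fix on an Internet-facing server; getting PASV (with a pinned pasv_min_port/pasv_max_port range) through the user's firewall is. Separately, the posted config leaves ssl_sslv2=YES and ssl_sslv3=YES enabled; both protocol versions are broken and should be NO on any FTPS server.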