vsftpd behind router/firewall

Jan 28, 2012
Tested on: Ubuntu 11.04 (natty)

This is how I got vsftpd server work behind a router. If you are getting errors like "Server sent passive reply with unroutable address. Using server address instead." or "500 illegal port command" on list (ls) command, this post might help. Setting passive mode configuration correctly is the trick.

Please note that this may not be the perfect solution or even worse - not very secure. Read vsftpd.conf manual before applying any changes.

Make sure port 20, 21 and few more ports, for example 4242-4252, are being forwarded to the server. We will need these extra ports for passive mode - set pasv_min_port and pasv_max_port accordingly in the configuration file. Add following to /etc/vsftpd.conf . connect_from_port_20=YES pasv_enable=YES pasv_addr_resolve=YES pasv_address=myaddress.dyndns.com pasv_min_port=4242 pasv_max_port=4252 Set pasv_address to your domain name. You can use dyndns for dynamic ip-address. vsftpd will convert your domain name to ip address when vsftpd server starts. Note that if your ip address changes after vsftpd has started it will not update the ip-address. There has been some attempt to the solve it.
Here are some more configurations with comments: # Only allow FTP access to users listed in file /etc/vsftpd.userlist # Other users will not have ftp access userlist_enable=YES userlist_deny=NO userlist_file=/etc/vsftpd.userlist # Disable delete commands cmds_denied=DELE,RMD # Verbose logging log_ftp_protocol=YES # You may restrict local users to their home directories. See FAQ for # the possible risks in this before using chroot_local_user chroot_local_user=YES
For more security, you can also modify the login-shell of a dummy ftp user to something like /bin/false - which does not exist. Use following command sudo usermod -s /bin/false <username> In order to make this work you have to add /bin/false to the file /etc/shells. Or else vsftpd will generate login error when the user logs in using ftp.