I was monitoring some FTP browsing and noticed that for each directory I clicked a new PASV command was sent to the FTP server.

This meant that a new TCP connection was created on a new port every time I requested a directory.

To ensure smooth browsing I have to allow a few new TCP connections per second in iptables.

Is this how the protocol was built, or do I have vsftpd set up wrong?

This is default behavior for many FTP daemons, which allows for unique ports to be opened for file transfers, to keep port 20/21 open to allow new connections. You can configure a 'port range' in the vsftpd.conf, then add the entire range to iptables to be allowed. The other option is to disable PASV transfers in the client and make it use 20/21 for data transfer as well, but I wouldn't recommend it.

NAT environments, and a few other things can have problems with 'Active only' connections.
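One way to apply the port-range advice above, as an added example that is not from the thread: a POSIX shell script that reads `pasv_min_port` and `pasv_max_port` (real vsftpd.conf directives) from a config file, checks that the range is sane, and prints the iptables rules that cover port 21 plus only that range. The sample config and its port numbers are constructed for the example.

```shell
# Added example (not from the original thread): derive iptables rules for the
# PASV data-port range from a vsftpd.conf. pasv_min_port/pasv_max_port are real
# vsftpd directives; the port numbers and sample file below are constructed.

# Print "min max" for the PASV range configured in the file given as $1.
pasv_range() {
    conf="$1"
    min=$(sed -n 's/^pasv_min_port=\([0-9]*\).*/\1/p' "$conf" | tail -n 1)
    max=$(sed -n 's/^pasv_max_port=\([0-9]*\).*/\1/p' "$conf" | tail -n 1)
    # Both directives must be set and form a sane unprivileged range; otherwise
    # vsftpd picks arbitrary high ports and no fixed firewall rule can cover them.
    [ -n "$min" ] && [ -n "$max" ] || return 1
    [ "$min" -ge 1024 ] && [ "$max" -le 65535 ] && [ "$min" -le "$max" ] || return 1
    printf '%s %s\n' "$min" "$max"
}

# Emit the rules: the control port plus only the PASV range, so the firewall
# needs no per-second allowance for new connections on arbitrary ports.
pasv_iptables_rules() {
    range=$(pasv_range "$1") || return 1
    set -- $range
    printf 'iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --dport %s:%s -m conntrack --ctstate NEW -j ACCEPT\n' "$1" "$2"
}

# Constructed sample vsftpd.conf fragment for a stand-alone run.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
listen=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
EOF
pasv_iptables_rules "$sample_conf"
rm -f "$sample_conf"
```

The script only prints the rules; review them and run them (or add them to your persistent iptables configuration) yourself.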
