For a while now the vsftpd docs have had pasv_min_port and pasv_max_port commented out with the message "Do NOT assign specific ports; iptables should handle this dynamically". However, this forgets that for this to happen automagically, the module ip_conntrack_ftp has to be loaded, and this does NOT happen transparently; it has to be compiled into the kernel or loaded from modules.autoload.d, for instance. Maybe it's a good idea to mention this in vsftpd.conf as well?
It's even more complicated. In fact, pasv_min_port and pasv_max_port are very useful for SSL connections: ip_conntrack_ftp doesn't handle those, and you need to open the passive port range in your firewall.
Ah, so maybe that's why TLS doesn't work on my vsftpd config :-) If I understand correctly, pasv_min_port and pasv_max_port are mandatory when using SSL/TLS with passive FTP? And ip_conntrack_ftp is not needed in this case? If this is the case, then my follow-up question is about the nature of the ports when doing passive FTP. Is it OK if just one port is used for multiple connections (e.g. pasv_min_port and pasv_max_port are the same)? I read somewhere that this is possible. And if that's true, does it also apply for passive FTP in combination with SSL/TLS? Also, I was wondering whether there's a reason to go with SSL and not TLS, whether TLS should always be used, and whether it's wise to enable all of them (TLS, SSLv2 & SSLv3). Anyway, I still feel it might be a good idea to explain some of this in the config or man file... that would save people a lot of guessing and frustrations.
(In reply to comment #2)
> Ah, so maybe that's why TLS doesn't work on my vsftpd config :-)
>
> If I understand correctly, pasv_min_port and pasv_max_port are mandatory when
> using SSL/TLS with passive FTP? And ip_conntrack_ftp is not needed in this
> case?
No, not mandatory, but they make it possible to limit the port range that must be opened in the firewall; otherwise you'll need to open everything from 1024 upwards. ip_conntrack_ftp is not useful for SSL/TLS; it cannot decode the FTP traffic.
And does the same apply when SSL/TLS is used only for login (encryption of username/password) and not for data transfer?
(In reply to comment #2)
> Is it OK if just one port is used for multiple
> connections (e.g. pasv_min_port and pasv_max_port are the same)? I read
> somewhere that this is possible.
No, that's a very bad idea. You need at least one port for each passive client, so if you allow 50 clients, e.g., you need 50 ports available at minimum. However, bugzilla is a bad place to discuss this; direct your questions to forums.g.o. or #gentoo.
> Anyway, I still feel it might be a good idea to explain some of this in the
> config or man file... that would save people a lot of guessing and
> frustrations.
Sure, but such requests should go upstream; we didn't write vsftpd.
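The two points made in comments #3 and #5 (open only the pasv_min_port..pasv_max_port range in the firewall when TLS is in use, and size that range to at least max_clients because every concurrent passive transfer takes its own data port) as one worked check. This is an added example and not part of the bug thread or of vsftpd itself; the two vsftpd.conf files are constructed here with hypothetical values, the functions conf_get, pasv_range_size, check_pasv_capacity and firewall_rules are ours, and the non-TLS branch assumes a kernel with the nf_conntrack FTP helper and the iptables CT target available.

```shell
#!/bin/sh
# Added example, not from the bug thread or from vsftpd. Reads a vsftpd.conf,
# checks that the passive port range can serve max_clients concurrent passive
# transfers (one data port each), and prints the iptables rules that open
# exactly that range. All config values below are constructed.

# Constructed vsftpd.conf: TLS on, 50-port passive range, 50 clients.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
listen=YES
ssl_enable=YES
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
force_local_logins_ssl=YES
force_local_data_ssl=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50049
max_clients=50
EOF

# Same config with pasv_min_port == pasv_max_port: one passive port for 50 clients.
BAD_CONF=$(mktemp)
sed 's/^pasv_max_port=.*/pasv_max_port=50000/' "$GOOD_CONF" > "$BAD_CONF"
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT

# conf_get FILE KEY: print the value of KEY (last assignment wins), empty if unset.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# pasv_range_size FILE: ports in [pasv_min_port, pasv_max_port]; 0 if unset/inverted.
pasv_range_size() {
    min=$(conf_get "$1" pasv_min_port)
    max=$(conf_get "$1" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ] || [ "$max" -lt "$min" ]; then
        echo 0
    else
        echo $((max - min + 1))
    fi
}

# check_pasv_capacity FILE: "ok" if the range covers max_clients simultaneous
# passive transfers, "short" if not, "unbounded" if max_clients is 0 or unset
# (vsftpd treats 0 as unlimited, so no finite range can be shown sufficient).
check_pasv_capacity() {
    size=$(pasv_range_size "$1")
    clients=$(conf_get "$1" max_clients)
    clients=${clients:-0}
    if [ "$clients" -eq 0 ]; then
        echo unbounded
    elif [ "$size" -ge "$clients" ]; then
        echo ok
    else
        echo short
    fi
}

# firewall_rules FILE: iptables rules for the control port and the passive range.
# With ssl_enable=YES the PASV reply travels inside the TLS-protected control
# channel, so the conntrack FTP helper cannot read it (this also holds when only
# logins are forced to TLS and data stays plaintext): the range must be opened
# statically. Without TLS the helper can track data connections instead, but it
# has to be loaded and, on kernels without automatic helper assignment, bound
# to port 21 explicitly.
firewall_rules() {
    min=$(conf_get "$1" pasv_min_port)
    max=$(conf_get "$1" pasv_max_port)
    echo "iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT"
    if [ "$(conf_get "$1" ssl_enable)" = YES ]; then
        echo "iptables -A INPUT -p tcp --dport $min:$max -m conntrack --ctstate NEW -j ACCEPT"
    else
        echo "modprobe nf_conntrack_ftp   # ip_conntrack_ftp on kernels before the nf_conntrack rename"
        echo "iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp"
        echo "iptables -A INPUT -p tcp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    fi
}

# Stand-alone run: report both constructed configs and the rules for the good one.
for f in "$GOOD_CONF" "$BAD_CONF"; do
    echo "range=$(pasv_range_size "$f") capacity=$(check_pasv_capacity "$f")"
done
firewall_rules "$GOOD_CONF"
```

Run it against a real vsftpd.conf by replacing GOOD_CONF with the path; the single-port config reports "short", which is the situation comment #5 warns about, and the generated rules only ever open the configured range rather than everything above 1024.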
I don't think we need to update the default conf file with this. As Jakub says, report your issue upstream if you think the conf file should be updated. Thanks