Forum Discussion
Passive FTP using FTP profile
Can you share your config? This works for me out of the box.
I am using the default FTP profile.
root@(ffive01)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile ftp ftp
ltm profile ftp ftp {
    app-service none
}
I have a virtual listening on port 21 and the following iRule attached.
when SERVER_CONNECTED {
    FTP::port 40000 40200
}
And this is my vsftpd.conf
listen=NO
listen_ipv6=YES
xferlog_enable=YES
secure_chroot_dir=/var/run/vsftpd/empty
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
user_sub_token=$USER
local_root=/home/$USER/ftp
pasv_min_port=40000
pasv_max_port=40200
userlist_enable=YES
userlist_file=/etc/vsftpd.userlist
userlist_deny=NO
No issues at all, see tcpdump.
Hi Daniel,
First, thanks for sharing this information with me.
I duplicated your configs, just to prevent misconfigurations.
Here is my config.
admin@(TESTING01)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm profile ftp ftp
ltm profile ftp ftp {
    app-service none
}
FTP config
listen=NO
listen_ipv6=YES
local_enable=NO
anonymous_enable=YES
write_enable=NO
anon_root=/ftp/test
xferlog_enable=YES
dual_log_enable=YES
log_ftp_protocol=YES
vsftpd_log_file=/ftp/logs/vsftpd.log
xferlog_file=/ftp/logs/xferlog.log
pasv_min_port=40000
pasv_max_port=40200
anon_umask=022
banner_file=/etc/vsftpd/banner.txt
VIP config (config not listed below has been kept as default)
source address: any
destination address: any
Service Port: 21 ftp
Protocol: tcp
ftp profile: ftp
Vlan and Tunnel traffic: all VLANs and tunnels
Source Address Translation: auto map
Address translation: enabled
port translation: enabled
Default Pool: FTP POOL
I've created an FTP monitor that retrieves a file on the FTP server, attached it to the FTP pool, and it's working OK.
The issue starts when a remote source (whitelisted for access) connects to the FTP using the F5 public IP. Everything looks good until the remote source requests PASV.
If my FTP pool member is configured with its public IP, the error received after PASV is
421 Service not available, remote server has closed connection
Passive mode refused.
If my FTP pool member is configured using its private IP, the client receives "227 Entering Passive Mode (private VIP IP, ephemeral port)",
which obviously cannot be resolved by the remote source.
I downloaded an iRule that I found in this forum that preserves ephemeral ports, and I modified it to send (no matter what) the public IP of the F5 when PASV is requested (keeping the ephemeral port as it is), but again "passive mode refused".
I've tried other combinations, like using "pasv_address" on the FTP server, pointing to the F5 public and private IPs, but it only works if I point to the public IP address of the F5 and remove the FTP profile from the VIP.
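A way to check what a client actually receives in the 227 reply discussed in this thread, as an added example that is not part of either post: it decodes the advertised address and port and flags an RFC 1918 address or a port outside the `pasv_min_port`/`pasv_max_port` range from the configs above. The function names and sample replies are constructed, and 203.0.113.10 is a placeholder for the public virtual address.

```python
import ipaddress
import re

# RFC 1918 ranges; an address from these in a 227 reply is unreachable
# for a client on the public side of the load balancer.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_227(line):
    """Return (ip, port) from a 227 reply, or None if it is not a valid one."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.ip_address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]  # port = p1 * 256 + p2

def check_pasv(line, expected_ip, port_min=40000, port_max=40200):
    """List the problems a remote client would hit with this 227 reply."""
    parsed = parse_227(line)
    if parsed is None:
        return ["not a 227 passive reply"]
    ip, port = parsed
    problems = []
    if any(ip in net for net in RFC1918):
        problems.append(f"advertises RFC 1918 address {ip}")
    elif ip != ipaddress.ip_address(expected_ip):
        problems.append(f"advertises {ip}, expected {expected_ip}")
    if not port_min <= port <= port_max:
        problems.append(f"port {port} outside {port_min}-{port_max}")
    return problems

if __name__ == "__main__":
    # Constructed replies; 203.0.113.10 stands in for the public virtual address.
    samples = [
        "227 Entering Passive Mode (203,0,113,10,156,90)",
        "227 Entering Passive Mode (10,1,20,5,156,90)",
        "227 Entering Passive Mode (203,0,113,10,200,21)",
        "421 Service not available, remote server has closed connection",
    ]
    for s in samples:
        print(s, "->", check_pasv(s, "203.0.113.10") or "ok")
```

Feed it the 227 line from a client-side capture or from the `log_ftp_protocol` output to see which side of the translation the reply reflects.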