Look at the pure-ftpd configuration file: PassivePortRange 20000 40000
But the firewall only opens ports 39000-40000.
That is the problem. The port range in the configuration file and the range opened in the firewall have to correspond: set them to the same values (or at least make sure the configured range lies entirely within the firewall's range). Give PassivePortRange at least 100 ports, and remember to restart pure-ftpd after changing the setting, since the range is only read at startup.
—
Advanced users may want to read the following and take it into consideration.
In active mode the server initiates the data connection to an IP address and port that the client specified in its PORT command, so the server has no say in which port is used. In this case you don't need to open any incoming port other than 21, because the data connection is outbound from the server towards the client.
In passive mode the client opens a connection to a server-defined port, and that is where the passive port range comes into play. The server chooses a free port within the range and hands it to the client in the PASV reply. This of course means that the entire port range has to be reachable through the server firewall, which has security implications: every port in the range is exposed to anyone, not just to FTP clients with an open control connection.
Linux has a neat feature to mitigate the effect of opening a large port range for passive FTP: iptables connection tracking. The FTP conntrack helper reads the PASV replies on the control channel (port 21) and marks the announced data port as RELATED to that session. To use it, make sure the helper module is loaded (nf_conntrack_ftp on current kernels; ip_conntrack_ftp is the legacy name), and then you can permit traffic like this:
# iptables -A your_chain -i your_iface -m state --state RELATED -m helper --helper ftp -j ACCEPT
(you can add -p tcp --dport lo:hi with your port range to narrow it further). That tells iptables to accept only connections that the conntrack FTP helper has tied to an FTP session. A packet to a port in your passive range that was never announced in a PASV reply does not match the rule, so even if some other service happens to listen on a port in that range, the firewall still blocks it, assuming your chain's policy drops whatever no rule accepts. Two caveats: since kernel 4.7 the helper is no longer attached to port-21 connections automatically (and the automatic assignment was removed entirely in 6.0), so you also need a raw-table rule such as iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp; and the helper can only work when it can read the control channel, so with TLS-encrypted FTP (FTPS) the PASV replies are invisible to conntrack and the plain port-range rule is all you have.
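The following shell script is an added example, not code from the original post or from pure-ftpd itself. It ties the two parts of the page together: it checks a PassivePortRange directive against the firewall's open range the way the fix above requires (configured range inside the firewall range, at least 100 ports wide) and prints the conntrack-helper firewall rules described in the advanced section. The configuration text is constructed from the values in the post; the interface name eth0, the INPUT chain and the raw-table CT rule are assumptions about your setup, and the rules are printed for review rather than applied.

```shell
#!/bin/sh
# Added example (not part of the original post or of pure-ftpd itself).
# Checks a pure-ftpd PassivePortRange against the firewall's open range and
# prints matching iptables rules. The sample config below is constructed; the
# interface name, chain name and the raw-table CT rule are assumptions.

# pasv_range: read pure-ftpd.conf text on stdin and print "lo hi" from the
# PassivePortRange directive; exit status 1 if the directive is absent.
pasv_range() {
    awk '$1 == "PassivePortRange" && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ {
             print $2, $3; found = 1; exit
         }
         END { exit !found }'
}

# check_pasv_range CFG_LO CFG_HI FW_LO FW_HI [MIN]
# Returns 0 when the configured range lies inside the firewall range and is at
# least MIN ports wide (default 100); otherwise reports each problem, returns 1.
check_pasv_range() {
    cfg_lo=$1; cfg_hi=$2; fw_lo=$3; fw_hi=$4; min=${5:-100}
    rc=0
    if [ "$cfg_lo" -gt "$cfg_hi" ]; then
        echo "PassivePortRange $cfg_lo $cfg_hi: lower bound is above upper bound"
        return 1
    fi
    if [ "$cfg_lo" -lt "$fw_lo" ] || [ "$cfg_hi" -gt "$fw_hi" ]; then
        echo "PassivePortRange $cfg_lo-$cfg_hi is not inside firewall range $fw_lo-$fw_hi"
        rc=1
    fi
    if [ $((cfg_hi - cfg_lo + 1)) -lt "$min" ]; then
        echo "PassivePortRange $cfg_lo-$cfg_hi has fewer than $min ports"
        rc=1
    fi
    return $rc
}

# ftp_rules IFACE LO HI: print iptables rules that admit passive data
# connections only when the FTP conntrack helper saw the port announced on the
# control channel. Kernels >= 4.7 do not attach the helper automatically,
# hence the raw-table CT rule on port 21 (assumed ruleset layout: INPUT chain).
ftp_rules() {
    iface=$1; lo=$2; hi=$3
    cat <<EOF
modprobe nf_conntrack_ftp
iptables -t raw -A PREROUTING -i $iface -p tcp --dport 21 -j CT --helper ftp
iptables -A INPUT -i $iface -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $iface -p tcp --dport $lo:$hi -m conntrack --ctstate RELATED -m helper --helper ftp -j ACCEPT
EOF
}

# Constructed sample of pure-ftpd.conf using the values from the post; the
# firewall in the post only opens 39000-40000.
SAMPLE_CONF='Daemonize yes
PassivePortRange 20000 40000
MaxClientsNumber 50'

if range=$(printf '%s\n' "$SAMPLE_CONF" | pasv_range); then
    set -- $range
    check_pasv_range "$1" "$2" 39000 40000 ||
        echo "set PassivePortRange 39000 40000 to match the firewall, then restart pure-ftpd"
    # Rules for the range the firewall actually exposes.
    ftp_rules eth0 39000 40000
else
    echo "no PassivePortRange directive found"
fi
```

Run it as-is to see the mismatch report for the post's values and the rule set for 39000-40000; feed your real configuration to pasv_range to check a live box. If your ruleset already has a blanket `--ctstate ESTABLISHED,RELATED -j ACCEPT` rule, the helper-restricted rule is redundant, and remember that with FTPS the helper cannot see the PASV replies, so the data-port rule will not match and the range must be opened outright.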