Vsftpd unable to list directory
From HostThyself
Error symptom:
vsftpd is installed and running on a CentOS 4.4 server. You are able to log in with a user account and password, but the FTP client is unable to list the target directory and reports an error. Login succeeds because it only needs the control connection on port 21; the listing fails because it needs a second, separate data connection.
Background for this error:
- You are accessing the FTP server from an FTP client behind a router or NAT, so the server cannot open an active-mode data connection back to the client.
- Passive FTP is therefore required, but the server's firewall blocks most ports other than 21.
- vsftpd is not configured with a passive port range that the firewall allows, so the data connection the client opens for the directory listing is dropped.
Solution:
- Enable passive connections (on by default)
- Enable active-mode data connections from port 20 (ftp-data)
- Set up a passive port range in vsftpd
- Open that port range on the firewall for passive connections
vsftpd.conf
- The configuration file is /etc/vsftpd/vsftpd.conf
- Allow active-mode data connections to originate from port 20 (ftp-data); this only matters for clients that are not behind NAT and still use active mode
connect_from_port_20=YES
- pasv_enable: when enabled, passive mode connections are allowed. The default value is YES.
pasv_enable=YES
- You should set up a range of ports so that you can open exactly that range in the firewall. Two values are required:
- pasv_max_port: specifies the highest possible port sent to FTP clients for passive mode connections. This setting limits the port range so that firewall rules are easier to create. The default value is 0, which does not limit the highest passive port. The value must not exceed 65535.
- pasv_min_port: specifies the lowest possible port sent to FTP clients for passive mode connections. This setting limits the port range so that firewall rules are easier to create. The default value is 0, which does not limit the lowest passive port. The value must not be lower than 1024.
- Leaving either value at 0 means vsftpd may pick any unprivileged port, which would force you to open far more of the firewall than the range below.
For example
pasv_min_port=30000
pasv_max_port=33333
Firewall configuration
- In the iptables configuration (/etc/sysconfig/iptables on CentOS 4), add the following two rules. Place them before the chain's final REJECT rule so they are actually reached, then reload with: service iptables restart
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --sport 20 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp -m state --dport 30000:33333 --state NEW -j ACCEPT
- The second rule is what fixes the listing for NAT clients: it admits new connections to the passive range set in vsftpd.conf, and only that range, so the two must agree. The first rule matches only on a remote source port of 20, which any remote host can choose, so it is a weak filter; it is only needed when this host itself acts as an active-mode FTP client. If the ip_conntrack_ftp module is loaded, the kernel marks data connections negotiated over port 21 as RELATED and the explicit range rule is not required, but the explicit range works without the helper.
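The steps above only work when the range in vsftpd.conf and the range in the firewall rule agree, and when the port a PASV reply advertises actually falls inside it. The following script is an added example, not code from this page or from the vsftpd project: it parses a constructed vsftpd.conf, validates the pasv_* options against the documented limits, renders the matching iptables rule for the RH-Firewall-1-INPUT chain used above, and checks constructed "227 Entering Passive Mode" replies (port = p1*256 + p2) against the range. The sample config, the PASV replies and the function names are all my own assumptions.

```python
import re

# Constructed sample vsftpd.conf, not taken from any real server.
SAMPLE_CONF = """\
# /etc/vsftpd/vsftpd.conf (constructed sample)
listen=YES
anonymous_enable=NO
local_enable=YES
connect_from_port_20=YES
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=33333
"""

# Constructed PASV replies as an FTP client sees them on the control
# connection; the data port is p1*256 + p2.
PASV_OK = "227 Entering Passive Mode (192,0,2,10,120,200)"   # port 30920, inside range
PASV_BAD = "227 Entering Passive Mode (192,0,2,10,195,88)"   # port 50008, outside range


def parse_vsftpd_conf(text):
    """Return vsftpd.conf settings as a dict.

    vsftpd skips blank lines and lines starting with '#' and expects
    option=value with no whitespace around '='; other lines are ignored here.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key] = value
    return settings


def passive_port_range(settings):
    """Validate the pasv_* options and return (low, high).

    Limits are the documented ones: pasv_min_port must not be lower than
    1024, pasv_max_port must not exceed 65535, and 0 means 'no limit',
    which would force the firewall to open every unprivileged port.
    """
    if settings.get("pasv_enable", "YES").upper() != "YES":
        raise ValueError("pasv_enable=NO: clients behind NAT cannot use passive mode")
    low = int(settings.get("pasv_min_port", "0"))
    high = int(settings.get("pasv_max_port", "0"))
    if low == 0 or high == 0:
        raise ValueError("passive range is unlimited; set both pasv_min_port and pasv_max_port")
    if low < 1024:
        raise ValueError("pasv_min_port must not be lower than 1024")
    if high > 65535:
        raise ValueError("pasv_max_port must not exceed 65535")
    if low > high:
        raise ValueError("pasv_min_port is greater than pasv_max_port")
    return low, high


def passive_range_rule(low, high, chain="RH-Firewall-1-INPUT"):
    """iptables rule admitting new data connections to the passive range only."""
    return (f"-A {chain} -p tcp -m tcp -m state "
            f"--dport {low}:{high} --state NEW -j ACCEPT")


_PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def pasv_endpoint(reply):
    """Parse a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply into (host, port)."""
    m = _PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pasv_port_allowed(reply, low, high):
    """True when the advertised passive port falls inside the firewalled range."""
    _, port = pasv_endpoint(reply)
    return low <= port <= high


if __name__ == "__main__":
    low, high = passive_port_range(parse_vsftpd_conf(SAMPLE_CONF))
    print(passive_range_rule(low, high))
    for reply in (PASV_OK, PASV_BAD):
        host, port = pasv_endpoint(reply)
        verdict = "allowed" if pasv_port_allowed(reply, low, high) else "BLOCKED by firewall"
        print(f"{reply} -> {host}:{port} {verdict}")
```

To use this against a live server, paste the 227 line your client prints (most clients show it with a debug or verbose option) into pasv_endpoint; a port outside the range means vsftpd is not reading the pasv_* options you think it is, typically because the wrong configuration file is loaded or the service was not restarted.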