Points that tripped me up when using passive-mode FTP on EC2
This is Ito from the infrastructure team.
When I had the opportunity to run FTP (vsftpd) in passive mode on an EC2 instance, I had trouble getting the FTP connection to work, so
I would like to share some points to keep in mind.
vsftpd is short for Very Secure FTP Daemon.
Not just security groups
I think most people control the EC2 firewall with security groups.
The approach is to use a security group to allow FTP only from the IP addresses that need it.
When using passive mode, you also need to open the passive port range in the security group.
Like this
The same range also has to be set on the vsftpd side.
This is the setting for the ports used in passive mode:
# vim /etc/vsftpd/vsftpd.conf
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60030
However, this alone is not enough to connect...
How passive-mode vsftpd communicates on EC2
An EC2 instance basically does not know its own public IP.
Running ifconfig returns only the private (local) IP.
This means the passive data connection is advertised using the instance's private IP.
The FTP connection fails with something like "FTP communication is possible, but passive communication is not possible, so the directory listing cannot be retrieved."
To resolve this, tell vsftpd which IP address to advertise for passive connections.
It's like this:
# vim /etc/vsftpd/vsftpd.conf
pasv_address=<public IP>
FTP works now!
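As an added example (not part of the original post), the following Python script parses a vsftpd.conf, flags the passive-mode mistakes described above (no pasv_address, or a pasv_address that is the instance's private IP), and derives the inbound security group port ranges the config requires. The sample config texts and the 203.0.113.10 address are constructed placeholders standing in for the instance's real public IP.

```python
import ipaddress

# Constructed sample configs (not from the original post). The first is the
# "before" state: passive range opened but no pasv_address. The second adds
# pasv_address with a placeholder public IP (203.0.113.10 is a documentation
# address standing in for the instance's real public IP).
VSFTPD_CONF_BEFORE = """\
# /etc/vsftpd/vsftpd.conf (constructed sample)
listen=YES
pasv_enable=YES
pasv_min_port=60000
pasv_max_port=60030
"""

VSFTPD_CONF_AFTER = VSFTPD_CONF_BEFORE + "pasv_address=203.0.113.10\n"

# Address ranges an EC2 instance would see on its own interfaces (RFC 1918,
# loopback, link-local); none of these works as an advertised passive address
# for clients outside the VPC.
NON_PUBLIC_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def parse_vsftpd_conf(text):
    """Parse vsftpd.conf text into a dict: one key=value per line,
    '#' lines are comments, blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_passive_config(conf):
    """Return a list of problems with the passive-mode settings (empty = OK).
    Defaults follow vsftpd: pasv_enable defaults to YES and the port range
    defaults to 0, meaning any high port."""
    problems = []
    if conf.get("pasv_enable", "YES").upper() != "YES":
        return ["pasv_enable is not YES, so passive mode is disabled"]

    try:
        lo = int(conf.get("pasv_min_port", "0"))
        hi = int(conf.get("pasv_max_port", "0"))
    except ValueError:
        return ["pasv_min_port/pasv_max_port must be integers"]
    if lo == 0 or hi == 0:
        problems.append("pasv_min_port/pasv_max_port are not set; vsftpd will use "
                        "any high port, which a narrow security group rule cannot cover")
    elif lo > hi:
        problems.append(f"pasv_min_port {lo} is greater than pasv_max_port {hi}")

    addr = conf.get("pasv_address")
    if addr is None:
        problems.append("pasv_address is not set; on EC2 vsftpd advertises the "
                        "instance's private IP in the PASV reply, so the client "
                        "cannot open the data connection")
    else:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            # A hostname here is only valid together with pasv_addr_resolve=YES.
            if conf.get("pasv_addr_resolve", "NO").upper() != "YES":
                problems.append(f"pasv_address {addr!r} is not an IP address "
                                "and pasv_addr_resolve is not YES")
        else:
            if any(ip in net for net in NON_PUBLIC_NETS):
                problems.append(f"pasv_address {addr} is not a public IP; "
                                "clients outside the VPC will fail to connect")
    return problems


def required_ingress_rules(conf):
    """Inbound TCP port ranges the security group must allow: the control
    port (listen_port, default 21) and the passive data port range."""
    control = int(conf.get("listen_port", "21"))
    lo = int(conf["pasv_min_port"])
    hi = int(conf["pasv_max_port"])
    return [(control, control), (lo, hi)]


if __name__ == "__main__":
    for label, text in (("before", VSFTPD_CONF_BEFORE), ("after", VSFTPD_CONF_AFTER)):
        conf = parse_vsftpd_conf(text)
        print(label, check_passive_config(conf) or "OK")
    print("security group rules:",
          required_ingress_rules(parse_vsftpd_conf(VSFTPD_CONF_AFTER)))
```

Run it against the real /etc/vsftpd/vsftpd.conf by reading the file into parse_vsftpd_conf; the "before" sample reproduces the symptom from the post (one problem: pasv_address missing), and the "after" sample passes while listing port 21 and 60000-60030 as the rules the security group must contain.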