fix typo
stenci

You are using the active mode of FTP to connect to a server running Pure-FTPd. In the active mode, a server has to connect back to a client to open a data transfer connection (for file transfers or directory listing). For that, the client sends its IP address to the FTP server in the PORT command.

If the FTP server is outside of the GCE private network, it obviously cannot connect back to the client machine, as the machine is behind a firewall and NAT.

And actually the Pure-FTPd explicitly checks that the IP address in the PORT command matches the client IP address of the FTP control connection. It won't match if the client sends its internal IP address within the GCE network. In this case, the Pure-FTPd server rejects the transfer outright (without even trying to connect) with the error message you are getting:

I won't open a connection to ... (only to ...)

(where the first ... is the IP address provided by the client in the PORT command [the local address within the GCE private network], and the second ... is the external [NATed] IP address of the client, as known by the server).

Even if the client reported the external [NATed] address in the PORT command, it still won't work as the connection attempt won't get past the NAT and firewall.

For this reason, the passive FTP mode exists, in which the client connects to the server to open the data transfer connection. Actually, no one uses the active mode nowadays.

See (my article) FTP connection modes for details about the modes.

So, switch to the passive mode. How this is done is client-specific.

  • In most common *nix ftp command-line clients, use the -p command-line switch, though the passive mode is used by default anyway:

    -p Use passive mode for data transfers. Allows use of ftp in environments where a firewall prevents connections from the outside world back to the client machine. Requires that the ftp server support the PASV command. This is the default now for all clients (ftp and pftp) due to security concerns using the PORT transfer mode. The flag is kept for compatibility only and has no effect anymore.

  • Some clients also support the passive command.

  • If you are on Windows, you cannot use the built-in command-line ftp.exe client, as it does not support the passive mode at all. You have to install a third-party client. See How to use passive FTP mode in Windows command prompt?
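
The check described in the answer, modelled as an added Python example (it is not part of the original answer and is not Pure-FTPd's own code): it decodes a PORT argument, compares it with the address the server sees on the control connection, and shows the client-side remedy with `ftplib`. The addresses are constructed samples, and the function names and the acceptance message are assumptions.

```python
import ipaddress
from ftplib import FTP


def parse_port_argument(arg):
    """Decode the RFC 959 PORT argument 'h1,h2,h3,h4,p1,p2' into (ip, port)."""
    fields = arg.strip().split(",")
    if len(fields) != 6 or not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError("PORT needs six comma-separated decimal numbers")
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("every PORT field must be in 0..255")
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return ip, nums[4] * 256 + nums[5]


def check_port_command(arg, control_peer_ip):
    """Model of the server-side check: the address in PORT must equal the
    peer address of the control connection, otherwise the transfer is
    refused without any connection attempt. Returns (accepted, message)."""
    ip, port = parse_port_argument(arg)
    peer = ipaddress.IPv4Address(control_peer_ip)
    if ip != peer:
        return False, f"I won't open a connection to {ip} (only to {peer})"
    # Passing the check does not make the data connection reachable: the
    # server's connection attempt still has to get past the NAT and firewall.
    return True, f"server would connect back to {ip}:{port}"


def connect_passive(host, user, password):
    """Client-side fix: in passive mode the client opens the data connection,
    so no PORT command is sent. Passive is already ftplib's default; it is
    set explicitly here to make the intent visible."""
    ftp = FTP(host)
    ftp.login(user, password)
    ftp.set_pasv(True)
    return ftp


# Constructed sample values: the address the server sees on the control
# connection (after NAT) and two PORT arguments a client might send.
NAT_EXTERNAL = "203.0.113.7"
SAMPLES = [
    "10,128,0,2,195,80",    # client reports its internal address
    "203,0,113,7,195,80",   # client reports its external (NATed) address
]

if __name__ == "__main__":
    for arg in SAMPLES:
        print(arg, "->", check_port_command(arg, NAT_EXTERNAL))
```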


added 221 characters in body
Martin Prikryl


details behind the error message
Martin Prikryl


https
Martin Prikryl
-p switch
Martin Prikryl
grammar
Martin Prikryl
added 17 characters in body
Martin Prikryl