Re: allowing passive FTP from the outside

From: Justin Zygmont (jzygmont_at_solarflow.net)
Date: 04/03/05

  • Next message: Andy Green: "Re: Need a hand getting php started."
    Date: Sun, 3 Apr 2005 00:06:19 -0800 (PST)
    To: Robert Slade <fedora@bathnetworks.com>
    
    
    

    On Sun, 3 Apr 2005, Robert Slade wrote:

    > On Sat, 2005-04-02 at 22:33, Justin Zygmont wrote:
    >> On Sat, 2 Apr 2005, Markku Kolkka wrote:
    >>
    >>> Justin Zygmont wrote in his message (sent Saturday, 2 April
    >>> 2005 12:23):
    >>>> I know the problem is because of a nonexistent iptables rule, I'm
    >>>> just at a loss as to what the missing rules should look like.
    >>>> The only thing that is different in this case is that I need
    >>>> to use port 221 for FTP instead of 21,
    >>>
    >>> That's what breaks everything. The FTP control connection must be
    >>> on server port 21. Using a different port violates RFC 959 and
    >>> ip_conntrack_ftp doesn't watch any other port for FTP traffic.
    >>
    >> Are you sure ftp_conntrack is even needed? I thought that's usually used
    >> just for stateful routing through a server, and not to connect to one from
    >> the outside. Also when I shut iptables down, it works, I can get an FTP
    >> listing.
    >>
    > Yes it does. ftp_conntrack etc. monitors the traffic on port 21 and
    > dynamically opens the higher-numbered (data) ports that the control on port 21
    > asks for. Turning off iptables just opens all the ports.
    >
    > If you are using vsftp, then you can set the ports used by passive ftp
    > and then open them in iptables, but this is a risk as they can be
    > abused. This may be possible with other ftp servers.

    Then wouldn't this mean that FTP on regular port 21 would not work at all
    unless you had ftp_conntrack loaded? Because I've run FTP servers before
    without it, and it worked fine. Do you happen to remember this option in
    vsftpd? I don't recall seeing it.

    Thanks for the replies everyone..

    
    

    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
    
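Worked example added by the editor, not code from the thread, from vsftpd or from netfilter: the two pieces the thread is circling around, the vsftpd settings that pin the passive data range (the option Robert mentions is `pasv_min_port`/`pasv_max_port`), and the iptables rules that go with a control channel on port 221. The conntrack FTP helper only parses control traffic on the ports it is told about, and its default list is just 21, so the module's `ports=` parameter has to include 221 for PASV replies to be tracked at all. The port range 50000-50100 and the script name `ftp-rules.sh` are constructed assumptions; everything is printed rather than executed so it can be reviewed first.

```shell
#!/bin/sh
# Passive FTP through iptables with the control channel on a non-standard port.
# Added example (not from the thread). Assumes vsftpd and a 2.6-era kernel whose
# helper is ip_conntrack_ftp; on current kernels the module is nf_conntrack_ftp
# and takes the same ports= parameter. Assumes the OUTPUT chain is ACCEPT.
# Port numbers other than 221 are constructed for illustration.

FTP_CTRL_PORT=${FTP_CTRL_PORT:-221}   # control port from the thread
PASV_MIN=${PASV_MIN:-50000}           # assumed passive data range
PASV_MAX=${PASV_MAX:-50100}

# Refuse a passive range that is unordered, out of range, or low enough to
# overlap privileged services. Returns 0 when the range is usable.
check_pasv_range() {
    [ "$PASV_MIN" -gt 1023 ] || return 1
    [ "$PASV_MAX" -le 65535 ] || return 1
    [ "$PASV_MIN" -le "$PASV_MAX" ] || return 1
    return 0
}

# vsftpd side: listen on the non-standard control port and pin the passive
# data ports to a fixed range so the firewall can refer to them by number.
vsftpd_pasv_conf() {
    cat <<EOF
listen=YES
listen_port=$FTP_CTRL_PORT
pasv_enable=YES
pasv_min_port=$PASV_MIN
pasv_max_port=$PASV_MAX
EOF
}

# Firewall side, printed as commands so they can be reviewed and then applied
# with:  ./ftp-rules.sh helper | sh
# Mode "helper" relies on the conntrack FTP helper (RELATED matches the data
# connection announced in the 227 reply). Mode "static" is the fallback the
# thread warns about: the whole pinned range is opened to NEW connections, so
# anything else listening there becomes reachable from outside.
ftp_rules() {
    mode=${1:-helper}
    check_pasv_range || { echo "bad passive range $PASV_MIN-$PASV_MAX" >&2; return 1; }
    case "$mode" in
    helper)
        # Default watch list is port 21 only; add the real control port.
        echo "modprobe ip_conntrack_ftp ports=21,$FTP_CTRL_PORT"
        echo "iptables -A INPUT -p tcp --dport $FTP_CTRL_PORT -m state --state NEW,ESTABLISHED -j ACCEPT"
        echo "iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT"
        ;;
    static)
        echo "iptables -A INPUT -p tcp --dport $FTP_CTRL_PORT -m state --state NEW,ESTABLISHED -j ACCEPT"
        echo "iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $PASV_MIN:$PASV_MAX -m state --state NEW -j ACCEPT"
        ;;
    *)
        echo "usage: $0 helper|static" >&2
        return 1
        ;;
    esac
}
```

In helper mode the passive range is never named in a rule at all: the helper creates an expectation from each `227 Entering Passive Mode` reply and the incoming data SYN is accepted as RELATED. That is why the range only has to be pinned in vsftpd when you fall back to the static rule, and why the static rule is the one to avoid unless the control channel is encrypted and the helper cannot read it.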

