Re: [SLE] susefirewall2 and ftp



On Thu, 2005-12-08 at 10:40 -0500, Damon Register wrote:
> wavesurf@xxxxxxxxx wrote:
> > Maybe you will look here to see what the problem is;
> >
> > [gerritjanftp] FTP response: Client "123.123.123.123", "227 Entering Passive
> Isn't that the key? You are using passive mode. I must be missing something
> here. I have been using vsftpd for a few years with SuSE and never had this
> much trouble. I too have two NICs and am using SuSEfirewall2 to make the
> computer a NAT router for my home net and even in a lab at work. Like you
> I am using vsftpd. I am certainly no ftp expert but I believe that passive
> mode uses other high ports and I think I remember they are randomly selected.
> For that reason I use ftp only in active mode in order to avoid that issue
> with the firewall. You are getting connected so the firewall is letting you
> use the port 21. I have no idea how to get the firewall to deal with the
> other high ports used for passive so that is why I stayed with the active
> mode. With some clients that I use, I have to set the option for active
> mode only.
>
> As a side point, I haven't seen anyone mention tampering with
> /etc/sysconfig/SuSEfirewall2. That's where I always go to tamper with
> things not covered by YaST
>
> Damon Register
>
The high port option that I used in Suse 7 8 has been or will soon be
deprecated in SuSEFirewall2.

It is still available in the file /etc/sysconfig/SuSEFirewall2 but it
didn't seem to make much difference here. But you can try it:

FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"

That's why I did not mention it earlier, but what I posted earlier should
work, also if you can turn off masquerade networks,


Chadley





