Re: Linux Passive FTP Configuration
- From: Fountain_spray <fountain_spray@xxxxxxxxx>
- Date: Wed, 9 Jul 2008 12:44:43 -0700 (PDT)
On Jul 9, 3:29 pm, Fountain_spray <fountain_sp...@xxxxxxxxx> wrote:
Hello,

I am using RedHat Legacy Linux 7.2 on each of two servers. Server A intends to invoke an FTP client to transfer a file to/from the FTP daemon on Server B. The FTP daemon is running proftpd 1.2.1.

The FTP file transfer must be done in passive mode, not active mode. Passive FTP is problematic. The firewall must be opened to a restricted range of high-numbered ports > 1023.

Okay, here is what I have done, and passive FTP still does not work. Why?

1. Made sure our network firewall allows access to the FTP daemon port 21 from anywhere.
2. Made sure the FTP daemon port 21 is allowed to talk to ports > 1023.
3. Made sure FTP daemon ports > 1023 are open to use from anywhere.
4. FTP daemon ports > 1023 are allowed access to remote ports > 1023.

Actually, I cannot confirm 1 thru 4, as I have to rely on the word of our Network Firewall Administrator, who claims these actions, or their equivalent, are in effect. Not sure what he means by equivalent.

Reading prior postings regarding passive FTP on this group comp.os.linux.networking, I have learned that certain actions may need to be taken within Linux itself. That is, does Linux implement its own firewall in software, and could this supersede or block the actions of the network firewall?

What is /sbin/iptables and how do I configure it? That file is in binary.

What is /etc/sysconfig/ipchains and where can I learn about it? How do I edit it? I have used vi.

One posting suggested adding this line to ipchains and claimed success. Alas, not in my case.

-A input -s serverIPaddress 20 -d 0/0 -p tcp -j ACCEPT

before this ipchains statement:

-A input -s 0/0 -d 0/0 -p tcp -y -j REJECT

Did so, it had no effect.

Also, as we are using proftpd, modified /usr/local/etc/proftpd.conf to add this statement:

PassivePorts 8000 8299

and this too has not helped.

From Server A, I log on via FTP client successfully to the FTP daemon on Server B. This is evidenced by receiving the results of a dir command when not in passive mode. Once I toggle passive mode (and in FTP debug mode this shows ---> PASV to confirm), I get this error:

ftp> dir
---> PASV
227 Entering Passive Mode (1xx,2x,2x,3x,15,87). (*** X's added as a mask by me, for security. ***)
ftp: connect: Connection refused

I am asking our Network Firewall Administrator for a sniffer trace. This is delayed and I cannot wait.

From another posting, I have learned that the last two numbers of the Passive mode address (15,87) give the daemon's passive port number, calculated as follows: 15*256 + 87 = 3927.

Okay, so why is this not in the range 8000 - 8299 as coded in the PassivePorts statement?

I would be much obliged for any assistance.

Thank you.
Fountain_spray
This is the author again. Our proftpd is 1.2.2, not 1.2.1. Also, we have ping disabled. Could that be disabling passive FTP as well? How can we enable passive FTP while keeping ping disabled (for security reasons)?
Thanks.
Fountain_spray
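The 227 reply arithmetic above, worked through as an added example that is not part of the original post or of proftpd: a small Python checker that parses a PASV reply, computes the data port as p1*256 + p2, and flags the two things worth checking before blaming the network firewall. First, a port outside the configured PassivePorts range (the post's 3927 lies outside 8000-8299, which means the running daemon is not applying that directive to this connection). Second, an advertised address that differs from the control connection's peer address, which is the usual NAT/masquerading failure. The sample reply, the peer address and the range are constructed for the example; 192.0.2.10 is a documentation address, not a real host.

```python
import re
import ipaddress

# Constructed sample input (not from the post): a 227 reply as an FTP client
# prints it, the peer address of the control connection, and the PassivePorts
# range the post configures.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,15,87)."
CONTROL_PEER_IP = "192.0.2.10"
PASSIVE_PORTS = (8000, 8299)

# RFC 959 format: 227 <text> (h1,h2,h3,h4,p1,p2)
_PASV_RE = re.compile(
    r"227[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str):
    """Return (host, port) advertised by a 227 reply.

    Raises ValueError on malformed input or out-of-range octets, which is
    also how a client should treat a reply it cannot parse.
    """
    m = _PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    host = "%d.%d.%d.%d" % (h1, h2, h3, h4)
    port = p1 * 256 + p2          # the calculation quoted in the post
    return host, port


def check_pasv(reply: str, control_peer_ip: str, passive_ports):
    """Parse a 227 reply and return (host, port, problems).

    problems is a list of human-readable findings; an empty list means the
    reply is consistent with the configured range and the control peer.
    """
    host, port = parse_pasv(reply)
    lo, hi = passive_ports
    problems = []
    if not lo <= port <= hi:
        problems.append(
            "data port %d is outside PassivePorts %d-%d: the daemon that answered "
            "is not applying that directive" % (port, lo, hi)
        )
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        problems.append(
            "advertised address %s differs from control peer %s: NAT or "
            "masquerading in the path, the client will connect to the wrong host"
            % (host, control_peer_ip)
        )
    return host, port, problems


if __name__ == "__main__":
    host, port, problems = check_pasv(SAMPLE_PASV_REPLY, CONTROL_PEER_IP, PASSIVE_PORTS)
    print("PASV -> %s:%d" % (host, port))
    for p in problems:
        print("  problem:", p)
    if not problems:
        print("  reply is consistent with configuration")
```

Run it against the real 227 line from the client's debug output and the daemon's public address. If the port comes back outside the range, check which proftpd.conf the running daemon actually read and whether it was restarted after the edit; if the address mismatches, the daemon needs to advertise its public address (in proftpd that is the MasqueradeAddress directive). Only once both checks pass does the firewall's handling of the PassivePorts range come into question.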
- Follow-Ups:
  - Re: Linux Passive FTP Configuration, From: Pascal Hambourg
- References:
  - Linux Passive FTP Configuration, From: Fountain_spray