Re: Linux Passive FTP Configuration
- From: Fountain_spray <fountain_spray@xxxxxxxxx>
- Date: Thu, 10 Jul 2008 06:15:55 -0700 (PDT)
On Jul 10, 4:42 am, Pascal Hambourg <boite-a-s...@xxxxxxxxxxxxxxx>
wrote:
> Hello,
>
> Fountain_spray wrote:
>> I am using RedHat Legacy Linux 7.2 on each of two servers.
>> Server A intends to invoke an FTP client to transfer a file to/from
>> the FTP daemon on Server B.
>> The FTP daemon is running proftpd 1.2.2.
>> The FTP file transfer must be done in passive mode, not active mode.
>> Passive FTP is problematic. The firewall must be opened to a
>> restricted range of high-numbered ports > 1023.
>
> Do you mean problematic in general or problematic in your specific
> situation? Passive and active modes are equally problematic in general,
> as they are symmetric.
>
> [...]
>
>> That is, does Linux implement its own firewall in software, and could
>> this supersede or block the actions of the network firewall?
>
> Linux has IP filtering capabilities. Its actions cascade with those of
> the network firewall.
>
>> What is /sbin/iptables and how do I configure it? That file is in
>> binary.
>
> /sbin/iptables is the userland tool used to manage the rules enforced by
> the packet filter in kernels 2.4 and 2.6. Read man iptables.
>
>> What is /etc/sysconfig/ipchains and where can I learn about it? How
>> do I edit it? I have used vi.
>
> /etc/sysconfig/ stuff is RedHat specific. ipchains is the old tool used
> to manage the rules enforced by the packet filter in kernel 2.2.
> What is the kernel version?
>
>> Also, as we are using proftpd, modified /usr/local/etc/proftpd.conf to
>> add this statement:
>> [...]
>> PassivePorts 8000 8299
>> ftp> dir
>> ---> PASV
>> 227 Entering Passive Mode (1xx,2x,2x,3x,15,87). (*** X's added as a
>> mask by me, for security. ***)
>> ftp: connect: Connection refused
>> I am asking our Network Firewall Administrator for a sniffer trace.
>> This is delayed and I cannot
>
> Can't you do a sniffer trace on both servers?
>
>> 15*256 + 87 = 3927.
>> Okay, so why is this not in the range 8000 - 8299 as coded in the
>> PassivePorts statement?
>
> Did you restart proftpd so the change is taken into account?
>
>> Also, we have ping disabled. Could that be disabling
>> passive FTP as well?
>
> No, they are totally unrelated.
Thank you, Pascal (Great name!), for the courtesy of your reply.
Now, replying to your replies:
1. Passive mode FTP is problematic in my specific situation.
2. So Linux IP filtering is effectively "AND'ed" with the network
firewall?
3. I am now reading man iptables. We also have man ipchains.
Reading both. I would rather these did not exist;
they complicate the task of enabling passive FTP immensely.
4. How can I tell what RH kernel I have?
5. I have not been able to get our Network Firewall Administrator to
do a sniffer trace on one server, let alone two.
I shall ask him to trace both Server A and Server B simultaneously.
6. Yes, I did restart proftpd on both Server A and Server B, and
still the PassivePort range is not used. Why?
I defined the same PassivePort range on both servers. Bad idea?
7. Glad to hear that a disabled ping is independent of enabling
passive FTP.
So, I am in a quandary.
If anyone has the magic bullet that will enable passive FTP, please
post.
Fountain_spray
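The port arithmetic quoted in the thread (15*256 + 87 = 3927) and the question of whether the server is honouring `PassivePorts 8000 8299` can be checked mechanically from the 227 reply. The following is an added example, not code from this thread or from proftpd: a small Python parser for the `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply that computes the data port, reports whether it lies inside the configured PassivePorts range, and optionally flags a reply that advertises a different address than the control connection peer (a common symptom behind NAT). The sample replies, the 192.168.1.20 address and the `expected_host` parameter are constructed assumptions for the example.

```python
import re

# A 227 reply carries six comma-separated decimal fields in parentheses:
# four for the IPv4 address and two for the port (port = p1 * 256 + p2).
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line):
    """Return (host, port) from a 227 reply line; raise ValueError otherwise."""
    m = PASV_RE.search(line.strip())
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply: %r" % line)
    fields = [int(x) for x in m.groups()]
    # Each field is one octet; anything above 255 is a malformed reply.
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in PASV reply: %r" % line)
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return host, port


def check_pasv(line, low=8000, high=8299, expected_host=None):
    """Parse a 227 reply and report whether it matches the configured
    PassivePorts range (default: the 8000-8299 range from the thread) and,
    if expected_host is given, whether the advertised address matches the
    control-connection peer."""
    host, port = parse_pasv_reply(line)
    problems = []
    if not (low <= port <= high):
        problems.append("port %d outside PassivePorts %d-%d" % (port, low, high))
    if expected_host is not None and host != expected_host:
        problems.append("advertised host %s != control peer %s" % (host, expected_host))
    return {"host": host, "port": port, "in_range": low <= port <= high,
            "problems": problems}


if __name__ == "__main__":
    # Constructed sample replies (not real captures): the first reproduces the
    # thread's p1=15, p2=87 case, the second is a reply that honours the range.
    samples = [
        "227 Entering Passive Mode (192,168,1,20,15,87).",
        "227 Entering Passive Mode (192,168,1,20,31,80).",
    ]
    for s in samples:
        print(s, "->", check_pasv(s, expected_host="192.168.1.20"))
```

Running this against the first sample reports port 3927 outside the configured range, which is exactly the mismatch the thread describes; the second sample yields 31*256 + 80 = 8016 and passes. A non-empty `problems` list for the server's replies after a restart points at the configuration not being loaded (wrong file, a later directive overriding it, or a `<VirtualHost>` block that lacks its own `PassivePorts`), while an empty list shifts the investigation to the firewall rules between the two servers.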