
Re: Firewall issues with setting up vsftp server



Terry,
Did you get this working?
FTP protocol uses port 21 for the control connection (sending commands like cd, mkdir, etc.) and also uses port 20 for the data connection in "active mode". There was a problem using active mode: the server makes the data connection back to the client. As soon as firewalls were invented to protect the "client" machines, everyone's ftp data sessions wouldn't work. So enters passive (PASV) ftp mode. In passive mode the server selects and tells the client machine a random high-numbered port to connect to for the data session. Your data connections are timing out because the firewall isn't open on those random high-numbered ports. There is an iptables kernel module to maintain passive ftp state. Try doing an 'insmod ftp_conntrack_ftp' and see if it helps.
good luck,
chrisj


Terry Linhardt wrote:

I am attempting to set up an ftp server on an internal network. (All hosts are 192.168.1.*) I am using vsftp, but stumbling over an iptables related issue. Also, this is Fedora Core 3.

vsftp is running as a stand-alone daemon. I used the "security level" icon to permit ftp traffic on the server. At that point I CAN connect from a remote client to the ftp server. I can login properly. I can cd to a directory of choice. However, as soon as I try to download data (or even do an ls), I get a message of "entering passive mode" and then "no route to host" error message. This problem can be eliminated by going to /etc/rc.d/init.d and doing an "iptables stop", which turns off all firewall features. However as soon as I reactivate the iptables I once again get the "no route to host" message when I try to transfer data.

I am guessing that I am getting blocked by a closed port. I've done some research, and generally understand the concept, but don't understand how to get past what appears to be a closed port issue without opening up a large range of ports. While that may not be distasteful on my private network, it is not desirable if I eventually make this machine available to the outside world.

Any guidance would be appreciated.

Thanks...Terry



--
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.296 / Virus Database: 265.5.4 - Release Date: 12/15/2004
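As an added illustration of chrisj's explanation (this is example code written for this page, not something posted in the thread), the script below decodes a `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply the way an FTP client does, so you can see which port the data connection will actually hit, and then checks that port against a vsftpd configuration that pins passive data ports to a small range with `pasv_min_port` / `pasv_max_port` (real vsftpd.conf options). That answers Terry's concern about having to open "a large range of ports": constrain the server to a narrow range and open only that range on the firewall. The sample config, the sample server replies and the iptables rule strings are constructed for this example; nothing here is taken from Terry's machine.

```python
import re

# Constructed vsftpd.conf fragment (assumption: the admin restricts passive ports).
SAMPLE_VSFTPD_CONF = """\
listen=YES
pasv_enable=YES
# keep the passive data ports inside a narrow, firewallable window
pasv_min_port=50000
pasv_max_port=50100
"""

# Constructed server replies, as a client would read them on the control channel.
SAMPLE_PASV_REPLIES = [
    "227 Entering Passive Mode (192,168,1,10,195,88).",   # inside the window
    "227 Entering Passive Mode (192,168,1,10,129,200).",  # outside the window
]

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) announced in a 227 reply; port = p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a PASV reply: %r" % reply)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("malformed PASV tuple: %r" % reply)
    host = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return host, port


def passive_range(conf_text):
    """Read pasv_min_port/pasv_max_port from a vsftpd.conf text.

    Returns None if passive mode is disabled. A value of 0 (vsftpd's default)
    means vsftpd lets the kernel pick any unprivileged port, which is exactly
    the situation chrisj describes: the firewall cannot know which port to open.
    """
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    if opts.get("pasv_enable", "YES").upper() != "YES":
        return None
    lo = int(opts.get("pasv_min_port", "0"))
    hi = int(opts.get("pasv_max_port", "0"))
    if lo == 0 or hi == 0:
        return (1024, 65535)  # unrestricted: any ephemeral port
    return (lo, hi)


def pasv_port_in_range(reply, conf_text):
    """True if the port the server announced is inside the configured window."""
    _, port = parse_pasv(reply)
    rng = passive_range(conf_text)
    return rng is not None and rng[0] <= port <= rng[1]


def iptables_rules(conf_text):
    """Rule lines (iptables-restore style, constructed) that admit the control
    port, the pinned passive window and replies to established connections."""
    rng = passive_range(conf_text)
    rules = ["-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
             "-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT"]
    if rng is not None:
        rules.append("-A INPUT -p tcp --dport %d:%d -m state --state NEW -j ACCEPT"
                     % rng)
    return rules


if __name__ == "__main__":
    for reply in SAMPLE_PASV_REPLIES:
        host, port = parse_pasv(reply)
        print("%s -> data connection to %s:%d, allowed=%s"
              % (reply, host, port, pasv_port_in_range(reply, SAMPLE_VSFTPD_CONF)))
    print("\n".join(iptables_rules(SAMPLE_VSFTPD_CONF)))
```

With the FTP connection-tracking helper loaded, the `ESTABLISHED,RELATED` rule alone would let the data connection through, because the helper reads the 227 reply on the control channel and marks the incoming data connection as related; the explicit port-window rule is the fallback that still works when the helper is absent or the control channel is encrypted so the helper cannot read it.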

