#1
18-May-2007, 09:54
a-vince

Hello all,

I have a problem with transferring some files via ftp from a server.

The problem seems to be that the server does not allow passive ftp; on the other hand, my machine - the client - does not allow active ftp when the default firewall rules are active (see, for instance here)

My solution at the moment is to enable active ftp by setting this variable in file /etc/sysconfig/SuSEfirewall2:

Quote:
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
However, the comments in that file about this kind of settings are the following:

Quote:
# Note: Use of this variable is deprecated and it will likely be
# removed in the future. If you think it should be kept please
# report your use case at
# http://forge.novell.com/modules/xfmo...?susefirewall2
Actually, I do not need to always use active ftp: I only need it for that specific server. So, it would be nice if I found an alternative way other than indiscriminately opening unprotected ports (above 1023) for ftp connections with any server.

Since I'm quite new to configuring the firewall, I'm wondering whether somebody has some suggestions on how to allow active ftp with a specific IP address only (i.e., with the address of the server I was mentioning).


Thanks.

Vincenzo
#2
18-May-2007, 10:24
microchip

vsftpd supports passive mode, look at the option pasv_enable= in /etc/vsftpd.conf

also you might wanna load some NAT modules if you're behind a firewall... they are ip_conntrack_ftp and ip_nat_ftp

also, take a look here: http://www.linuxquestions.org/questions/sh...ad.php?t=200318
#3
18-May-2007, 11:35
a-vince

Quote:
vsftpd supports passive mode, look at the option pasv_enable= in /etc/vsftpd.conf

also you might wanna load some NAT modules if you're behind a firewall... they are ip_conntrack_ftp and ip_nat_ftp

also, take a look here: http://www.linuxquestions.org/questions/sh...ad.php?t=200318
Hmmm, not sure how vsftp would help in this case: as I understand it, it's the server to where I want to connect that forbids passive ftp, not my machine.

In other words, the server from where I want to download the data I need, refuses to open ports above 1024 for data transfer, after the initial connection to port 20 or 21 (I believe that is what is called "passive ftp", correct?).

On the other hand, because of the default settings of firewall in openSUSE 10.2, my laptop too refuses to open ports above 1024 for data transfer (that should be "active ftp").

Now, I cannot ask the administrator of that remote server to change their policy, so I had to give way and allow ftp-data connections to high ports on my laptop, the way I explained in my original post.

But perhaps I misunderstood your suggestions. If so, my apologies: once more, I'm quite new to this kind of security issue. Can you please elaborate a bit more?

Vincenzo

#4
18-May-2007, 11:46
microchip

ahh i misunderstood your original post.... so the remote server is running in passive mode, not your local FTP server (if you have one).. I'm not sure how the SUSE firewall can forbid data transfers above port 1024, i have no issues with it here.... i can run successfully torrents (= data transfers) above port 1024

dunno really how to solve your problem though, i have to look on this one myself
#5
18-May-2007, 12:27
a-vince

Quote:
ahh i misunderstood your original post.... so the remote server is running in passive mode, not your local FTP server (if you have one).. I'm not sure how the SUSE firewall can forbid data transfers above port 1024, i have no issues with it here.... i can run successfully torrents (= data transfers) above port 1024

dunno really how to solve your problem though, i have to look on this one myself
Well, in fact I do not run a server. I am merely trying to get in sync with a large repository of scientific software I need for my job.

Thanks for looking into this problem, though.

Just in case, here is the firewall setup as specified in /etc/sysconfig/SuSEfirewall2 (non null settings only, and MAC addresses removed):

Quote:
FW_DEV_EXT="any eth-.. wlan-..."
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP="ipp ntp"
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_BROADCAST_EXT="ipp ntp"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_REJECT_INT="yes"
FW_IPSEC_TRUST="no"
As I said, setting the right value for FW_ALLOW_INCOMING_HIGHPORTS_TCP did the trick, but some think it's a security issue. That's why the default value is the null string in openSUSE 10.2, I believe.

I also tried setting FW_TRUSTED_NETS, to no avail...


Cheers,

Vincenzo

#6
18-May-2007, 12:48
broch

Quote:
On the other hand, because of the default settings of firewall in openSUSE 10.2, my laptop too refuses to open ports above 1024 for data transfer (that should be "active ftp").
no it does not. with ports > 1024 closed you would not be able to connect to the internet at all.

#7
19-May-2007, 10:29
a-vince

Quote:
no it does not. with ports > 1024 closed you would not be able to connect to the internet at all.
That may well be true, broch, but I did not state that my laptop has all ports > 1024 closed.

I only stated that my laptop does not open the necessary (dynamical) high port required for an active ftp transaction.

Well, of course, I may have in mind a wrong definition of active ftp, and so I may have diagnosed the problem incorrectly.

So, if you have a better definition of active ftp, or a better idea of what kind of problem I am experiencing, I would very much like to hear it.

Vincenzo
#8
20-May-2007, 22:46
broch

I am sorry for the mistake.
Can you point to the ftp server that is causing you this trouble?
#9
22-May-2007, 03:45
a-vince

Quote:
I am sorry for the mistake.
Can you point to the ftp server that is causing you this trouble?
I'm afraid I am not allowed to post this kind of information on a public forum. I too would love to know why that server is so "unfriendly".

On the bright side (for me), I found out that the other mirror site for the same software repository does allow passive ftp connections. So I no longer need to change the configuration of the firewall.

I am still curious, though, whether it's actually possible to configure the firewall of my machine (the client) so that it only uses passive ftp connections, except for a specific set of (troublesome) servers.

Just a theoretical question for me now, but perhaps it might be of interest for others too (I've found some complaints on the default closure of active ftp connections in openSUSE > 10 here)


Vincenzo
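The per-server alternative the thread keeps asking about, as an added example that is not code from any post here or from the SuSEfirewall2 project: a custom-rule hook that admits active-FTP data connections from one server only, plus a small policy model contrasting it with the global FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data" setting. The hook file path, the hook function name, the FW_CUSTOMRULES variable and the 192.0.2.10 address are assumptions.

```shell
#!/bin/sh
# Added example for this thread (not code from any post or from SuSEfirewall2):
# admit active-FTP data connections from ONE named server instead of the
# global FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data".
# Assumptions: SuSEfirewall2 sources this file as its custom hook when
# FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom" is set, and
# 192.0.2.10 stands in for the real server address.

FTP_SERVER="192.0.2.10"   # placeholder for the one server that refuses PASV
FTP_DATA_SPORT=20         # in active FTP the server connects FROM port 20
HIGH_PORTS="1024:65535"   # the client-side ephemeral port the server dials

# Build the iptables arguments for the per-server accept rule as a string,
# so the policy can be reviewed (and tested) without a live firewall.
active_ftp_rule() {
    printf '%s' "-A INPUT -p tcp -s $1 --sport $FTP_DATA_SPORT --dport $HIGH_PORTS -m state --state NEW --syn -j ACCEPT"
}

# Hook that SuSEfirewall2 runs before its own port handling (assumed name).
fw_custom_before_port_handling() {
    iptables $(active_ftp_rule "$FTP_SERVER")
    true
}

# Policy model: would an inbound SYN (src, sport, dport) be admitted?
# "blanket" is the original post's setting: any host that picks source
# port 20 for itself reaches every high port.  "perserver" is the rule above.
admits() {
    policy="$1"; src="$2"; sport="$3"; dport="$4"
    if [ "$sport" -ne "$FTP_DATA_SPORT" ] || [ "$dport" -lt 1024 ]; then
        echo DROP
        return 0
    fi
    case "$policy" in
        blanket)   echo ACCEPT ;;
        perserver) if [ "$src" = "$FTP_SERVER" ]; then echo ACCEPT; else echo DROP; fi ;;
        *)         echo DROP ;;
    esac
}
```

The blanket setting trusts a source port, which every remote host chooses for itself; the per-server rule still trusts a source address, so loading ip_conntrack_ftp (mentioned in post #2) so that data connections are accepted as RELATED to an existing control connection is the tighter option where the helper works.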