Thread: What settings are needed in the firewall to allow ftp?

  1. #1

    What settings are needed in the firewall to allow ftp?

    Hi Folks

    I've recently brought my operating system up to date (openSUSE 13.1 x86_64) and I'm now having problems with the firewall. I use FileZilla to connect by ftp to my websites but the firewall is preventing the data transfer. It seems to work OK with the firewall off. What settings should I use in the firewall to allow ftp through? My computer is on a LAN and my websites are hosted professionally.

    Thanks

    Schrod

  2. #2
    Join Date
    Oct 2011
    Location
    Germany (Ore Mountains)
    Posts
    459

    Re: What settings are needed in the firewall to allow ftp?

    You should configure your ftp client to use "passive" ftp.
    This way the client is creating all connections. It should work if the firewall does not block any outgoing traffic.

    Hendrik

  3. #3

    Re: What settings are needed in the firewall to allow ftp?

    FileZilla was configured to use passive and has been tried with active too but the data seems to be stuck behind the firewall. If I switch off the firewall, FileZilla will work in active but not reliably in passive. It logs in OK even with the firewall on but can't usually get the directory listings let alone down/upload anything.

    Still confused,

    Schrod

  4. #4
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Re: What settings are needed in the firewall to allow ftp?

    On 2014-05-17 21:36, Schrod wrote:
    >
    > FileZilla was configured to use passive and has been tried with active
    > too but the data seems to be stuck behind the firewall. If I switch off
    > the firewall, FileZilla will work in active but not reliably in passive.
    > It logs in OK even with the firewall on but can't usually get the
    > directory listings let alone down/upload anything.


    Passive mode is easy on the client firewall and difficult on the server
    firewall.

    Active mode is easy on the server firewall and difficult on the client
    firewall.

    If I got it right, I often confuse both.


    Typical susefirewall settings are:

    Code:
    FW_SERVICES_EXT_TCP="ftp ftp-data"
    
    
    FW_SERVICES_ACCEPT_RELATED_EXT="192.168.1.0/24,tcp,ftp \
    192.168.1.0/24,tcp,ftp-data"
    
    FW_TRUSTED_NETS="192.168.1.14,tcp,ftp  \
    192.168.1.45,tcp,ftp-data"
    
    FW_LOAD_MODULES="nf_conntrack_ftp"

    Try the last one first.


    --
    Cheers / Saludos,

    Carlos E. R.

    (from 13.1 x86_64 "Bottle" (Minas Tirith))

  5. #5
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    13,295
    Blog Entries
    2

    Re: What settings are needed in the firewall to allow ftp?


    Passive FTP?
    How about PASV FTP instead?

    Some fundamentals...
    Unlike most other protocols, FTP requires a minimum of 2 ports, the "Control" and the "Data".

    Active FTP only requires the Firewall to open the two standard ports 21 and 20.
    With PASV FTP, the same control port is used by all clients, but each client uses a different data port. This is why PASV FTP can be difficult to set up through a FW: you either have to open a range that is always open or the FW has to be smart enough (aka "stateful inspection") to open and close data ports as needed.

    When you configure a FW like SUSE FW, you can define your FTP ports either as a configured "service" or manually open ports. When you manually open ports, the ports are always open. Although I haven't checked, with IP Tables' relatively recent announcement for support for stateful inspection I would expect that configuring the FTP service would open and close data ports as needed.

    From the client side, some clients like web browsers typically (but not always) support both Active and PASV FTP... One would be tried and fallback to the other. Personally, I try to find out what is initially supported by default and don't rely on a successful fallback.

    Other clients can be explicitly configured to use either mode or only support one mode.

    HTH,
    TSU
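
What a stateful FTP helper such as the `nf_conntrack_ftp` module mentioned in post #4 has to read from the control connection in order to allow only the matching data connection, as an added example that is not part of any post in this thread. The session lines and the server address 203.0.113.10 are constructed, and the function names are hypothetical.

```python
import re

# PORT commands and 227 (PASV) replies carry h1,h2,h3,h4,p1,p2.
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# 229 (EPSV) replies carry only a port: (|||port|)
EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def expected_data_connection(line, client_ip, server_ip):
    """Return (initiator, src_ip, dst_ip, dst_port) for the data connection
    that one control-channel line announces, or None if it announces none."""
    line = line.strip()
    if line.startswith("229 "):
        m = EPSV.search(line)
        port = int(m.group(1)) if m else 0
        return ("client", client_ip, server_ip, port) if 0 < port <= 65535 else None
    passive = line.startswith("227 ")
    if not passive and not line.upper().startswith("PORT "):
        return None
    m = HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if max(nums) > 255:
        return None
    ip, port = ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    if port == 0:
        return None
    # Passive: the client dials the address the server announced.
    # Active: the server dials the address the client announced.
    return ("client", client_ip, ip, port) if passive else ("server", server_ip, ip, port)


# Constructed control-channel lines (not a capture from the thread).
SESSION = [
    "220 FTP server ready",
    "USER demo",
    "PASV",
    "227 Entering Passive Mode (203,0,113,10,195,80)",
    "PORT 192,168,1,14,200,21",
    "229 Entering Extended Passive Mode (|||50001|)",
]


def data_connections(session, client_ip="192.168.1.14", server_ip="203.0.113.10"):
    found = (expected_data_connection(l, client_ip, server_ip) for l in session)
    return [c for c in found if c]


if __name__ == "__main__":
    for conn in data_connections(SESSION):
        print("%s opens data connection %s -> %s:%d" % conn)
```

The data port is `p1 * 256 + p2`, so it changes with every transfer; a firewall that does not track the control channel can only cope by leaving a whole port range open.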
