FTP Passive mode via SuSeFirewall

HI!
I’ve got problems uploading files to a remote FTP server using passive mode with SuSEfirewall2 enabled (using 11.2).
I’ve disabled the firewall and everything went OK. Why does the firewall disable or terminate OUTGOING connections to a remote FTP server?? WTF?

The default firewall does not prevent outbound connections at all so make
sure you have not modified anything. I think every FTP transfer I’ve done
from my OpenSUSE 11.2 or SLED (10 or 11) workstation/laptop has been
Passive by default and they work with the default firewall in place.
Getting the output of the following command may show us how your rules are
set up:

sudo /usr/sbin/iptables-save

Good luck.

On 02/28/2010 04:06 PM, no-way wrote:

I’ve got vsftpd running on a local machine. Still the problem is in connecting to ANOTHER FTP server outside! Win7 is connecting, but Suse…

Here is what I’ve got:


unknown:/home/noway # iptables-save
# Generated by iptables-save v1.4.4 on Mon Mar  1 19:06:07 2010
*raw
:PREROUTING ACCEPT [10334:10624162]
:OUTPUT ACCEPT [8748:1055476]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Mon Mar  1 19:06:07 2010
# Generated by iptables-save v1.4.4 on Mon Mar  1 19:06:07 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5:200]
:forward_ext - [0:0]
:input_ext - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i eth0 -j input_ext
-A INPUT -i wlan0 -j input_ext
-A INPUT -i wmaster0 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m state --state RELATED -j ACCEPT
-A input_ext -p tcp -j ACCEPT
-A input_ext -p udp -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 19176 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 19176 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 9176 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 9176 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 21 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 30000:30100 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 30000:30100 -j ACCEPT
-A input_ext -p udp -m udp --dport 19176 -j ACCEPT
-A input_ext -p udp -m udp --dport 9176 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Mon Mar  1 19:06:07 2010


Your rules show nothing in the way. What about on your server side? Is
Windows using passive by default?

Good luck.

On 03/01/2010 09:16 AM, no-way wrote:
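To make the "nothing in the way" verdict concrete, here is an added example (not code from the thread) that parses an FTP 227 PASV reply into the data port and walks a reduced copy of the posted OUTPUT, INPUT and input_ext chains for the resulting passive data connection. The PASV reply, the interface name eth0 and the reduction of the rules to interface, protocol and conntrack state are assumptions made for the example.

```python
import re

# Constructed PASV reply in RFC 959 "227" format; not from the thread.
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,117,48)"

def parse_pasv(reply):
    """Return (host, port) from a 227 reply; the data port is p1*256 + p2."""
    m = re.match(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a PASV 227 reply")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

# The poster's filter chains reduced to interface, protocol and conntrack
# state (LOG rules are non-terminating and omitted). Rule = (matches, target).
CHAINS = {
    "OUTPUT": [({"iface": "lo"}, "ACCEPT"),
               ({"state": {"NEW", "RELATED", "ESTABLISHED"}}, "ACCEPT")],
    "INPUT": [({"iface": "lo"}, "ACCEPT"),
              ({"state": {"ESTABLISHED"}}, "ACCEPT"),
              ({"proto": "icmp", "state": {"RELATED"}}, "ACCEPT"),
              ({}, "input_ext"),
              ({}, "DROP")],
    "input_ext": [({"proto": "tcp", "state": {"RELATED"}}, "ACCEPT"),
                  ({"proto": "tcp"}, "ACCEPT"),
                  ({"proto": "udp"}, "ACCEPT"),
                  ({}, "DROP")],
}
POLICY = {"OUTPUT": "ACCEPT", "INPUT": "DROP"}  # built-in chain policies

def verdict(chain, pkt):
    """First matching rule wins and jumps into user chains are followed.
    Every user chain above ends in DROP, so POLICY only matters for built-ins."""
    for rule, target in CHAINS[chain]:
        if all(pkt.get(k) in v if k == "state" else pkt.get(k) == v
               for k, v in rule.items()):
            return verdict(target, pkt) if target in CHAINS else target
    return POLICY[chain]

def passive_data_connection(reply, iface="eth0"):
    """Verdicts for the client's outbound SYN to the PASV port (a NEW
    connection in OUTPUT) and the server's SYN/ACK, which conntrack has
    already tied to that connection (ESTABLISHED in INPUT)."""
    host, port = parse_pasv(reply)
    syn = {"iface": iface, "proto": "tcp", "state": "NEW"}
    synack = {"iface": iface, "proto": "tcp", "state": "ESTABLISHED"}
    return host, port, verdict("OUTPUT", syn), verdict("INPUT", synack)
```

Both legs of the passive data connection come back ACCEPT, which is why the poster's iptables rules cannot be what blocks the upload; the FTP conntrack helper only becomes necessary for active mode, where the server opens the data connection towards the client.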

Yep! From Windows using FileZilla, even with passive mode set, FTP connects to the same server outside, whereas Suse does not. On Suse I also tried Krusader and FileZilla.

The server to which I connect is on Debian and configured properly.
Any ideas?

Get a LAN trace from one of the sides, then compress and post it here;
only transfer a small file, please:

sudo /usr/sbin/tcpdump -s 0 -w /tmp/cap0.cap

Good luck.

On 03/01/2010 10:56 AM, no-way wrote:

Really strange, but it began working! I did not do anything. Thx for the help!

Well I’m glad it’s working, but you may want to do a thorough once-over of
your network and server. This should (and does) work out of the box so
whatever was causing it may magically come back as quickly as it left.

Good luck.

On 03/01/2010 02:26 PM, no-way wrote: