OpenSuse blocking filezilla

thatblokefromstoke · April 26, 2011, 2:38pm

Has anyone had any problems with Filezilla in OpenSuse?

I obviously a noob to Suse but after installing 11.4, and filezilla, i cant connect to my ftp server.
Ive opened ports 21 22 and 990 explicitly in the firewall and all I get is a 425 error Cant Retrieve Directory Listing. It logs me in ok but doesnt allow data connections?

Have I missed something fundamental during the installation of suse? Ive been on this for two days now.
Any help much apreciated.
Thanks

dragonbite · April 26, 2011, 3:02pm

What about Port 47?

So you are getting connected, but cannot navigate the directory and you could with what before (Windows? previous openSUSE?).

I don’t know if samba-client is required in this situation. I know when I am looking at my file server, before I install samba-client I get no connection or blank listing of contents. It may be a long shot in this case, though.

isemionov · April 26, 2011, 4:41pm

What FTP server you’re using?
Did you configured it with Yast?
Did you try passive mode?

user · April 26, 2011, 5:34pm

On 26/04/11 15:06, thatblokefromstoke wrote:
>
> Has anyone had any problems with Filezilla in OpenSuse?
>
> I obviously a noob to Suse but after installing 11.4, and filezilla, i
> cant connect to my ftp server.
> Ive opened ports 21 22 and 990 explicitly in the firewall and all I get
> is a 425 error Cant Retrieve Directory Listing. It logs me in ok but
> doesnt allow data connections?
>
> Have I missed something fundamental during the installation of suse?
> Ive been on this for two days now.
> Any help much apreciated.
> Thanks
>
>

check filezilla log file. Bear on mind that latest filezilla versions
use the MLST and MLSD as default for directory listing. There are some
proxy/ftp servers that do not understand this commands hence the error
as filezilla is not falling back to the standard LIST command. There are
a lot of discussions about that on the filezilla forums to at least
allow to configure the command or fail back to the LIST if MLST and MLSD
fail.

gonzalo

ken_yap · April 26, 2011, 6:04pm

Not being able to open a data connection while the firewall is active is typical of no connection tracking for FTP because the firewall has to parse the command stream to know the port to open dynamically for the data connection. Make sure you have loaded the iptables module nf_conntrack_ftp.

thatblokefromstoke · April 27, 2011, 4:15pm

Hi thanks for the quick reply, The remote ftp server is Windows NT in active mode only.
Ive tried different configs with the suse firewall (in Yast) but i have no clue what the right settings should be,
Passive mode isnt supported on the ftp server

Ive narrowed this down the the suse firewall but i dont know the correct settings

thatblokefromstoke · April 27, 2011, 4:19pm

are iptables custom rules for the firewall? if so can this be done in yast instead?
Thanks

thatblokefromstoke · April 27, 2011, 4:21pm

\dragonbite
hi i already see the samba server and client in the allowed services list so im assuming that its already enabled/installed
Thanks

ken_yap · April 27, 2011, 4:46pm

I don’t use SuSEfirewall2, at least not on machines that offer FTP, so I don’t know. I suspect that using the YaST config tool for FTP service might handle this. You should look into that.

thatblokefromstoke · April 27, 2011, 4:52pm

how do i load the iptables module?
Thanks

robin_listas · April 27, 2011, 9:50pm

On 2011-04-27 16:36, thatblokefromstoke wrote:

> are iptables custom rules for the firewall? if so can this be done in
> yast instead?

It meant in susefirewall opening ftp and ftp-data, IIRC.

But it perhaps it simply needs adjusting “FW_LOAD_MODULES” or
“FW_SERVICES_ACCEPT_RELATED_EXT”.

Run “lsmod | grep trac”, you should see nf_conntrack and another for ipv4 & 6.

–
Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

isemionov · April 28, 2011, 8:15am

then try:

disable firewall in openSUSE machine at all
ensure that between openSUSE and FTP server there is no any other firewall for example on the router(or on windows machine too, i.e. disable windows firewall)
try an ftp client locally on ftp server (windows) if it doesn’t work the something is wrong with ftp server
try to make an ftp connection with other client than filezilla for example with simple ftp command from command line.

If it will work from command line from openSUSE machine then something is wrong with filezilla.

thatblokefromstoke · April 28, 2011, 11:11am

Hi Ive disabled the firewall and i can access the FTP server remotely with filezilla, i dont have local access as its part of my web hosting. I think i just need to correctly allow ftp through the firewall, preferably through yast, (because im a noob). The problem is that i dont see anything to do with FTp in the allowed services dropdown list?

ken_yap · April 28, 2011, 11:18am

Did you install the package for configuring FTP via YaST, yast2-ftp-server?

thatblokefromstoke · April 28, 2011, 11:19am

Hi - Ive run lsmod and can see nothing to do with nf_conntrack or the ipv4/6,
I just get a list of hardware, grep trac does nothing from my terminal, ive tried them as separate commands and together.

“But it perhaps it simply needs adjusting “FW_LOAD_MODULES” or
“FW_SERVICES_ACCEPT_RELATED_EXT”.”---------------------------------this means absolutely nothing to me, is this to be inoutted in the terminal, and if so , with what parameters?
Thanks for your help

thatblokefromstoke · April 28, 2011, 11:23am

Hi, no i didnt think that i needed to as the server is remote not local, do i still need this package?

ken_yap · April 28, 2011, 12:04pm

You can still use YaST remotely with the ncurses interface. That module should know about inserting the right firewall rules, since you’re not up to editing the firewall rules yourself.

robin_listas · April 28, 2011, 1:03pm

On 2011-04-28 12:06, ken yap wrote:
> You can still use YaST remotely with the ncurses interface.

It is a remote windows server serving ftp active mode.
YaST ftp server module will not help at all on the client machine.

–
Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

ken_yap · April 28, 2011, 1:09pm

Ah ok I missed that. Get rid of that stupid FTP server software and find something better if it can’t handle passive mode clients. It’s very problematic to clients to use active mode. An active mode client has to allow connections inwards on arbitrary ports. As you can imagine this gives security people the shudders.

Forget about nf_conntrack_ftp then. That’s meant for Linux FTP servers behind a Linux iptables firewall to allow them to handle passive mode clients.

ken_yap · April 28, 2011, 1:20pm

Here’s a brief explanation of how active and passive mode work. These are the conversations on the control connection:

Active mode:

C: Hello, I’m user/password and I want active mode
S: Welcome, please tell me what data port you are listening on
C: The port is P
S: Makes a data connection to C at port P

In active mode, the client has to allow incoming access on port P. This is already an issue and even more so if C is behind a separate router/firewall.

Passive mode:

C: Hello, I’m user/password and I want passive mode
S: Welcome, I am listening for data on port P
C: Makes a data connection to S at port P

So in passive mode, the conntrack module watches the data connection and allows access through the firewall for C on port P.

This is actually simplified. The port negotiations are actually done for every file transfer. Directory listings are not file transfers, the information is sent on the control connection. So the typical symptom of data port problems is that you can list the directory but not fetch or send files.