OpenSuse blocking filezilla

Thanks ken_yap, that's given me a much better understanding of the two different modes, but since disabling my local firewall removes the problem, I'm certain I just need to apply the correct rule to allow FTP connections IN to FileZilla. I have full access to the local machine, so can't I just add a custom rule in the YaST firewall?
The remote host is a shared web hosting environment using 1 IP for up to 10 sites, including FTP and mail for each site.

Or can I set up a VPN or similar to allow everything from the remote IP? Would this be safe? (I'm assuming not.)

Thanks again

On 2011-04-28 11:36, thatblokefromstoke wrote:

>> Run “lsmod | grep trac”, you should see nf_conntrack and another for
>> ipv4 & 6.
>
> Hi - I've run lsmod and can see nothing to do with nf_conntrack or the
> ipv4/6,
> I just get a list of hardware, grep trac does nothing from my terminal,
> I've tried them as separate commands and together.

It is “lsmod | grep trac”, and there is a vertical bar in the middle you
have to type as well. That’s a pipe.

> “But it perhaps it simply needs adjusting “FW_LOAD_MODULES” or
> “FW_SERVICES_ACCEPT_RELATED_EXT”.” This
> means absolutely nothing to me, is this to be inputted in the terminal,
> and if so, with what parameters?

You have to edit the firewall configuration, file
/etc/sysconfig/SuSEfirewall. It is a text file full of comments that
explain it all.

I think what you need is:

FW_LOAD_MODULES="nf_conntrack"

but you may also need FW_SERVICES_ACCEPT_RELATED_EXT, and here I don’t know
what you should put. The syntax is like this:

FW_SERVICES_ACCEPT_RELATED_EXT="0/0,tcp,20000:21000"

but the range depends on the server, IIRC.

The problem started with a change documented here:
http://www.suse.com/relnotes/i386/openSUSE/11.0/RELEASE-NOTES.en.html#10

From the wikipedia:

http://en.wikipedia.org/wiki/Ftp

+++················
FTP can be run in active or passive mode, which determine how the data
connection is established. In active mode, the client sends the server the
IP address and port number on which the client will listen, and the server
initiates the TCP connection. In situations where the client is behind a
firewall and unable to accept incoming TCP connections, passive mode may be
used. In this mode the client sends a PASV command to the server and
receives an IP address and port number in return. The client uses these to
open the data connection to the server.[3] Both modes were updated in
September 1998 to add support for IPv6. Other changes were made to passive
mode at that time, making it extended passive mode.[5]
················+++

Active mode is easy to configure on the server firewall, difficult on the
client - as you are experiencing.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

You had mentioned previously about ports 20 and 21, but did you ever look at port 47?

The problem is that since the client software could choose any port, you potentially have to allow any incoming port. There may be some way in the FileZilla client to narrow the range of ports chosen. But as mentioned, active mode is also problematic for users who are behind NAT routers.

If possible you should not even use FTP but SFTP (over ssh) or FTPS because passwords go in plaintext over FTP.

If you are looking for a server to run under Windows, the filezilla project has one.

Hello, then yes. But as the data port is random, the only simple possibility with the Yast firewall module I know of is to allow all incoming TCP traffic from that FTP server. This can be done in the custom rules section (you add the IP of the FTP server without indicating source and destination port).

here is an example:
let’s suppose that ip address of ftp server is 192.168.1.56. The next rule will allow all tcp traffic from FTP server’s ip address, so you should trust this ip in this case.
https://lh6.googleusercontent.com/_9oMjyDFlkqc/Tbm_hvnmpWI/AAAAAAAAABc/e2ZVgTAJrok/openSUSEFirewall3.jpeg

Or you can open for this IP only ports > 1023 (which are used for the data connection): https://lh4.googleusercontent.com/_9oMjyDFlkqc/TbnDUoMoxsI/AAAAAAAAABk/TubMBmwEAOM/openSUSEFirewall4.jpeg

Custom Rules
Here you can set special firewall rules that allow new connections matching these rules.
Source Network
Network or IP where the connection comes from, e.g., 192.168.0.1 or 192.168.0.0/255.255.255.0 or 192.168.0.0/24 or 0/0 (which means all).
Protocol
Protocol used by that packet. Special protocol RPC is used for RPC services.
Destination Port
Port name, port number or range of ports that are allowed to be accessed, e.g., smtp or 25 or 100:110. In case of RPC protocol, use the RPC service name. This entry is optional.
Source Port
Port name, port number or range of ports where the packet originates from. This entry is optional.

On 2011-04-28 13:36, thatblokefromstoke wrote:
> Thanks ken_yap, thats given me a much better understanding of the two
> different modes, but since disabling my local firewall removes the
> problem, im certain i just need to apply the correct rule to allow ftp
> connections IN to filezilla. I have full access to the local machine so
> cant i just add a custom rule in the yast firewall?

I have to try ftp from another linux machine to this one, in passive mode.
I’ll see if it works and what to open. I can’t do that just now, but I
think it should just work. I’ll try tomorrow if I can.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

Hello, Carlos,

As I understood, he needs it vice versa, i.e. to work only in active mode, as the FTP server does not allow passive mode. And in this case he needs to open on his local machine only TCP ports bigger than 1023 for the FTP server's IP. This can be done with a custom rule in Yast firewall; I gave an example, and by the way the source port can also be indicated: 20.

On 2011-04-29 10:50, Carlos E. R. wrote:

> I have to try ftp from another linux machine to this one, in passive mode.
> I’ll see if it works and what to open. I can’t do that just now, but I
> think it should just work. I’ll try tomorrow if I can.

I could not connect. I asked on the mail list, and got a hint (Per Jessen)
that worked, partially, after several tests between two linux machines (local).

I changed these two entries on both client and server machines:

FW_SERVICES_ACCEPT_RELATED_EXT="192.168.1.0/24,udp,137
192.168.1.0/24,tcp,ftp 192.168.1.0/24,tcp,ftp-data"

FW_LOAD_MODULES="nf_conntrack_netbios_ns nf_conntrack_ftp"

With that, I could connect in passive mode, but not in extended passive
mode. Active mode I could not test; the client I used doesn't have the
option, or I did not find it.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

On 2011-04-28 13:36, thatblokefromstoke wrote:
> or can i set up a vpn or similar to allow everything from the remote
> ip? would this be safe? (im assuming not)

Do you have ssh? Then you also have sftp. That would be the best thing.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

Thanks for all your help guys, I've managed to add the custom rule in yast and it seems to be working fine now (if not a little slow).
As I'm stuck with the FTP server for now, I'll have to keep using active mode, but I'll be switching providers as soon as I find a better one.

You've all been a great help with easing me into Linux.
Much appreciated :)

On 2011-05-01 05:38, Carlos E. R. wrote:

I changed this:


FW_SERVICES_ACCEPT_RELATED_EXT="192.168.X.0/24,udp,137  \
192.168.X.0/24,tcp,ftp  192.168.X.0/24,tcp,ftp-data"

#Server:
FW_TRUSTED_NETS="192.168.X.Y,tcp,ftp    192.168.X.Y,tcp,ftp-data
192.168.X.Y,tcp,30000:30100"

#Client
FW_TRUSTED_NETS="192.168.X.Y,tcp,ftp    192.168.X.Y,tcp,ftp-data"


FW_LOAD_MODULES="nf_conntrack_netbios_ns  nf_conntrack_ftp"

With that it works in both passive and extended modes. I could not try
active mode, the client I used doesn’t seem to have that mode.

My guess is that for active mode, if the conntrack module does not work, it
would work by adding a bunch of ports (30000:30100) on the client side, provided
you can configure the client to only use those.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)
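As an added example (not code from this thread, from openSUSE or from SuSEfirewall2 itself), the following POSIX shell script takes entries in the net,proto,dport[,sport] form seen in the FW_TRUSTED_NETS and FW_SERVICES_ACCEPT_RELATED_EXT values posted above, prints the iptables INPUT rule each entry corresponds to, and flags entries that are wider than "this one FTP server, these ports". That covers both the YaST custom-rule post (all TCP from the server's address versus ports above 1023 with source port 20) and the config-file entries in the later posts. The field order is taken from the thread's own entries and assumed to hold in general; the sample entries reuse the 192.168.1.56 address from the earlier example; the function names are chosen here. The script only prints rules and never touches the running firewall.

```shell
#!/bin/sh
# Added example, not from the thread or from SuSEfirewall2.
# Translates "net,proto,dport[,sport]" entries (field order assumed from the
# FW_TRUSTED_NETS / FW_SERVICES_ACCEPT_RELATED_EXT values in the thread)
# into the iptables INPUT rule each one stands for, and flags entries whose
# scope is wider than a single host restricted to specific ports.
# It only prints rules; it never changes the running firewall.

# Constructed sample: the FTP server address from the thread's example.
# Control connection, ftp-data, and active-mode data connections from the
# server's port 20 to the client's unprivileged ports.
SAMPLE_ENTRIES="192.168.1.56,tcp,ftp 192.168.1.56,tcp,ftp-data 192.168.1.56,tcp,1024:65535,20"

# field ENTRY N: print comma-separated field N, empty if the field is absent
# (-s also makes an entry with no comma at all yield nothing).
field() {
    printf '%s' "$1" | cut -s -d, -f"$2"
}

# entry_to_rule ENTRY: print the equivalent iptables rule, or fail on a
# malformed entry. Service names such as ftp/ftp-data are passed through;
# iptables resolves them via /etc/services.
entry_to_rule() {
    net=$(field "$1" 1)
    proto=$(field "$1" 2)
    dport=$(field "$1" 3)
    sport=$(field "$1" 4)
    if [ -z "$net" ]; then
        echo "entry_to_rule: missing source network in '$1'" >&2
        return 1
    fi
    case "$proto" in
        tcp|udp) ;;
        *) echo "entry_to_rule: unsupported protocol '$proto' in '$1'" >&2; return 1 ;;
    esac
    rule="iptables -A INPUT -s $net -p $proto"
    if [ -n "$sport" ]; then rule="$rule --sport $sport"; fi
    if [ -n "$dport" ]; then rule="$rule --dport $dport"; fi
    echo "$rule -m state --state NEW -j ACCEPT"
}

# is_wide_open ENTRY: exit 0 when the entry admits more than one source host
# or names no destination port at all, i.e. it is broader than the
# "only this FTP server, only these ports" custom rule from the thread.
is_wide_open() {
    net=$(field "$1" 1)
    dport=$(field "$1" 3)
    case "$net" in
        */0)  return 0 ;;   # 0/0 style "all" source networks
        */32) ;;            # an explicit /32 is still one host
        */*)  return 0 ;;   # any other prefix or netmask covers several hosts
    esac
    [ -z "$dport" ]         # one host, but every port: still wide
}

# count_wide "ENTRY ENTRY ...": print how many entries is_wide_open flags.
count_wide() {
    n=0
    for e in $1; do
        if is_wide_open "$e"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# print_rules "ENTRY ENTRY ...": one iptables line per entry, with a
# "# WIDE:" marker in front of entries that deserve a second look.
print_rules() {
    for e in $1; do
        if is_wide_open "$e"; then printf '# WIDE: '; fi
        entry_to_rule "$e"
    done
}

print_rules "$SAMPLE_ENTRIES"
echo "wide entries in sample: $(count_wide "$SAMPLE_ENTRIES")"
# The "trust all TCP from that address" variant from the custom-rule post:
print_rules "192.168.1.56,tcp"
```

Run it with sh; the three sample entries print without a marker, while the single-entry "all TCP from 192.168.1.56" variant is marked WIDE, which is the trade-off the thread discusses between trusting the whole address and opening only the data-port range with source port 20.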