I need some help configuring my SuSE firewall2 for FTP usage currently I have a Firewall gateway combo…
For now if i try to connect to an ftp from the server all work but if I try to connect form a computer inside
the network it does not work … the client return with Can’t build data connection…
>>>
SFW2-INext-ACC-TRUST IN=eth0 OUT= MAC=00:02:55:7b:1c:9c:08:00:20:d2:51:e5:08:00 SRC=X.X.X.X DST=X.X.X.8 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=32495 DF PROTO=TCP SPT=20 DPT=2177 WINDOW=49640 RES=0x00 SYN URGP=0 OPT (020405B401010402)
<<<<
from this trace I can’t see why but from the internal interface I can connect but can’t list the directory…
I’m using SuSEfirewall2 version 3.6
thanks for your help
RD
You gave your SuSEfirewall2 version, but as that is only a script that creates the IP rules that are interpreted by the kerenel, the version of openSUSE is missing (it should allways be given).
Also I do not understand realy when you say " if i try to connect to an ftp from the server". In TCP/IP land you allways connect from the cclient to the server. That is so by definition. The FTP server is the system where the FTP deamon runs (listening on port 21 normaly) and the clients run the FTP programs seelng connection to that serving system.
Hi thanks for your response … I’m running OpenSuSE 11.4. What I meat to say was …since the server that I used as firewall is also a gateway for my internal network…If I try connecting outside from that server it all work great but if I use on of the computer from my internal network to an outside ftp server connection work but list directory failed…
is there any variable that I should pay attention to for this to work properly…
You mean that when you say server, you do not mean the FTP server, but some other system that you use as gateway/firewall between your LAN and the Internet?
Why not make a primitive drawing where you give the systems involved names (I guess they all have names, so that should not be that difficult I guess) and explain what task each of them has with respect to your problem. And then make statementss like: “when I ftp from systemA to SystemB …”, etc. Would make it probably easier for others to understand.
EXAMPLE (please other posters, this is by no way to show what the OP has, it is just to show what I mean):
---- FTPS
Internet ----- GF ----<
---- WS
GF: Gateway and Firewall
FTPS: FTP Server
WS: WorkStation with FTP client
/EXAMPLE
To recap, B1 is in this story only the firewall and gateway (you keep calling it sserver, but it eludes me why, it serves nithing in this story)
And in an earlier post you say you can connect, but then you can not do a dir listing. Can you transfer? And why do you not show your story. It sounds as if you use a normal FTP client from the command lin. What is easier then use your mouse and copy/paste that session from the ftp call until and including the error message in a post here so we can see?
And btw did you open port 21 (ftp) and port 20 (ftp-data) and both for UDP and TCP?
On 2012-06-08 22:46, ephlodur wrote:
>
> Thanks for your reply… there seem to be a problem with the NAT …
> I have try what you suggested …but that did not work
Post the exact error and the entries for the firewall of the affected
machines. “Does not work” does not help.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
the error I get from the FTP client is
“502 Illegal PORT command 425 Unable to build data connection: Connection refused”
and as for the firewall I don’t know which section you want me to upload?
On 2012-06-11 15:56, ephlodur wrote:
>
> Hello,
>
> the error I get from the FTP client is
> “502 Illegal PORT command 425 Unable to build data connection:
> Connection refused”
That’s not a firewall problem, that’s a problem between the client and the
server, so check the server logs.
> and as for the firewall I don’t know which section you want me to
> upload?
The lines where connections from the client are rejected, if they exist, in
client, server, and any intermediate gateway/firewall that may exist.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
On 2012-06-11 16:36, ephlodur wrote:
>
> Hi,
>
> as for the error the FTP client get is:
>>
>> 502 Illegal PORT command 425 Unable to build data connection:
>> Connection refused
>>
> as for the firewall you will need to tell me which section to think I
> should provide?
I already replied to this.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
from B1 if I connect to A1 there is no problem …
but from C1 the connection is ok but when I try to do an ls
I get 502 Illegal PORT command 425 Unable to build data connection:
there is no indication from the firewall that a connection is refuse but my reading
indicate that FTP and NAT is a bit of an issue…
On 2012-06-12 14:06, hcvv wrote:
>
>> It is not clear how C1 and C2 connect, or how C1 and A1 connect.
>>
> I interpreted the drawing as that B1, C1 and C2 are on the same LAN. B1
> is default gateway for C1 and C2 to the outside, where A1 resides.
That would be a graph of your description. And I understand there is no
other router machine to connect to internet (ADSL?), but that B1 connects
directly to it. Also the switch to the local net is missing, because it has
not been described.
Also missing is how the firewall in B2 is set: I would assume there is an
external interface and an internal, both set in the SuSEfirewal2. C1, C2
also probably have firewalls set up. Then, A1 is under his control or not?
I like graphs clear.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
You are correct, B1 (gateway) has 2 interfaces one connect to the internal network ( C1 and C2 ) and one connect to the external network (A1).
C1 and C2 uses NAT to connect to A1… As I mentioned before I’m not 100% sure that the problem is the ftp server as if I connect from B1 (gateway) to A1 (FTP server)
all is working OK but when i connect from C1 or C2 I get an error when doing an ls.
There is no entry in the firewall logs that says a connection was DROP but I do see the FTP server( A1) trying to establish a data connection back to the client (C1) this connection is been accepted by the firewall for now I’m not sure why is not routed back to client C1.
Ps: the client that I’m trying to connect to the external FTP server cannot be setup to change from active to passive mode or vice-versa.
On 2012-06-12 16:46, ephlodur wrote:
>
> You are correct, B1 (gateway) has 2 interfaces one connect to the
> internal network ( C1 and C2 ) and one connect to the external network
> (A1).
>
> C1 and C2 uses NAT to connect to A1… As I mentioned before I’m not
> 100% sure that the problem is the ftp server as if I connect from B1
> (gateway) to A1 (FTP server)
> all is working OK but when i connect from C1 or C2 I get an error when
> doing an ls.
The data connection.
> There is no entry in the firewall logs that says a connection was DROP
> but I do see the FTP server( A1) trying to establish a data connection
> back to the client (C1) this connection is been accepted by the firewall
> for now I’m not sure why is not routed back to client C1.
That’s active mode, which is problematic on the client side.
Notice that there are 3 firewalls that you have to look at; you are
probably looking at B1, but you also have to look at C1 & C2, and all need
connection tracking.
> Ps: the client that I’m trying to connect to the external FTP server
> cannot be setup to change from active to passive mode or vice-versa.
Change client, or change client.
You have to test with another client that allows choosing the method.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
ok