What settings are needed in the firewall to allow ftp?

Hi Folks

I’ve recently brought my operating system up to date (openSUSE 13.1 x86_64) and I’m now having problems with the firewall. I use FileZilla to connect by ftp to my websites but the firewall is preventing the data transfer. It seems to work OK with the firewall off. What settings should I use in the firewall to allow ftp through? My computer is on a LAN and my websites are hosted professionally.

Thanks

Schrod

You should configure your ftp client to use “passive” ftp.
This way the client is creating all connections. It should work if the firewall does not block any outgoing traffic.

Hendrik

FileZilla was configured to use passive and has been tried with active too but the data seems to be stuck behind the firewall. If I switch off the firewall, FileZilla will work in active but not reliably in passive. It logs in OK even with the firewall on but can’t usually get the directory listings let alone down/upload anything.

Still confused,

Schrod

On 2014-05-17 21:36, Schrod wrote:
>
> FileZilla was configured to use passive and has been tried with active
> too but the data seems to be stuck behind the firewall. If I switch off
> the firewall, FileZilla will work in active but not reliably in passive.
> It logs in OK even with the firewall on but can’t usually get the
> directory listings let alone down/upload anything.

Passive mode is easy on the client firewall and difficult on the server
firewall.

Active mode is easy on the server firewall and difficult on the client
firewall.

If I got it right, I often confuse both.

Typical SuSEfirewall2 settings are:


FW_SERVICES_EXT_TCP="ftp ftp-data"

FW_SERVICES_ACCEPT_RELATED_EXT="192.168.1.0/24,tcp,ftp \
192.168.1.0/24,tcp,ftp-data"

FW_TRUSTED_NETS="192.168.1.14,tcp,ftp  \
192.168.1.45,tcp,ftp-data"

FW_LOAD_MODULES="nf_conntrack_ftp"

Try the last one first.
Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

:slight_smile:
Passive FTP?
How about PASV FTP instead?

Some fundamentals…
Unlike most other protocols, FTP requires a minimum of 2 ports, the “Control” and the “Data”.

Active FTP only requires the Firewall to open the two standard ports 21 and 20.
With PASV FTP, the same control port is used by all clients, but each client uses a different data port. This is why PASV FTP can be difficult to set up through a FW: you either have to open a range that is always open, or the FW has to be smart enough (aka “stateful inspection”) to open and close data ports as needed.

When you configure a FW like SUSE FW, you can define your FTP ports either as a configured “service” or manually open ports. When you manually open ports, the ports are always open. Although I haven’t checked, with iptables’ relatively recent announcement of support for stateful inspection I would expect that configuring the FTP service would open and close data ports as needed.

From the client side, some clients like web browsers typically (but not always) support both Active and PASV FTP… One would be tried and fall back to the other. Personally, I try to find out what is initially supported by default and don’t rely on a successful fallback.

Other clients can be explicitly configured to use either mode or only support one mode.

HTH,
TSU
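As an added illustration (not code from any poster in this thread, and not the nf_conntrack_ftp helper itself), the following Python mimics what a stateful FTP helper has to do: read the control channel, spot the client's PORT command (active) or the server's 227 PASV reply (passive), decode the announced IP and port, and work out which side opens the data connection and therefore which rule the client's firewall needs. The sample session, the client address 192.168.1.14 and the server address 203.0.113.5 are constructed.

```python
import re

# The two control-channel messages that announce a data endpoint.
# PORT is sent by the client (active mode); 227 is the server's reply to PASV.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_endpoint(groups):
    """Turn the six h1,h2,h3,h4,p1,p2 fields into (ip, port)."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError(f"FTP endpoint field out of range: {groups!r}")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expect_data_connection(line, client_ip, server_ip):
    """Inspect one control-channel line the way a stateful FTP helper does.

    Returns None if the line announces no data endpoint, otherwise a dict with
    the mode, who initiates the data connection, where it goes, whether the
    announced address really belongs to the peer that announced it (a helper
    that skips this check can be talked into opening a hole towards a third
    host), and the rule the *client's* firewall needs for it.
    """
    m = PORT_RE.match(line)
    if m:  # active: server connects from port 20 to the client's announced port
        ip, port = decode_endpoint(m.groups())
        return {"mode": "active", "initiator": "server", "dst_ip": ip,
                "dst_port": port, "addr_ok": ip == client_ip,
                "client_rule": f"allow inbound TCP from {server_ip}:20 to {ip}:{port}"}
    m = PASV_RE.match(line)
    if m:  # passive: client connects out to the server's announced port
        ip, port = decode_endpoint(m.groups())
        return {"mode": "passive", "initiator": "client", "dst_ip": ip,
                "dst_port": port, "addr_ok": ip == server_ip,
                "client_rule": f"allow outbound TCP from {client_ip} to {ip}:{port}"}
    return None


# Constructed control-channel excerpt: client 192.168.1.14, server 203.0.113.5.
SAMPLE = [
    "USER anonymous",
    "PASV",
    "227 Entering Passive Mode (203,0,113,5,195,80).",
    "PORT 192,168,1,14,4,1",
    "LIST",
]


def analyse(lines, client_ip="192.168.1.14", server_ip="203.0.113.5"):
    """Return the expected data connections for every announcing line."""
    found = (expect_data_connection(l, client_ip, server_ip) for l in lines)
    return [r for r in found if r]
```

Running analyse(SAMPLE) shows the passive reply only needs an outbound allow on the client, while the PORT command needs an inbound allow to an arbitrary high port, which is exactly the hole a plain "ports 21 and 20" rule set on the client cannot express without a helper such as nf_conntrack_ftp.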