Hello, I have a problem on my iptables / firewall. I have a FTP server running on my opensuse 12.1 server and it’s working if my firewall is off. After I turn it on, it blocks the FTP connections.
But I already have configuration about it and I accept TCP 21 ports. What do I do wrong? Here is the log when the firewall blocks FTP connections.
On 2012-09-22 17:56, DeepSecurity wrote:
>
> Hello, I have a problem on my iptables / firewall. I have a FTP server
> running on my opensuse 12.1 server and it’s working if my firewall is
> off. After I turn it on, it blocks the FTP connections.
> But I already have configuration about it and I accept TCP 21 ports.
> What do I do wrong? Here is the log when the firewall blocks FTP
> connections.
FTP usses two ports, one for control, another for data. The data connection can be initiated by
the server or by the client, and then the connection is called active or passive - I never
remember which is which, but you can read about it in the wikipedia.
FW_SERVICES_ACCEPT_RELATED_EXT=“ftp, ftp-data”
FW_SERVICES_EXT_TCP=“ftp, ftp-data”
FW_LOAD_MODULES=“nf_conntrack_ftp”
I don’t know if these are the minimal settings, but they seem to work for me.
–
Cheers / Saludos,
Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)
Both Carlos and hcvv are correct regarding how the firewall and FTP
work, but if this is really the current event from /var/log/firewall
when your connection is blocked then they are focusing on subsequent
potential issues as this appears to be blocking the start of the control
connection on port 21, not the data connection (for a transfer of data)
on another port. Post your NetFilter/firewall rules, the output from
the following command(s):
sudo /usr/sbin/iptables-save
sudo /usr/sbin/iptables -nvL
Good luck.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.19 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
Because the FTP protocol is one of those that requires separate connection and data ports, it can be complex to configure a FW properly.
This is generally why it’s a good idea to select an FTP Server app which for which the SUSE Firewall is “aware.” This generally means that if you install something like ProFTP (which I use), YAST will auto-detect the installed software and provide automatic FW configuration tightly integrating how both the App config file and FW config files are setup. This is especially useful if you configure PASV FTP.
In other words,
What FTP Server app are you running?
If the FTP app is supported by YAST, did you look for an FTP Server applet in YAST?
Bottom line, YAST will prevent plenty of User Config Errors, and even if you make special edits you should also try starting with what YAST can do for you.
Hello guys, thank you very much for your answers. Here are the steps I just followed:
I uninstalled FTP server and installed it again using YAST as tsu2 mentioned. SUSE firewall couldn’t configure it automatically that’s why I opened 20 and 21 ports on the firewall as hcvv wrote before.
I can connect the server now when the firewall is on or off but I am getting “530 login incorrect” error message. So it seems like I solved the firewall problem adding 21 (ftp-data) on the firewall but having authentication problem. I am using SASL authentication and have some virtual servers but no luck to login yet. It was working when firewall is off before I uninstalled FTP server…
Are you sure you looked for an FTP applet in YAST which should automagically appear after installing ProFTP? YOu should be able to do all basic application configurations including FW within that, not using the regular SUSE FW applet.
If it’s not working for ProFTP, recommend uninstalling and try PureFTP.
Hi tsu2, I have a minimal server installed. So I don’t have the graphic interface installed on it. When I go yast2 using terminal, I am sure that I can’t see the ProFTP option. Maybe it’s only possible to see that on the graphical interface? The weird thing is I’ve been using proftp for 2 years, never seen a problem like this before. I can pass the firewall with FTP but something is still wrong with authentication mechanism. I thing I should also try PureFTP :good: …
On the terminal you have the YaST ncurses interface and I am pretty sure that you have the System > System services (runlevel) there. There you will see pur-ftp in the list and you can switch it on there.
Or you can go to Network service > Network Service (xinetd) where you will find maybe even more then one ftp service (I have pure-ftpd and vsftpd in the list) of which you can switch on one and configure the details (like arguments to the call, allowed system, etc). Same as in the the YaST GUI interface.
> Hi tsu2, I have a minimal server installed. So I don’t have the graphic
> interface installed on it. When I go yast2 using terminal, I am sure
> that I can’t see the ProFTP option. Maybe it’s only possible to see that
> on the graphical interface? The weird thing is I’ve been using proftp
> for 2 years, never seen a problem like this before. I can pass the
> firewall with FTP but something is still wrong with authentication
> mechanism. I thing I should also try PureFTP :good: …
>
>
YaST2 - menu @ Telcontar
┌─────────────────────────────────────────────────────────────────────────┐
│ YaST2 Control Center │
└─────────────────────────────────────────────────────────────────────────┘
┌────────────────────┐ ┌──────────────────────────────────────────────────┐
│Software │ │DHCP Server ┬
│Hardware │ │DNS Server │
│System │ │FTP Server │
See the ftp server there?
–
Cheers / Saludos,
Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)
I doubt that SUSE Firewall is compatible with FTP at all. FTP dialogue certainly starts at PORTS 21/22 but then another port is opened. For a typical session I get
PORT command successful
Connecting to port 60999
I think this is “passive ftp” and that it is the client that opens port 60999 on the server, this must then be permitted by the Firewall
“In active mode, the client creates a TCP control connection to the server and sends the server the client’s IP address and an arbitrary client port number, and then waits until the server initiates the data connection over TCP to that client IP address and client port number.”
If the client has not a prohibiting firewall this works fine!
Further:
“In situations where the client is behind a firewall and unable to accept incoming TCP connections, passive mode may be used. In this mode, the client uses the control connection to send a PASV command to the server and then receives a server IP address and server port number from the server, which the client then uses to open a data connection from an arbitrary client port to the server IP address and server port number received.”
But for this it is not enough to have ports 20 and 21 open on the server
I just tried and in fact the system is clever enough to allow FTP with the Firewall running. Starting YaST , Selecting “Security and Users”/“Firewall”/“Allowed Services” and selecting “pureftp” (or what you are using) as “allowed” for both inner and outer zone it works. The firewall of the client must also be set to allow ftp what at least for MS Windows is the default setting. If one ticks “no exceptions allowed” for the security setting of MS Windows firewall ftp is no more possible.
But for sure, the file transfer is through other ports then 20 and 21
The proposals earlier given about changing FTP server is definitely off-point, it is all about forcing the firewall to allow the FTP transfers, all servers use the same (ftp) protocol.
Maybe the system is not that clever after all! My previous note was based on a test with one of my LINUX ftp server (with a YAST configured firewall running) conversing with an MS Windows computer as client. But when I tried precisely the same from a Linux computer (with firewall switched off!) as client I got the message
“Extended Passive mode OK (|||10862|)”
and the client was hanging. Switching off the firewall on the server => everything work fine!
Conclusion:
The Linux computer (as client) tells the server that passive mode should be used by sending the PASV command (although active mode would be fine, there is no firewall running on the client!)
The server advises the client to open a port (on the server) with a certain number
The firewall on the server then does not permit this port to be opened (although “pureftpd” has been specified as allowed service)
The firewall on the MS Windows computer must be more clever allowing active ftp with the server opening a client port. And the MS Windows system is using this fact, not commanding “passive mode” as the stupid Linux client-computer (with no running firewall!)
Second conclusion: firewalls causes more problems then what they help!
> The firewall on the MS Windows computer must be more clever allowing
> active ftp with the server opening a client port. And the MS Windows
> system is using this fact, not commanding “passive mode” as the stupid
> Linux client-computer (with no running firewall!)
You have to load the firewall module that tracks ftp connections.
–
Cheers / Saludos,
Carlos E. R.
(from 12.1 x86_64 “Asparagus” at Telcontar)
Thank you for all your replies and I am sorry my late answer I was away for a while.
First of all, robin_listas, I really don’t have FTP Server on my YAST panel. I am not familiar with yast and I think I am missing something. I attached a screenshot of my control panel on YAST for you. I think it will be easier if I can make the configuration on YAST.
Here is what I did recently: I uninstall the server and install it back again for a few times but no luck. Yesterday, I tried to download the latest ProFTP module and tried to install that but the server crashes at the middle of the installation without any reason. Well, I install ProFTP with YAST again to make it work at least when the firewall is off
Conclusion: I openned the ports 20 and 21 but it was still not working when the firewall is off. After some research on the ProFTP manual I also openned 40000 and 40999 for data communication. I can connect to the FTP when the firewall is on now. But there is still something wrong. I can only see the files, can’t go into a folder, the screen freezes then the server says “time out”.
Note: Everything is working fine if I turn the firewall off.
FTP server / service is up & running…