* how to set ports for ip_conntrack_ftp
@ 2006-08-31 15:11 Jonas Meurer
[not found] ` <000601c6cd14$e07a28a0$0101000a@tanjian>
2006-08-31 17:30 ` Damjan
0 siblings, 2 replies; 17+ messages in thread
From: Jonas Meurer @ 2006-08-31 15:11 UTC (permalink / raw)
To: Netfilter-Users
Hello,
where can i set the ports for ip_conntrack_ftp?
if i load it as module, i can use
'modprobe ip_conntrack_ftp ports=21,31,41'
but if the module is compiled into the kernel, i have no idea how to set
the ports. i didn't find anything in either /proc or
kernel-source/Documentation.
the server is running linux kernel 2.4.27.
...
jonas
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: how to set ports for ip_conntrack_ftp
[not found] ` <000601c6cd14$e07a28a0$0101000a@tanjian>
@ 2006-08-31 15:57 ` 'Jonas Meurer'
2006-08-31 16:28 ` Rob Sterenborg
2006-08-31 16:44 ` Pascal Hambourg
0 siblings, 2 replies; 17+ messages in thread
From: 'Jonas Meurer' @ 2006-08-31 15:57 UTC (permalink / raw)
To: Rob Sterenborg; +Cc: Netfilter-Users
On 31/08/2006 Rob Sterenborg wrote:
> > where can i set the ports for ip_conntrack_ftp?
> >
> > if i load it as module, i can use
> > 'modprobe ip_conntrack_ftp ports=21,31,41'
> >
> > but if the module is compiled into the kernel, i have no idea how to
> > set the ports. i didn't find anything in either /proc or
> > kernel-source/Documentation.
>
> AFAIK you can't: you can only do that when it's compiled as a module.
in other words, this module is unusable for ftpservers on non-standard
ports, if it's compiled into the kernel?
what reason does this have?
i run several zope instances on a server, all of them providing a
ftpserver.
i use firehol as firewall software.
how can i open the ports for those ftp-servers without using
ip_conntrack_ftp?
what i'm currently doing is:
iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
-m multiport -p tcp --dports 9621,9721 \
-d **.**.***.**/31 -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
-m multiport -p tcp --sports 9621,9721 \
-d **.**.***.**/31 -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW \
-m multiport -p tcp --sports 9620,9720 \
-d **.**.***.**/31 -j ACCEPT
but obviously this doesn't work. i still cannot connect to the
ftpservers on port 9621 and 9721. what am i missing?
...
jonas
* RE: how to set ports for ip_conntrack_ftp
2006-08-31 15:57 ` 'Jonas Meurer'
@ 2006-08-31 16:28 ` Rob Sterenborg
2006-09-01 7:24 ` Jan Engelhardt
2006-08-31 16:44 ` Pascal Hambourg
1 sibling, 1 reply; 17+ messages in thread
From: Rob Sterenborg @ 2006-08-31 16:28 UTC (permalink / raw)
To: 'Netfilter-Users'
netfilter-bounces@lists.netfilter.org <> wrote:
> On 31/08/2006 Rob Sterenborg wrote:
>>> where can i set the ports for ip_conntrack_ftp?
>>>
>>> if i load it as module, i can use
>>> 'modprobe ip_conntrack_ftp ports=21,31,41'
>>>
>>> but if the module is compiled into the kernel, i have no idea how to
>>> set the ports. i didn't find anything in either /proc or
>>> kernel-source/Documentation.
>>
>> AFAIK you can't: you can only do that when it's compiled as a module.
>
> in other words, this module is unusable for ftpservers on non-standard
> ports, if it's compiled into the kernel?
Ah, well, you could try by passing the parameters to the kernel at
boot-time (lilo/grub). Maybe that would work.
Gr,
Rob
* Re: how to set ports for ip_conntrack_ftp
2006-08-31 15:57 ` 'Jonas Meurer'
2006-08-31 16:28 ` Rob Sterenborg
@ 2006-08-31 16:44 ` Pascal Hambourg
2006-09-01 1:20 ` Jonas Meurer
1 sibling, 1 reply; 17+ messages in thread
From: Pascal Hambourg @ 2006-08-31 16:44 UTC (permalink / raw)
To: Netfilter-Users
Hello,
'Jonas Meurer' wrote:
>
> in other words, this module is unusable for ftpservers on non-standard
> ports, if it's compiled into the kernel?
Well, I guess you can edit the default port list in the kernel source
before compiling.
> how can i open the ports for those ftp-servers without using
> ip_conntrack_ftp?
There is a workaround, which requires that the FTP server software be
"cooperative". For instance, it must be able to set a range of local
ports to use for data transfer connections in passive mode.
> what i'm currently doing is:
>
> iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
> -m multiport -p tcp --dports 9621,9721 \
> -d **.**.***.**/31 -j ACCEPT
>
> iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
> -m multiport -p tcp --sports 9621,9721 \
> -d **.**.***.**/31 -j ACCEPT
>
> iptables -A OUTPUT -o eth0 -m state --state NEW \
> -m multiport -p tcp --sports 9620,9720 \
> -d **.**.***.**/31 -j ACCEPT
What do the "-d **.**.***.**/31" address ranges represent ?
> but obviously this doesn't work. i still cannot connect to the
> ftpservers on port 9621 and 9721. what am i missing?
The first two rules may allow to establish an incoming control
connection, although the RELATED state is not needed. But the third rule
is not sufficient to allow the server to establish an outgoing data
connection in active mode. You need to add the ESTABLISHED state to
allow outgoing packets once the connection is established. You also need
to create another rule in the INPUT chain as its counterpart for the
return traffic, in the ESTABLISHED state.
* Re: how to set ports for ip_conntrack_ftp
2006-08-31 15:11 how to set ports for ip_conntrack_ftp Jonas Meurer
[not found] ` <000601c6cd14$e07a28a0$0101000a@tanjian>
@ 2006-08-31 17:30 ` Damjan
2006-08-31 22:48 ` Jonas Meurer
1 sibling, 1 reply; 17+ messages in thread
From: Damjan @ 2006-08-31 17:30 UTC (permalink / raw)
To: Netfilter-Users
> where can i set the ports for ip_conntrack_ftp?
>
> if i load it as module, i can use
> 'modprobe ip_conntrack_ftp ports=21,31,41'
>
> but if the module is compiled into the kernel, i have no idea how to set
> the ports. i didn't find anything in either /proc or
> kernel-source/Documentation.
>
> the server is running linux kernel 2.4.27.
Hmm, I don't know about 2.4.x kernels but in 2.6.x you can always set
parameters to integrated modules on the kernel command line.
In your case it would be:
ip_conntrack_ftp.ports=21,31,41
--
damjan | дамјан
This is my jabber ID --> damjan@bagra.net.mk
-- not my mail address, it's a Jabber ID --^ :)
* Re: how to set ports for ip_conntrack_ftp
2006-08-31 17:30 ` Damjan
@ 2006-08-31 22:48 ` Jonas Meurer
2006-09-01 5:59 ` Rob Sterenborg
0 siblings, 1 reply; 17+ messages in thread
From: Jonas Meurer @ 2006-08-31 22:48 UTC (permalink / raw)
To: netfilter
On 31/08/2006 Damjan wrote:
> > where can i set the ports for ip_conntrack_ftp?
> >
> > if i load it as module, i can use
> > 'modprobe ip_conntrack_ftp ports=21,31,41'
> >
> > but if the module is compiled into the kernel, i have no idea how to set
> > the ports. i didn't find anything in either /proc or
> > kernel-source/Documentation.
> >
> > the server is running linux kernel 2.4.27.
>
> Hmm, I don't know about 2.4.x kernels but in 2.6.x you can always set
> parameters to integrated modules on the kernel command line.
>
> In your case it would be:
> ip_conntrack_ftp.ports=21,31,41
how can i use this kernel command line?
do you mean sysctl?
...
jonas
* Re: how to set ports for ip_conntrack_ftp
2006-08-31 16:44 ` Pascal Hambourg
@ 2006-09-01 1:20 ` Jonas Meurer
2006-09-01 2:22 ` Pascal Hambourg
0 siblings, 1 reply; 17+ messages in thread
From: Jonas Meurer @ 2006-09-01 1:20 UTC (permalink / raw)
To: Pascal Hambourg; +Cc: Netfilter-Users
On 31/08/2006 Pascal Hambourg wrote:
> >in other words, this module is unusable for ftpservers on non-standard
> >ports, if it's compiled into the kernel?
>
> Well, I guess you can edit the default port list in the kernel source
> before compiling.
no, i didn't find any way to do this.
> >how can i open the ports for those ftp-servers without using
> >ip_conntrack_ftp?
>
> There is a workaround, which requires that the FTP server software be
> "cooperative". For instance, it must be able to set a range of local
> ports to use for data transfer connections in passive mode.
i don't know whether the zope ftp-servers support this.
> >iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
> > -m multiport -p tcp --dports 9621,9721 \
> > -d **.**.***.**/31 -j ACCEPT
> >
> >iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
> > -m multiport -p tcp --sports 9621,9721 \
> > -d **.**.***.**/31 -j ACCEPT
> >
> >iptables -A OUTPUT -o eth0 -m state --state NEW \
> > -m multiport -p tcp --sports 9620,9720 \
> > -d **.**.***.**/31 -j ACCEPT
>
> What do the "-d **.**.***.**/31" address ranges represent ?
it is 62.75.128.98/31, which should be 62.75.128.98 and 62.75.128.99.
> >but obviously this doesn't work. i still cannot connect to the
> >ftpservers on port 9621 and 9721. what am i missing?
>
> The first two rules may allow to establish an incoming control
> connection, although the RELATED state is not needed. But the third rule
> is not sufficient to allow the server to establish an outgoing data
> connection in active mode. You need to add the ESTABLISHED state to
> allow outgoing packets once the connection is established. You also need
> to create another rule in the INPUT chain as its counterpart for the
> return traffic, in the ESTABLISHED state.
how would this look like?
let's say, ftp-servers are on port 9621 and 9721. then i need to open
9620 and 9720 as well for ftp, correct?
so what i am missing here:
iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
-m multiport -p tcp --dports 9621,9721 -d 62.75.128.98/31 -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
-m multiport -p tcp --sports 9621,9721 -d 62.75.128.98/31 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
-m multiport -p tcp --dports 9620,9720 -d 62.75.128.98/31 -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESABLISHED \
-m multiport -p tcp --sports 9620,9720 -d 62.75.128.98/31 -j ACCEPT
after using exactly these commands, i'm still not able to connect to the
ftp-servers.
if i try to login with lftp, it says [Connecting...], then
[FEAT negotiation...] and then it hangs forever at
[Making data connection...].
ftp login from localhost works perfectly well, so the ftp-server is not
the problem here.
...
jonas
* Re: how to set ports for ip_conntrack_ftp
2006-09-01 1:20 ` Jonas Meurer
@ 2006-09-01 2:22 ` Pascal Hambourg
2006-09-02 14:27 ` Jonas Meurer
0 siblings, 1 reply; 17+ messages in thread
From: Pascal Hambourg @ 2006-09-01 2:22 UTC (permalink / raw)
To: Netfilter-Users
Jonas Meurer wrote:
>>
>>What do the "-d **.**.***.**/31" address ranges represent ?
>
> it is 62.75.128.98/31, which should be 62.75.128.98 and 62.75.128.99.
Actually I did not ask for their exact values but their meaning
network-wise. Because usually, when there is "-d <range>" in an INPUT
rule there is "-s <range>" in its OUTPUT counterpart or vice versa, but
both your INPUT and OUTPUT rule contain the same "-d <range>". So I was
wondering. Are these the client and server addresses ?
> let's say, ftp-servers are on port 9621 and 9721. then i need to open
> 9620 and 9720 as well for ftp, correct?
Yes. But I repeat that opening 9620 and 9720 is effective for active
mode only. Passive mode won't work.
> so what i am missing here:
> iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
> -m multiport -p tcp --dports 9621,9721 -d 62.75.128.98/31 -j ACCEPT
> iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED,RELATED \
> -m multiport -p tcp --sports 9621,9721 -d 62.75.128.98/31 -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED \
^^^
No need for NEW in this rule. This is return traffic.
> -m multiport -p tcp --dports 9620,9720 -d 62.75.128.98/31 -j ACCEPT
> iptables -A OUTPUT -o eth0 -m state --state NEW,ESABLISHED \
typo here ^^^^
> -m multiport -p tcp --sports 9620,9720 -d 62.75.128.98/31 -j ACCEPT
I repeat: you don't need all those RELATED here (but they do no harm).
> after using exactly these commands, i'm still not able to connect to the
> ftp-servers.
>
> if i try to login with lftp, it says [Connecting...], then
> [FEAT negotiation...] and then it hangs forever at
> [Making data connection...].
This indicates that the control connection succeeds but the data
connection fails. Maybe lftp uses passive mode for the data connections
by default, then you have to disable it with "set ftp:passive-mode off"
so lftp uses active mode instead. You can also use the "debug" command
in lftp to get a more verbose output.
* RE: how to set ports for ip_conntrack_ftp
2006-08-31 22:48 ` Jonas Meurer
@ 2006-09-01 5:59 ` Rob Sterenborg
2006-09-02 14:29 ` Jonas Meurer
0 siblings, 1 reply; 17+ messages in thread
From: Rob Sterenborg @ 2006-09-01 5:59 UTC (permalink / raw)
To: netfilter
>>> where can i set the ports for ip_conntrack_ftp?
>>>
>>> if i load it as module, i can use
>>> 'modprobe ip_conntrack_ftp ports=21,31,41'
>>>
>>> but if the module is compiled into the kernel, i have no idea how
>>> to set the ports. i didn't find anything in either /proc or
>>> kernel-source/Documentation.
>>>
>>> the server is running linux kernel 2.4.27.
>>
>> Hmm, I don't know about 2.4.x kernels but in 2.6.x you can always set
>> parameters to integrated modules on the kernel command line.
>>
>> In your case it would be:
>> ip_conntrack_ftp.ports=21,31,41
>
> how can i use this kernel command line?
> do you mean sysctl?
No.
You should edit your lilo.conf or grub.conf for this and look for the
line that says where your kernel is (probably: /boot/...). Append
"ip_conntrack_ftp.ports=21,31,41" to it.
Then, reboot the server.
Gr,
Rob
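The boot-line route described above, as an added example that is not code from the thread or from netfilter: on a 2.6+ kernel a parameter of a helper compiled into the kernel is passed as `<module>.<param>=<value>` on the kernel command line, so the job is to get `ip_conntrack_ftp.ports=...` onto the `kernel` line of the boot loader exactly once and to read the live value back after the reboot. The functions below do that for a command-line string and for a GRUB legacy `menu.lst`; `SAMPLE_MENU_LST` is a constructed sample, `MAX_PORTS` is the limit from the helper's source, and the sysfs path exists only on 2.6+ (the 2.4 kernel in the thread has no sysfs, and whether it honours the boot argument at all is left open above).

```python
# Added example, not code from the thread or from netfilter.
import shlex
from typing import List, Optional

MODULE = "ip_conntrack_ftp"   # nf_conntrack_ftp on 2.6.20 and later kernels
PARAM = MODULE + ".ports"
MAX_PORTS = 8                 # MAX_PORTS in the helper's source: ports= takes at most 8


def parse_ports(value: str) -> List[int]:
    """Validate a ports= value: 1..MAX_PORTS comma separated TCP ports."""
    ports = [int(p) for p in value.split(",") if p]
    if not 1 <= len(ports) <= MAX_PORTS:
        raise ValueError("ports= takes 1..%d ports, got %d" % (MAX_PORTS, len(ports)))
    bad = [p for p in ports if not 1 <= p <= 65535]
    if bad:
        raise ValueError("port out of range: %r" % bad)
    return ports


def ports_valid(value: str) -> bool:
    try:
        parse_ports(value)
        return True
    except ValueError:
        return False


def set_param(cmdline: str, name: str, value: str) -> str:
    """Return cmdline with name=value present exactly once, other args untouched."""
    args = [a for a in shlex.split(cmdline) if a.partition("=")[0] != name]
    args.append("%s=%s" % (name, value))
    return " ".join(args)


def get_param(cmdline: str, name: str) -> Optional[str]:
    """Value of name=... on cmdline, or None; a later copy overrides an earlier one."""
    found = None
    for arg in shlex.split(cmdline):
        key, sep, val = arg.partition("=")
        if key == name and sep:
            found = val
    return found


def add_to_grub_legacy(menu_lst: str, name: str, value: str) -> str:
    """Set name=value on every 'kernel <image> <args>' line of a GRUB legacy menu."""
    out = []
    for line in menu_lst.splitlines():
        body = line.lstrip()
        if body.startswith(("kernel ", "kernel\t")):
            indent = line[: len(line) - len(body)]
            tokens = shlex.split(body)             # ['kernel', image, args...]
            image, args = tokens[1], " ".join(tokens[2:])
            line = "%skernel %s %s" % (indent, image, set_param(args, name, value))
        out.append(line)
    return "\n".join(out) + ("\n" if menu_lst.endswith("\n") else "")


def live_ports(module: str = MODULE) -> Optional[str]:
    """Current value as a running 2.6+ kernel reports it, built-in or not;
    None when the file does not exist (2.4 kernel, or helper not present)."""
    try:
        with open("/sys/module/%s/parameters/ports" % module) as fh:
            return fh.read().strip()
    except OSError:
        return None


# Constructed sample of a GRUB legacy menu.lst, not a real configuration.
SAMPLE_MENU_LST = """\
default 0
timeout 5

title Debian GNU/Linux, kernel 2.4.27
root (hd0,0)
kernel /boot/vmlinuz-2.4.27 root=/dev/sda1 ro
initrd /boot/initrd.img-2.4.27
"""

if __name__ == "__main__":
    wanted = "21,9621,9721"
    parse_ports(wanted)                       # refuse a value the helper would truncate
    print(add_to_grub_legacy(SAMPLE_MENU_LST, PARAM, wanted))
    try:
        with open("/proc/cmdline") as fh:
            print("booted with:", get_param(fh.read(), PARAM))
    except OSError:
        pass
    print("live value:", live_ports())
```

After the reboot, compare `get_param` on `/proc/cmdline` with `live_ports()`: the first proves the argument reached the kernel, the second proves the helper picked it up. Validating the port list first matters because the helper's array parameter silently takes only the first `MAX_PORTS` entries.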
* RE: how to set ports for ip_conntrack_ftp
2006-08-31 16:28 ` Rob Sterenborg
@ 2006-09-01 7:24 ` Jan Engelhardt
0 siblings, 0 replies; 17+ messages in thread
From: Jan Engelhardt @ 2006-09-01 7:24 UTC (permalink / raw)
To: Rob Sterenborg; +Cc: 'Netfilter-Users'
>>>> if i load it as module, i can use
>>>> 'modprobe ip_conntrack_ftp ports=21,31,41'
>>>>
>>> AFAIK you can't: you can only do that when it's compiled as a module.
>>
>> in other words, this module is unusable for ftpservers on non-standard
>> ports, if it's compiled into the kernel?
>
>Ah, well, you could try by passing the parameters to the kernel at
>boot-time (lilo/grub). Maybe that would work.
The boot option is, IIRC, ip_conntrack_ftp.ports=21,31,41
Jan Engelhardt
--
* Re: how to set ports for ip_conntrack_ftp
2006-09-01 2:22 ` Pascal Hambourg
@ 2006-09-02 14:27 ` Jonas Meurer
2006-09-02 15:17 ` Pascal Hambourg
0 siblings, 1 reply; 17+ messages in thread
From: Jonas Meurer @ 2006-09-02 14:27 UTC (permalink / raw)
To: netfilter
On 01/09/2006 Pascal Hambourg wrote:
> Jonas Meurer wrote:
> >>
> >>What do the "-d **.**.***.**/31" address ranges represent ?
> >
> >it is 62.75.128.98/31, which should be 62.75.128.98 and 62.75.128.99.
>
> Actually I did not ask for their exact values but their meaning
> network-wise. Because usually, when there is "-d <range>" in an INPUT
> rule there is "-s <range>" in its OUTPUT counterpart or vice versa, but
> both your INPUT and OUTPUT rule contain the same "-d <range>". So I was
> wondering. Are these the client and server addresses ?
the ftp servers listen on both ips. so both are server addresses.
do you think that i should change the "-d ..." at -A OUTPUT to "-s ..."?
> >let's say, ftp-servers are on port 9621 and 9721. then i need to open
> >9620 and 9720 as well for ftp, correct?
>
> Yes. But I repeat that opening 9620 and 9720 is effective for active
> mode only. Passive mode won't work.
i would like to support both active and passive mode.
> >after using exactly these commands, i'm still not able to connect to the
> >ftp-servers.
> >
> >if i try to login with lftp, it says [Connecting...], then
> >[FEAT negotiation...] and then it hangs forever at
> >[Making data connection...].
>
> This indicates that the control connection succeeds but the data
> connection fails. Maybe lftp uses passive mode for the data connections
> by default, then you have to disable it with "set ftp:passive-mode off"
> so lftp uses active mode instead. You can also use the "debug" command
> in lftp to get a more verbose output.
even with "set ftp:passive-mode off" it doesn't work:
user@home~$ lftp user@62.75.128.98:9621
lftp user@62.75.128.98:/> debug
lftp user@62.75.128.98:/> set ftp:passive-mode on
lftp user@62.75.128.98:/> ls
---> PASV
<--- 227 Entering Passive Mode (62,75,128,98,180,236)
---- Connecting data socket to (62.75.128.98) port 46316
`ls' at 0 [Making data connection...]
lftp user@62.75.128.98:/> set ftp:passive-mode off
lftp user@62.75.128.98:/> ls
---- Connecting to 62.75.128.98 (62.75.128.98) port 9621
<--- 220 diana50 FTP server (Medusa Async V1.23 [experimental]) ready.
---> FEAT
<--- 530 Please log in with USER and PASS
---> AUTH TLS
<--- 500 'AUTH': command not understood.
---> USER user
<--- 331 Password required.
---> PASS XXXX
<--- 230 Login successful.
---> FEAT
<--- 211-Extensions supported:
<--- MDTM
<--- SIZE
<--- 211 END
---> PORT 192,168,3,34,197,115
<--- 200 PORT command successful.
---> LIST
<--- 150 Opening ASCII mode data connection for file list
<--- 426 Connection closed; transfer aborted
---- Closing data socket
any further suggestions?
...
jonas
* Re: how to set ports for ip_conntrack_ftp
2006-09-01 5:59 ` Rob Sterenborg
@ 2006-09-02 14:29 ` Jonas Meurer
2006-09-02 15:16 ` Steffen Heil
2006-09-02 16:14 ` Rob Sterenborg
0 siblings, 2 replies; 17+ messages in thread
From: Jonas Meurer @ 2006-09-02 14:29 UTC (permalink / raw)
To: netfilter
On 01/09/2006 Rob Sterenborg wrote:
> >>> the server is running linux kernel 2.4.27.
> >>
> >> Hmm, I don't know about 2.4.x kernels but in 2.6.x you can always set
> >> parameters to integrated modules on the kernel command line.
> >>
> >> In your case it would be:
> >> ip_conntrack_ftp.ports=21,31,41
> >
> > how can i use this kernel command line?
> > do you mean sysctl?
>
> No.
> You should edit your lilo.conf or grub.conf for this and look for the
> line that says where your kernel is (probably: /boot/...). Append
> "ip_conntrack_ftp.ports=21,31,41" to it.
> Then, reboot the server.
as it is a production server, reboot is very complicated.
there is absolutely no way to set the ports in a running system?
...
jonas
* RE: how to set ports for ip_conntrack_ftp
2006-09-02 14:29 ` Jonas Meurer
@ 2006-09-02 15:16 ` Steffen Heil
2006-09-02 16:14 ` Rob Sterenborg
1 sibling, 0 replies; 17+ messages in thread
From: Steffen Heil @ 2006-09-02 15:16 UTC (permalink / raw)
To: 'Jonas Meurer', netfilter
Hi
> as it is a production server, reboot is very complicated.
> there is absolutely no way to set the ports in a running system?
That's the point of having components as modules instead of in the kernel...
Regards,
Steffen
* Re: how to set ports for ip_conntrack_ftp
2006-09-02 14:27 ` Jonas Meurer
@ 2006-09-02 15:17 ` Pascal Hambourg
2006-09-03 16:29 ` Jonas Meurer
0 siblings, 1 reply; 17+ messages in thread
From: Pascal Hambourg @ 2006-09-02 15:17 UTC (permalink / raw)
To: netfilter
Jonas Meurer wrote:
>>
>>>>What do the "-d **.**.***.**/31" address ranges represent ?
>
> the ftp servers listen on both ips. so both are server addresses.
>
> do you think that i should change the "-d ..." at -A OUTPUT to "-s ..."?
Obviously yes. I just wonder how these rules could accept the control
connection, as they did not accept the return packets from the server.
[...]
> i would like to support both active and passive mode.
To allow active mode you'll have to perform two actions:
1) Look into your FTP server configuration for an option named "passive
mode local port range" or the like. You must define a port range that is
not likely to be used by other local processes (so for example don't
overlap /proc/sys/net/ipv4/ip_local_port_range). The number of ports in
the interval must be sufficiently larger than the expected maximum number of
simultaneous data connections from FTP clients.
2) Set iptables rules in INPUT and OUTPUT which allow incoming TCP
connections to the port range you defined in the previous step.
[...]
> user@home~$ lftp user@62.75.128.98:9621
> lftp user@62.75.128.98:/> debug
>
> lftp user@62.75.128.98:/> set ftp:passive-mode on
>
> lftp user@62.75.128.98:/> ls
> ---> PASV
> <--- 227 Entering Passive Mode (62,75,128,98,180,236)
> ---- Connecting data socket to (62.75.128.98) port 46316
> `ls' at 0 [Making data connection...]
I guess your ruleset does not allow incoming TCP connections to the port
46316, so the data connection fails. Don't bother to allow this port, as
it is dynamic and a different one is chosen by the server for each
passive data connection.
> lftp user@62.75.128.98:/> set ftp:passive-mode off
>
> lftp user@62.75.128.98:/> ls
[...]
> ---> PORT 192,168,3,34,197,115
> <--- 200 PORT command successful.
> ---> LIST
> <--- 150 Opening ASCII mode data connection for file list
> <--- 426 Connection closed; transfer aborted
> ---- Closing data socket
That's probably the effect of the -d option in the second OUTPUT rule.
The server tries to open a data connection to the TCP port 50547 of
192.168.3.34, but this destination address doesn't match the -d option.
Try to change -d to -s. Check also that there is no packet filter on the
client which may block FTP data connections.
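The diagnosis above rests on two numbers pulled out of the lftp debug output: the passive reply `(62,75,128,98,180,236)` means port 46316, and `PORT 192,168,3,34,197,115` means port 50547. The following is an added example, not code from the thread or from netfilter, that does the same decoding ip_conntrack_ftp performs on the control channel and then asks whether the thread's static, port-only ruleset would admit the resulting data connection. Sample lines, addresses and ports are taken from the thread; `CLIENT_IP`, the client's address as the server sees it, is an assumption (RFC 5737 documentation space), and the `address_matches` flag models the helper's default `loose=0` behaviour of refusing to expect a connection to any address other than the announcing peer's own.

```python
# Added example, not code from the thread or from netfilter.
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 959 host/port tuple h1,h2,h3,h4,p1,p2 with port = p1 * 256 + p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def decode_hostport(text: str) -> Tuple[str, int]:
    """Return (ip, port) from the first h1,h2,h3,h4,p1,p2 tuple in text."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no host/port tuple in %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("value above 255 in %r" % text)
    h1, h2, h3, h4, p1, p2 = nums
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


@dataclass(frozen=True)
class DataConn:
    mode: str              # "active": server connects out; "passive": client connects in
    src_ip: str
    src_port: int          # 0 = ephemeral, not knowable from the control channel
    dst_ip: str
    dst_port: int
    address_matches: bool  # announced address equals the announcing peer's own address


def expected_data_conn(line: str, client_ip: str, server_ip: str,
                       control_port: int) -> Optional[DataConn]:
    """Map one control-channel line to the data connection it announces.

    Active: client sends PORT, server connects from control_port - 1.
    Passive: server answers 227, client connects from an ephemeral port.
    address_matches mirrors the helper's default (loose=0) refusal to expect a
    connection to an address other than the peer's own; a mismatch means NAT in
    the path or an FTP bounce attempt.
    """
    line = line.strip()
    if line.upper().startswith("PORT "):
        ip, port = decode_hostport(line)
        return DataConn("active", server_ip, control_port - 1, ip, port, ip == client_ip)
    if line.startswith("227 "):
        ip, port = decode_hostport(line)
        return DataConn("passive", client_ip, 0, ip, port, ip == server_ip)
    return None


@dataclass(frozen=True)
class StaticRules:
    """The thread's ruleset shape: NEW connections pass only on fixed port lists,
    with no conntrack helper to open the data port on demand."""
    input_new_dports: frozenset   # INPUT  --state NEW --dports ...
    output_new_sports: frozenset  # OUTPUT --state NEW --sports ...

    def admits(self, conn: DataConn) -> bool:
        if conn.mode == "active":
            return conn.src_port in self.output_new_sports
        return conn.dst_port in self.input_new_dports


# Constructed from the lftp debug output quoted in the thread.
SERVER_IP = "62.75.128.98"
CLIENT_IP = "203.0.113.34"   # assumed public address of the client
CONTROL_PORT = 9621
THREAD_RULES = StaticRules(frozenset({9621, 9721}), frozenset({9620, 9720}))
PASV_REPLY = "227 Entering Passive Mode (62,75,128,98,180,236)"
PORT_CMD = "PORT 192,168,3,34,197,115"


def report(line: str, rules: StaticRules = THREAD_RULES) -> str:
    conn = expected_data_conn(line, CLIENT_IP, SERVER_IP, CONTROL_PORT)
    if conn is None:
        return "no data connection announced by %r" % line
    return "%s %s:%d -> %s:%d admitted=%s address_matches=%s" % (
        conn.mode, conn.src_ip, conn.src_port, conn.dst_ip, conn.dst_port,
        rules.admits(conn), conn.address_matches)


if __name__ == "__main__":
    print(report(PASV_REPLY))
    print(report(PORT_CMD))
    # Passive only works once the server pins its data ports to a range you open.
    print(report(PASV_REPLY, StaticRules(frozenset(range(46000, 46400)), frozenset())))
```

Run against the two quoted lines, the passive attempt is refused (46316 is not in any opened port list, and the server picks a fresh port each time) while the active attempt is admitted on source port 9620, which is what the thread expects. The active line also shows `address_matches=False`: the client announced 192.168.3.34 although the control connection arrives from some other address, so a helper with `loose=0` would not create an expectation either, and a NAT device unaware of port 9621 would not rewrite the PORT command. That is the case Pascal raises below.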
* RE: how to set ports for ip_conntrack_ftp
2006-09-02 14:29 ` Jonas Meurer
2006-09-02 15:16 ` Steffen Heil
@ 2006-09-02 16:14 ` Rob Sterenborg
1 sibling, 0 replies; 17+ messages in thread
From: Rob Sterenborg @ 2006-09-02 16:14 UTC (permalink / raw)
To: netfilter
>> No.
>> You should edit your lilo.conf or grub.conf for this and look for the
>> line that says where your kernel is (probably: /boot/...). Append
>> "ip_conntrack_ftp.ports=21,31,41" to it.
>> Then, reboot the server.
>
> as it is a production server, reboot is very complicated.
I already thought you were going to say this..
> there is absolutely no way to set the ports in a running system?
Not that I know of.
Gr,
Rob
* Re: how to set ports for ip_conntrack_ftp
2006-09-02 15:17 ` Pascal Hambourg
@ 2006-09-03 16:29 ` Jonas Meurer
2006-09-03 17:35 ` Pascal Hambourg
0 siblings, 1 reply; 17+ messages in thread
From: Jonas Meurer @ 2006-09-03 16:29 UTC (permalink / raw)
To: netfilter
On 02/09/2006 Pascal Hambourg wrote:
> >>>>What do the "-d **.**.***.**/31" address ranges represent ?
> >
> >the ftp servers listen on both ips. so both are server addresses.
> >
> >do you think that i should change the "-d ..." at -A OUTPUT to "-s ..."?
>
> Obviously yes. I just wonder how these rules could accept the control
> connection, as they did not accept the return packets from the server.
i guess that it was a typo in my previous mail. the rules on the server
used -s for -A OUTPUT all the time.
> [...]
> >i would like to support both active and passive mode.
>
> To allow active mode you'll have to perform two actions :
>
> 1) Look into your FTP server configuration for an option named "passive
> mode local port range" or the like. You must define a port range that is
> not likely to be used by other local processes (so for example don't
> overlap /proc/sys/net/ipv4/ip_local_port_range). The number of ports in
> the interval must be sufficiently larger than the expected maximum number of
> simultaneous data connections from FTP clients.
this is a big problem, as the ftp-server does not seem to support any
other configuration than ip and port to listen on. it's the internal
zope ftp-server (Medusa Async V1.23 [experimental]).
> 2) Set iptables rules in INPUT and OUTPUT which allow incoming TCP
> connections to the port range you defined in the previous step.
>
> [...]
>
> I guess your ruleset does not allow incoming TCP connections to the port
> 46316, so the data connection fails. Don't bother to allow this port, as
> it is dynamic and a different one is chosen by the server for each
> passive data connection.
>
> [...]
>
> That's probably the effect of the -d option in the second OUTPUT rule.
> The server tries to open a data connection to the TCP port 50547 of
> 192.168.3.34, but this destination address doesn't match the -d option.
> Try to change -d to -s. Check also that there is no packet filter on the
> client which may block FTP data connections.
now i used the following rules:
iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED \
-m multiport -p tcp --dports 9621,9721 -d 62.75.128.98/31 -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED \
-m multiport -p tcp --sports 9621,9721 -s 62.75.128.98/31 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED \
-m multiport -p tcp --dports 9620,9720 -d 62.75.128.98/31 -j ACCEPT
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED \
-m multiport -p tcp --sports 9620,9720 -s 62.75.128.98/31 -j ACCEPT
unfortunately i still get the same result, both with passive and active
ftp.
i understand why passive ftp doesn't work, the ports are simply not open
for the passive connection. but why does active ftp still not work? i
tried from different servers without firewall and without a nat router,
so the client cannot be the problem at all.
do you have any further suggestions?
it would be great to get at least active ftp working.
...
jonas
* Re: how to set ports for ip_conntrack_ftp
2006-09-03 16:29 ` Jonas Meurer
@ 2006-09-03 17:35 ` Pascal Hambourg
0 siblings, 0 replies; 17+ messages in thread
From: Pascal Hambourg @ 2006-09-03 17:35 UTC (permalink / raw)
To: netfilter
Jonas Meurer wrote:
>>
>>>i would like to support both active and passive mode.
>>
>>To allow active mode you'll have to perform two actions :
[...]
I meant "passive", of course.
> this is a big problem, as the ftp-server does not seem to support any
> other configuration than ip and port to listen on. it's the internal
> zope ftp-server (Medusa Async V1.23 [experimental]).
Well, so I'm afraid that you have to forget about passive mode, unless
you allow incoming connections to the whole port range defined in
/proc/sys/net/ipv4/ip_local_port_range. I guess it is not what you want.
> now i used the following rules:
> iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED \
> -m multiport -p tcp --dports 9621,9721 -d 62.75.128.98/31 -j ACCEPT
> iptables -A OUTPUT -o eth0 -m state --state ESTABLISHED \
> -m multiport -p tcp --sports 9621,9721 -s 62.75.128.98/31 -j ACCEPT
> iptables -A INPUT -i eth0 -m state --state ESTABLISHED \
> -m multiport -p tcp --dports 9620,9720 -d 62.75.128.98/31 -j ACCEPT
> iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED \
> -m multiport -p tcp --sports 9620,9720 -s 62.75.128.98/31 -j ACCEPT
>
> unfortunately i still get the same result, both with passive and active
> ftp.
> i understand why passive ftp doesn't work, the ports are simply not open
> for the passive connection. but why does active ftp still not work? i
> tried from different servers without firewall and without a nat router,
> so the client cannot be the problem at all.
>
> do you have any further suggestions?
Run a packet sniffer on the server, start a local FTP session in active
mode, watch the traffic and check that the data connection uses port
9620/9621 as expected.
Run a packet sniffer on both the client and the server and watch the FTP
session.
If acceptable, try to allow by address any traffic between your client
and the server.
I noticed that your client had a private IP address 192.168.x.x. Is
there a NAT device between the client and the server ? If yes, is this
NAT device aware that you do FTP on non standard ports ?
What is the delay between the two following lines during a LIST attempt
in active mode :
> <--- 150 Opening ASCII mode data connection for file list
> <--- 426 Connection closed; transfer aborted
No delay ?
Some delay ?
Hang until you abort ?