* Firewall and a FTP server
@ 2005-12-19 11:52 TAC Forums
  2005-12-19 12:08 ` Askar Ali
                   ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: TAC Forums @ 2005-12-19 11:52 UTC (permalink / raw)
  To: netfilter

Hi All,

We have an FTP server (Red Hat Linux 7) behind a firewall; the
firewall allows only incoming and established connections on ports
20,21 from anywhere and everywhere.

The problem is, when the customers use FTP clients, they manage to
log in, but cannot upload/download files if they use PASSIVE FTP
connections.

Can someone suggest the best way to get out of this situation?
Should we enable all ports above 1023?

Regards,
Boskey

--
TAC Support Team



* Re: Firewall and a FTP server
  2005-12-19 11:52 Firewall and a FTP server TAC Forums
@ 2005-12-19 12:08 ` Askar Ali
  2005-12-20  5:30   ` TAC Forums
  2005-12-19 15:15 ` Firewall and a FTP server (nfcan: addressed to exclusive sender for this address) Jim Laurino
  2005-12-19 16:15 ` Firewall and a FTP server Marcin Krol
  2 siblings, 1 reply; 7+ messages in thread
From: Askar Ali @ 2005-12-19 12:08 UTC (permalink / raw)
  To: TAC Forums; +Cc: netfilter

TAC Forums wrote:

>Hi All,
>
>We have an FTP server (Red Hat Linux 7) behind a firewall; the
>  
>
Why are you still using a historic version of RH? :)

>firewall allows only incoming and established connections on ports
>20,21 from anywhere and everywhere.
>
>The problem is, when the customers use FTP clients, they manage to
>log in, but cannot upload/download files if they use PASSIVE FTP
>connections.
>
>Can someone suggest the best way to get out of this situation?
>Should we enable all ports above 1023?
>
>Regards,
>Boskey
>
>--
>TAC Support Team
>
>
>  
>
Hi TAC,

Verify that the modules

ip_conntrack_ftp
ip_nat_ftp

are loaded; if not, try to load them with "modprobe ip_conntrack_ftp" and
put it in your firewall startup script so that the modules load at boot time.




regards,

askar



* RE: Firewall and a FTP server
@ 2005-12-19 14:31 Derick Anderson
  0 siblings, 0 replies; 7+ messages in thread
From: Derick Anderson @ 2005-12-19 14:31 UTC (permalink / raw)
  To: TAC Forums, netfilter

 

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org 
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Askar Ali
> Sent: Monday, December 19, 2005 7:09 AM
> To: TAC Forums
> Cc: netfilter@lists.netfilter.org
> Subject: Re: Firewall and a FTP server
> 
> TAC Forums wrote:
> 
> >Hi All,
> >
> >We have an FTP server (Red Hat Linux 7) behind a firewall; the
> >  
> >
> Why are you still using a historic version of RH? :)
> 
> >firewall allows only incoming and established connections on ports
> >20,21 from anywhere and everywhere.
> >
> >The problem is, when the customers use FTP clients, they manage to
> >log in, but cannot upload/download files if they use PASSIVE FTP
> >connections.
> >
> >Can someone suggest the best way to get out of this situation?
> >Should we enable all ports above 1023?
> >
> >Regards,
> >Boskey
> >
> >--
> >TAC Support Team
> >
> >
> >  
> >
> Hi TAC,
> 
> Verify that the modules
> 
> ip_conntrack_ftp
> ip_nat_ftp
> 
> are loaded; if not, try to load them with "modprobe 
> ip_conntrack_ftp" and put it in your firewall startup script 
> so that the modules load at boot time.
> 
> 
> 
> 
> regards,
> 
> askar

If you don't have those modules in the kernel you will need to open up
NEW connections for the passive ports on your FTP server or recompile
your kernel. I've done the port-opening thing when recompiling the
kernel on a live firewall was more downtime than the PTB were willing to
accept.

Derick Anderson 



* Re: Firewall and a FTP server (nfcan: addressed to exclusive sender for this address)
  2005-12-19 11:52 Firewall and a FTP server TAC Forums
  2005-12-19 12:08 ` Askar Ali
@ 2005-12-19 15:15 ` Jim Laurino
  2005-12-19 16:15 ` Firewall and a FTP server Marcin Krol
  2 siblings, 0 replies; 7+ messages in thread
From: Jim Laurino @ 2005-12-19 15:15 UTC (permalink / raw)
  To: netfilter

On 2005.12.19 06:52, TAC Forums - tac.forums@gmail.com wrote:
> Hi All,
> 
> We have an FTP server (Red Hat Linux 7) behind a firewall; the
> firewall allows only incoming and established connections on ports
> 20,21 from anywhere and everywhere.
> 
> The problem is, when the customers use FTP clients, they manage to
> log in, but cannot upload/download files if they use PASSIVE FTP
> connections.
> 
> Can someone suggest the best way to get out of this situation?
> Should we enable all ports above 1023?

Besides loading the modules, as already discussed,
you need to change the filter rules to allow
not only ESTABLISHED but also RELATED connections.
This eliminates the need to open all the high ports.
The new rule would look something like this:

$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

-- 
Jim Laurino
nfcan.x.jimlaur@dfgh.net
Please reply to the list.
Only mail from the listserver reaches this address.
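An added example, not code from any message in this thread, that puts Askar's module check and Jim's ESTABLISHED,RELATED rule together in one firewall script. The server address 192.0.2.10, the IPT/MODPROBE variables and the exact shape of the rules are my assumptions; the module names are the ones used in the thread (ip_conntrack_ftp, ip_nat_ftp), which on current kernels are called nf_conntrack_ftp and nf_nat_ftp. Running the script with IPT=echo (or the dryrun argument) prints the rules instead of installing them, so the difference between the two rule sets can be inspected without touching a live firewall.

```shell
#!/bin/sh
# Added example, not from the thread: FTP conntrack helper check plus the
# ESTABLISHED,RELATED rule set. Module names follow the thread (2.4 / early
# 2.6 kernels); on current kernels they are nf_conntrack_ftp and nf_nat_ftp.

IPT="${IPT:-iptables}"           # set IPT=echo for a dry run
MODPROBE="${MODPROBE:-modprobe}"
FTP_SERVER="${FTP_SERVER:-192.0.2.10}"   # constructed address of the FTP server behind the firewall

# Print the required helper modules that do NOT appear in the /proc/modules
# text passed as $1 (one module per line, module name in the first column).
missing_ftp_helpers() {
    modules="$1"
    for m in ip_conntrack_ftp ip_nat_ftp; do
        if ! printf '%s\n' "$modules" | awk '{print $1}' | grep -qx "$m"; then
            printf '%s\n' "$m"
        fi
    done
}

# Load whatever is missing, reading the live /proc/modules (needs root).
load_ftp_helpers() {
    for m in $(missing_ftp_helpers "$(cat /proc/modules)"); do
        $MODPROBE "$m"
    done
}

# A rule set like the original post's: only ESTABLISHED traffic gets back
# through, so the passive data connection, which the firewall sees as a NEW
# connection to a high port, is dropped by the final rule.
rules_established_only() {
    $IPT -A FORWARD -d "$FTP_SERVER" -p tcp -m multiport --dports 20,21 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -j DROP
}

# Corrected rule set: with ip_conntrack_ftp loaded, the data connection
# announced in the PASV reply is classified RELATED and accepted by the
# second rule, so no range of high ports has to be opened for NEW connections.
rules_established_related() {
    $IPT -A FORWARD -d "$FTP_SERVER" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -j DROP
}

case "${1:-}" in
    apply)  load_ftp_helpers; rules_established_related ;;
    dryrun) IPT=echo; rules_established_related ;;
esac
```

Usage: `sh ftp-fw.sh dryrun` prints the corrected rules; `sh ftp-fw.sh apply` loads the helpers and installs them. The DROP at the end of each function is what makes the ESTABLISHED-only variant fail for passive transfers, which is why the RELATED state (not a wider port range) is the fix.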



* Re: Firewall and a FTP server
  2005-12-19 11:52 Firewall and a FTP server TAC Forums
  2005-12-19 12:08 ` Askar Ali
  2005-12-19 15:15 ` Firewall and a FTP server (nfcan: addressed to exclusive sender for this address) Jim Laurino
@ 2005-12-19 16:15 ` Marcin Krol
  2005-12-20  1:19   ` ludi
  2 siblings, 1 reply; 7+ messages in thread
From: Marcin Krol @ 2005-12-19 16:15 UTC (permalink / raw)
  To: TAC Forums; +Cc: netfilter

Hello TAC,

TF> We have an FTP server (Red Hat Linux 7) behind a firewall; the
TF> firewall allows only incoming and established connections on ports
TF> 20,21 from anywhere and everywhere.

TF> The problem is, when the customers use FTP clients, they manage to
TF> log in, but cannot upload/download files if they use PASSIVE FTP
TF> connections.

TF> Can someone suggest the best way to get out of this situation?
TF> Should we enable all ports above 1023?

If you use VSFTPD (recommended), there's a directive there that tells
the daemon to open a port from a selected range of ports - that should
be more secure.


-- 
Best regards,
 Marcin                            mailto:mark@wbp.krakow.pl
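An added example, not from Marcin's or Derick's messages, of the helper-less alternative both of them point at: confine vsftpd's passive data ports to a small range and open NEW connections only for that range, instead of "all ports above 1023". The directive Marcin mentions but does not name is vsftpd's pasv_min_port / pasv_max_port pair (those are real vsftpd.conf options, not something the thread states). The range 50000-50099, the address 192.0.2.10 and the rule layout are my assumptions; run with IPT=echo to print rules instead of installing them.

```shell
#!/bin/sh
# Added example, not from the thread: pin vsftpd passive ports to a range and
# open exactly that range on the firewall. pasv_min_port / pasv_max_port are
# vsftpd.conf directives; the range and server address are constructed.

IPT="${IPT:-iptables}"                   # set IPT=echo for a dry run
FTP_SERVER="${FTP_SERVER:-192.0.2.10}"   # constructed
PASV_MIN="${PASV_MIN:-50000}"            # constructed range
PASV_MAX="${PASV_MAX:-50099}"

# Reject non-numeric, privileged (<= 1023), out-of-range or reversed ranges
# before they reach either the daemon config or the firewall.
valid_pasv_range() {
    min="$1"; max="$2"
    [ -n "$min" ] && [ -n "$max" ] || return 1
    case "$min$max" in *[!0-9]*) return 1 ;; esac
    [ "$min" -gt 1023 ] && [ "$max" -le 65535 ] && [ "$min" -le "$max" ]
}

# Emit the vsftpd.conf lines that confine passive mode to the range.
vsftpd_pasv_config() {
    valid_pasv_range "$1" "$2" || return 1
    printf 'pasv_enable=YES\npasv_min_port=%s\npasv_max_port=%s\n' "$1" "$2"
}

# Emit the matching rules: NEW connections to the server are accepted only
# on port 21 and on the passive range; everything else above 1023 stays shut.
pasv_firewall_rules() {
    valid_pasv_range "$1" "$2" || return 1
    $IPT -A FORWARD -d "$FTP_SERVER" -p tcp --dport 21 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -d "$FTP_SERVER" -p tcp --dport "$1:$2" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -j DROP
}

case "${1:-}" in
    config) vsftpd_pasv_config "$PASV_MIN" "$PASV_MAX" ;;
    apply)  pasv_firewall_rules "$PASV_MIN" "$PASV_MAX" ;;
esac
```

Usage: `sh pasv-range.sh config >> /etc/vsftpd/vsftpd.conf` (check the path for your distribution) and `sh pasv-range.sh apply` for the rules. Keep the two in sync from the same PASV_MIN/PASV_MAX values, because a range that is open on the firewall but not configured in the daemon (or the other way round) reproduces the original symptom: login works, transfers stall.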





* Re: Firewall and a FTP server
  2005-12-19 16:15 ` Firewall and a FTP server Marcin Krol
@ 2005-12-20  1:19   ` ludi
  0 siblings, 0 replies; 7+ messages in thread
From: ludi @ 2005-12-20  1:19 UTC (permalink / raw)
  To: netfilter

Hi, I have the same problem. I have a proftpd and set up a script on
the server to start iptables. I have loaded ip_conntrack_ftp.
But my client still cannot connect to the FTP in "PASSIVE" mode.
Thx


* Re: Firewall and a FTP server
  2005-12-19 12:08 ` Askar Ali
@ 2005-12-20  5:30   ` TAC Forums
  0 siblings, 0 replies; 7+ messages in thread
From: TAC Forums @ 2005-12-20  5:30 UTC (permalink / raw)
  To: Askar Ali; +Cc: netfilter

Hi Askar,

On 12/19/05, Askar Ali <askarali@gmail.com> wrote:
> TAC Forums wrote:
>
> >Hi All,
> >
> >We have an FTP server (Red Hat Linux 7) behind a firewall; the
> >
> >
> Why are you still using a historic version of RH? :)
>
Well, we are stuck with a Sun Cobalt Raq 550 server for our life!!

> >firewall allows only incoming and established connections on ports
> >20,21 from anywhere and everywhere.
> >
> >The problem is, when the customers use FTP clients, they manage to
> >log in, but cannot upload/download files if they use PASSIVE FTP
> >connections.
> >
> >Can someone suggest the best way to get out of this situation?
> >Should we enable all ports above 1023?
> >
> >Regards,
> >Boskey
> >
> >--
> >TAC Support Team
> >
> >
> >
> >
> Hi TAC,
>
> Verify that the modules
>
> ip_conntrack_ftp
> ip_nat_ftp
>
> are loaded; if not, try to load them with "modprobe ip_conntrack_ftp" and
> put it in your firewall startup script so that the modules load at boot time.
>
>
Thank you, this is already done.
Regards,
Boskey
>
>
> regards,
>
> askar
>


--
TAC Support Team


