Firewall issues with setting up vsftp server

Terry Linhardt linhardt at swbell.net
Sat Dec 11 17:58:24 UTC 2004


Jeff Kinz wrote:

>On Sat, Dec 11, 2004 at 11:07:40AM -0600, Terry Linhardt wrote:
>  
>
>>Jeff Kinz wrote:
>>    
>>
>>>On Sat, Dec 11, 2004 at 10:17:30AM -0600, Terry Linhardt wrote:
>>>      
>>>
>>>>I am attempting to set up an ftp server on an internal network. (All 
>>>>hosts are 192.168.1.*)  I am using vsftp, but stumbling over an iptables 
>>>>related issue.  Also, this is Fedora Core 3.
>>>>        
>>>>
>>>What's the content of your iptables script? (Sanitize any important info,
>>>please.)
>>>
>>>      
>>>
>>Actually, the iptables are the defaults provided with FC3. I have used 
>>the GUI to "open" SSH and FTP. As noted in my original post, my problem 
>>disappears if I stop the iptables (/etc/rc.d/init.d/iptables stop)
>>    
>>
>
>I never use the GUI tools for iptables.  I build iptables setup scripts
>directly, using templates and macros that allow for some fairly fast and
>very fine grained control.
>
>What are the contents of your /etc/sysconfig/iptables file?
>  
>
>>>What is the shape/configuration of your Network?
>>>
>>>      
>>>
>>All machines are attached to a Linksys router within the same building. 
>>Some are wireless, but I don't think that is an issue.  All machines, 
>>including the server, are in the IP range of 192.168.1.X with a 
>>255.255.255.0 netmask. In short, *all* machines at this point are on a 
>>private network, on the same LAN.
>>    
>>
>
>I am assuming your internal LAN is not a "Hostile" environment. (If this
>isn't true, let us know)
>  
>
Correct, not hostile

>Since you don't mention any connection from this LAN to the Internet,
>you can just turn off the firewall.
>
>If you have an Internet connection:
>
>If your server has dual NICs, where one NIC is a gateway to the
>internet, just turn off the firewalling on the NIC which is connected
>to the internal LAN and leave it running on the NIC used for the
>external Internet connection.
>
>If you are using the Linksys router as your internet gateway (and you
>actually trust it), turn off the firewall on your server completely.
>Since you trust the Linksys router (which I wouldn't use personally, for
>other reasons), you don't necessarily need the additional firewall on
>your server.
>  
>
>>>Where is the delivery target in relation to your server?
>>> 
>>>      
>>>
>>If I understand your question, the physical relationship is that they 
>>are in adjacent rooms.
>>    
>>
>
>So both target and source are on the same LAN, and the file transfer
>doesn't travel over the internet.
>  
>
Correct.

I might also add that your comments above about using dual NICs, turning 
off iptables internally, etc. are all valid.  I'll just note that this 
has become one of those issues in which I want to learn how to solve the 
problem at hand, even though there are a couple of "work-arounds." 
Sometimes I am just pragmatic, but I envision a need to solve this 
problem for a "public" ftp server in the near future.

Terry
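Added example, not part of this thread or of Fedora's own configuration: a script that generates an iptables-restore ruleset following the per-interface suggestion above, admitting SSH and the FTP control channel only on the LAN-side NIC and leaving the Internet-facing NIC closed. It assumes eth1 is the LAN interface, 192.168.1.0/24 the LAN prefix, and that the kernel's FTP connection-tracking helper (ip_conntrack_ftp on FC3-era 2.6 kernels) is loaded, since without it the FTP data connections are not matched as RELATED even when port 21 is open.

```shell
#!/bin/sh
# Assumed interface and prefix; override with LAN_IF=... LAN_NET=... in the environment.
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the ruleset in iptables-restore format so it can be reviewed before
# it is loaded (iptables-restore ignores lines starting with '#').
ftp_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies, plus the FTP data connections (active or passive) that the
# ip_conntrack_ftp helper ties to an existing control session.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Trusted LAN only: new SSH and FTP control connections must arrive on the
# LAN interface AND carry a LAN source, so a packet with a forged 192.168.1.x
# source on the external NIC is still dropped.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 21 -m state --state NEW -j ACCEPT
# Everything else is logged and then hits the DROP policy.
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT drop: "
COMMIT
EOF
}

# Policy check: succeeds (exit 0) only when every rule that admits NEW
# connections is scoped to the LAN interface and prefix.
lan_only() {
    [ "$(ftp_ruleset | grep -- '--state NEW' | grep -vc -- "-i $LAN_IF -s $LAN_NET")" -eq 0 ]
}

# Number of rules that open the FTP control port (expected: exactly one).
ftp_control_rules() {
    ftp_ruleset | grep -c -- '--dport 21 '
}

# Stand-alone use: print the ruleset and the result of the policy check.
if [ "${1:-}" = "--show" ]; then
    ftp_ruleset
    lan_only && echo "check: new connections are LAN-scoped"
fi
```

Load the helper first (modprobe ip_conntrack_ftp) and then feed the output to iptables-restore, or save it as /etc/sysconfig/iptables for the init script to load.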