Firewall issues with setting up vsftp server

Chris Johnson chris.johnson at sekoworldwide.com
Thu Dec 16 20:49:09 UTC 2004


Terry,
    Did you get this working?
    FTP protocol uses port 21 for the control connection (sending 
commands like cd, mkdir, etc...) and also uses port 20 for the data 
connection in "active mode". There was a problem using active mode; the 
server makes the data connection back to the client. As soon as 
firewalls were invented to protect the "client" machines everyone's ftp 
data sessions wouldn't work. So enters Passive (PASV) ftp mode. In 
passive mode the server selects and tells the client machine a random 
high number port to connect to for the data session. Your data 
connections are timing out because the firewall isn't open on those 
random high number ports. There is an iptables kernel module to maintain 
passive ftp state. Try doing an 'insmod ftp_conntrack_ftp' and see if it 
helps.
good luck,
chrisj

Terry Linhardt wrote:

> I am attempting to set up an ftp server on an internal network. (All 
> hosts are 192.168.1.*)  I am using vsftp, but stumbling over an 
> iptables related issue.  Also, this is Fedora Core 3.
>
> vsftp is running as a stand-alone daemon. I used the "security level" 
> icon to permit ftp traffic on the server. At that point I CAN connect 
> from a remote client to the ftp server. I can login properly. I can cd 
> to a directory of choice. However, as soon as I try to download data 
> (or even do an ls), I get a message of "entering passive mode"  and 
> then "no route to host" error message. This problem can be eliminated 
> by going to /etc/rc.d/init.d and doing an "iptables stop", which turns 
> off all firewall features. However as soon as I reactivate the 
> iptables I once again get the "no route to host" message when I try to 
> transfer data.
>
> I am guessing that I am getting blocked by a closed port.  I've done 
> some research, and generally understand the concept, but don't 
> understand how to get past what appears to be a closed port issue 
> without opening up a large range of ports. While that may not be 
> distasteful on my private network, it is not desirable if I eventually 
> make this machine available to the outside world.
>
> Any guidance would be appreciated.
>
> Thanks...Terry
>


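The following is an added example, not code from this thread or from vsftpd: it shows the server-side iptables rules that let the conntrack FTP helper do what Chris describes (open only port 21 by number and admit each data connection as RELATED once the helper has read the PASV/PORT exchange), and a small parser that does the same tuple extraction the helper performs. Assumptions: a current iptables, the helper module under its present name nf_conntrack_ftp (on 2004-era kernels it was ip_conntrack_ftp), FTP_LAN set to Terry's 192.168.1.* network, and constructed sample control-channel lines.

```shell
#!/bin/sh
# Added example, not part of the thread: the firewall side of passive FTP on a
# vsftpd server, built around the conntrack FTP helper Chris refers to.
# Assumptions: a current iptables; the helper module is nf_conntrack_ftp (the
# 2004-era name was ip_conntrack_ftp); FTP_LAN is Terry's 192.168.1.* network.
set -eu

FTP_LAN=${FTP_LAN:-192.168.1.0/24}
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them (root needed)

run() {
    if [ "$DRY_RUN" = 0 ]; then "$@"; else echo "$*"; fi
}

# Server-side rules. Only port 21 is opened by number; the random high port of
# each data connection is admitted because the helper parsed the PASV reply
# on the control channel and tagged the matching connection RELATED.
ftp_firewall_rules() {
    run modprobe nf_conntrack_ftp
    # Kernels 4.7 and later do not attach helpers automatically; bind the
    # ftp helper to the control port explicitly in the raw table.
    run iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp -s "$FTP_LAN" --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
    # The INPUT chain's default policy should be DROP (set it once your other
    # service rules, e.g. SSH, are in place); nothing then reaches the high
    # ports except connections the helper has expected.
}

# What the helper does on the control channel: pull the h1,h2,h3,h4,p1,p2
# tuple out of a PASV reply (server tells the client where to connect) or a
# PORT command (client tells the server where to connect back, the active-mode
# case Chris describes) and turn it into the data endpoint host:port.
# Prints "passive host:port" or "active host:port"; returns 1 on other input.
ftp_data_endpoint() {
    case $1 in
        227*)  mode=passive ;;   # "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
        PORT*) mode=active ;;    # "PORT h1,h2,h3,h4,p1,p2"
        *)     return 1 ;;
    esac
    out=$(printf '%s\n' "$1" | awk -v mode="$mode" '
        match($0, /[0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+,[0-9]+/) {
            split(substr($0, RSTART, RLENGTH), n, ",")
            printf "%s %s.%s.%s.%s:%d\n", mode, n[1], n[2], n[3], n[4], n[5] * 256 + n[6]
        }')
    [ -n "$out" ] || return 1        # malformed tuple: nothing to expect
    printf '%s\n' "$out"
}

# Constructed sample lines (not captured from the thread):
#   ftp_data_endpoint '227 Entering Passive Mode (192,168,1,10,195,80)'
#     -> passive 192.168.1.10:50000
#   ftp_data_endpoint 'PORT 192,168,1,20,8,1'
#     -> active 192.168.1.20:2049

# Stand-alone run: print the rule set (DRY_RUN=0 applies it instead).
ftp_firewall_rules
```

Run it as-is to see the rules, or with DRY_RUN=0 as root to apply them. The helper only works because it can read the clear-text control channel; if the control connection is encrypted (FTPS), it cannot see the PASV reply, and the fallback is to pin vsftpd's pasv_min_port/pasv_max_port to a small range and open only that range.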