Re: allowing passive FTP from the outside

On Sun, 3 Apr 2005, Robert Slade wrote:

On Sat, 2005-04-02 at 22:33, Justin Zygmont wrote:
On Sat, 2 Apr 2005, Markku Kolkka wrote:

Justin Zygmont wrote in his message (sent Saturday, 2 April 2005 12:23):
I know the problem is because of a nonexistent iptables rule; I'm
just at a loss as to what the missing rules should look like.
The only thing that is different in this case is that I need
to use port 221 for FTP instead of 21.

That's what breaks everything. The FTP control connection must be on server port 21. Using a different port violates RFC 959 and ip_conntrack_ftp doesn't watch any other port for FTP traffic.

Are you sure ftp_conntrack is even needed? I thought that was usually used just for stateful routing through a server, and not for connecting to one from the outside. Also, when I shut iptables down, it works; I can get an FTP listing.

Yes, it does. ftp_conntrack etc. monitors the traffic on port 21 and
dynamically opens the higher-numbered (data) ports that the control connection on port 21
asks for. Turning off iptables just opens all the ports.

If you are using vsftp, then you can set the ports used by passive FTP
and then open them in iptables, but this is a risk as they can be
abused. This may be possible with other FTP servers.

Then wouldn't this mean that FTP on the regular port 21 would not work at all unless you had ftp_conntrack loaded? Because I've run FTP servers before without it, and it worked fine. Do you happen to remember this option in vsftpd? I don't recall seeing it.

Thanks for the replies, everyone.
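The mechanism the thread is arguing about is easier to see in code. The following is an added example written for this page; it is not code from the posters or from the netfilter project, and the addresses and control-channel lines in it are constructed. It models what ip_conntrack_ftp does: it only parses control connections whose server-side port is in its watched list (port 21 by default, extendable with the module's ports= parameter), it pulls the address and port out of the server's 227 reply (passive) or the client's PORT command (active), and it marks the matching data SYN as RELATED so a RELATED,ESTABLISHED accept rule lets it through. The four scenarios in the block reproduce the thread: passive on 21 with the helper works, passive on 221 with the helper watching only 21 is dropped, adding 221 to the watched ports fixes it, and a statically opened passive range works without any helper at the cost of leaving that range open. It also shows why an FTP server on port 21 can appear to work without the helper: an active-mode data connection is opened outbound by the server, so nothing in INPUT has to be punched for it. The names FtpHelper, input_verdict and passive_data_verdict are this example's own.

```python
"""Toy model of the ip_conntrack_ftp helper and the INPUT policy around it.

Added example for this thread; not code from the posters or from netfilter.
Addresses, the 227 reply and the PORT command below are constructed.
"""
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server and
# "PORT h1,h2,h3,h4,p1,p2" from the client; port = p1*256 + p2 (RFC 959).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_hostport(groups):
    """Turn the six RFC 959 decimal fields into (ip, port), rejecting bad octets."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("field out of range in FTP address")
    h1, h2, h3, h4, p1, p2 = vals
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpHelper:
    """Watches control connections and records the data connections they negotiate.

    control_ports plays the role of the module's 'ports=' parameter: the real
    helper only parses traffic whose server-side port is in that list (default 21).
    """

    def __init__(self, control_ports=(21,)):
        self.control_ports = frozenset(control_ports)
        self.expected = set()  # (src_ip, dst_ip, dst_port) of data SYNs to expect

    def on_control_line(self, client_ip, server_ip, server_port, from_server, line):
        """Inspect one control-channel line; return True if a data port was registered."""
        if server_port not in self.control_ports:
            return False  # not FTP as far as the helper knows: nothing gets opened
        if from_server:
            m = PASV_RE.match(line)
            if not m:
                return False
            host, port = decode_hostport(m.groups())
            if host != server_ip:
                return False  # refuse to punch a hole toward a third host
            self.expected.add((client_ip, host, port))  # passive: client dials in
            return True
        m = PORT_RE.match(line)
        if not m:
            return False
        host, port = decode_hostport(m.groups())
        if host != client_ip:
            return False
        self.expected.add((server_ip, host, port))  # active: server dials out
        return True

    def is_related(self, src_ip, dst_ip, dst_port):
        return (src_ip, dst_ip, dst_port) in self.expected


def input_verdict(helper, open_ports, src_ip, dst_ip, dst_port, pasv_range=None):
    """Model of the server's INPUT chain for a new TCP SYN.

    Rule order: accept explicitly opened ports (the control port); accept what the
    helper marked RELATED; optionally accept a static passive range (vsftpd's
    pasv_min_port/pasv_max_port opened by hand, the riskier alternative); drop.
    """
    if dst_port in open_ports:
        return "ACCEPT"
    if helper.is_related(src_ip, dst_ip, dst_port):
        return "ACCEPT"
    if pasv_range and pasv_range[0] <= dst_port <= pasv_range[1]:
        return "ACCEPT"
    return "DROP"


CLIENT, SERVER = "198.51.100.7", "192.0.2.10"  # constructed addresses
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,149)"  # data port 50069


def passive_data_verdict(control_port, watched_ports, pasv_range=None):
    """Run one passive negotiation on control_port and return the data SYN's verdict."""
    helper = FtpHelper(watched_ports)
    helper.on_control_line(CLIENT, SERVER, control_port, True, PASV_REPLY)
    host, port = decode_hostport(PASV_RE.match(PASV_REPLY).groups())
    return input_verdict(helper, {control_port}, CLIENT, host, port, pasv_range)


if __name__ == "__main__":
    print("control 21,  helper watches 21     :", passive_data_verdict(21, (21,)))
    print("control 221, helper watches 21     :", passive_data_verdict(221, (21,)))
    print("control 221, helper watches 21,221 :", passive_data_verdict(221, (21, 221)))
    print("control 221, no helper, range open :",
          passive_data_verdict(221, (), (50000, 50100)))
```

On a real 2.6 box the equivalents of the two working configurations are, first, `modprobe ip_conntrack_ftp ports=21,221` together with an `iptables -A INPUT -p tcp --dport 221 -j ACCEPT` rule and an `iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT` rule, and second, `pasv_min_port`/`pasv_max_port` in vsftpd.conf with that range accepted in INPUT. The second leaves the whole range reachable by anyone regardless of whether an FTP session negotiated it, which is the risk Robert refers to; the helper approach only opens the one port a live control session asked for, and only toward the peer of that session.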
