Security setting to prevent passive ftp?

Matthew Saltzman mjs at ces.clemson.edu
Sun Jul 24 17:05:55 UTC 2005


On Sun, 24 Jul 2005, Jon August wrote:

>
> Hmm - looks like that module fails to load.  Is there a log that would 
> explain why this failed?  Thanks for the help!

'cause my fingers got ahead of my brain.  It's "ip_conntrack_ftp".

Sorry...

>
> $ sudo /etc/rc.d/init.d/iptables restart
> Flushing firewall rules:                                   [  OK  ]
> Setting chains to policy ACCEPT: filter                    [  OK  ]
> Unloading iptables modules:                                [  OK  ]
> Applying iptables firewall rules:                          [  OK  ]
> Loading additional iptables modules: iptables_conntrack_ftp[FAILED]
>
> -Jon
>
> On Jul 24, 2005, at 6:36 AM, Matthew Saltzman wrote:
>
>
>> On Sat, 23 Jul 2005, Jonathan August wrote:
>> 
>> 
>> 
>>> 
>>> The modprobe ip_conntrack_ftp doesn't return anything and it seems to 
>>> still have an issue...  Do I need to reboot or something?
>>> 
>>> 
>> 
>> You can tell if the modprobe had the desired effect by issuing lsmod.
>> 
>> 
>> 
>>> 
>>> Also, what do I add to /etc/sysconfig/iptables-config?  There just seems 
>>> to be a few things in there with YES or NO settings...
>>> 
>>> 
>> 
>> IPTABLES_MODULES="iptables_conntrack_ftp"
>> 
>> No need to reboot, but you could "/sbin/service iptables restart". 
>> Shouldn't be necessary after the modprobe, but the iptables-config entry 
>> only takes effect after restarting iptables.
>> 
>> Are you sure all appropriate ports (20 and 21) are open (on the server and 
>> through the firewall)?  Is ncftpd configured correctly for passive access?
>> (I don't know anything about configuring ncftpd.  Just trying to think of 
>> things to check.)
>> 
>> 
>> 
>>> 
>>> ??
>>> 
>>> Thanks,
>>> -Jon
>>> 
>>> 
>>> 
>>> On Jul 23, 2005, at 10:12 AM, Matthew Saltzman wrote:
>>> 
>>> 
>>> 
>>>> On Sat, 23 Jul 2005, Alexander Dalloz wrote:
>>>> 
>>>> 
>>>>> On Sat, 23.07.2005 at 15:38, Jonathan August wrote:
>>>>> 
>>>>> 
>>>>>> For my users that use passive ftp, when they connect to ncftpd on my
>>>>>> server, the connection takes a long time and eventually for them as
>>>>>> dialup users, it times out.  If I try to ftp to the machine behind my
>>>>>> firewall and specify to use passive, as soon as I try anything that
>>>>>> sends data (ls, put, get), the connection gets dropped.  I turned off
>>>>>> SELinux, but this didn't help.  Any ideas?
>>>>>>     -Jon
>>>>>> 
>>>>>> 
>>>>> modprobe ip_conntrack_ftp
>>>>> 
>>>>> 
>>>> And to make it permanent, add to /etc/sysconfig/iptables-config.
>>>> 
>>>> 
>>>>> Alexander
>>>>> 
>>>>> 
>>>> -- 
>>>>         Matthew Saltzman
>>>> Clemson University Math Sciences
>>>> mjs AT clemson DOT edu
>>>> http://www.math.clemson.edu/~mjs
>>>> -- 
>>>> fedora-list mailing list
>>>> fedora-list at redhat.com
>>>> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>>>> 
>>>> 
>>> 
>> 
>> -- 
>>         Matthew Saltzman
>> 
>> Clemson University Math Sciences
>> mjs AT clemson DOT edu
>> http://www.math.clemson.edu/~mjs
>> 
>> 
>> 
>

-- 
 		Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
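
An added example, not part of the original message: the restart output above reports only [FAILED] for a misnamed module, so this sketch cross-checks the names in IPTABLES_MODULES against an lsmod listing, as the thread suggests doing by hand. The function names, sample file names and module sizes are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find module names in IPTABLES_MODULES
# that are not present in an lsmod listing.

# Print the modules named by IPTABLES_MODULES in config file $1, one per line.
config_modules() {
    # Last assignment wins; IPTABLES_MODULES_UNLOAD= must not match.
    sed -n 's/^[[:space:]]*IPTABLES_MODULES=//p' "$1" | tail -n 1 |
        tr -d "\"'" | tr -s ' \t' '\n\n' | sed '/^$/d'
}

# Print each configured module that is absent from the lsmod listing in file $2.
missing_modules() {
    for mod in $(config_modules "$1"); do
        # lsmod puts the module name in column 1; line 1 is the header.
        awk -v m="$mod" 'NR > 1 && $1 == m { found = 1 } END { exit !found }' "$2" ||
            echo "$mod"
    done
}

# Write constructed sample files into directory $1 (sizes are made up).
write_samples() {
    cat > "$1/bad.conf" <<'EOF'
# Constructed sample of /etc/sysconfig/iptables-config
IPTABLES_MODULES="iptables_conntrack_ftp"
IPTABLES_MODULES_UNLOAD="yes"
EOF
    sed 's/iptables_conntrack_ftp/ip_conntrack_ftp/' "$1/bad.conf" > "$1/good.conf"
    cat > "$1/lsmod.txt" <<'EOF'
Module                  Size  Used by
ip_conntrack_ftp       72560  0
ip_conntrack           40693  1 ip_conntrack_ftp
ip_tables              16577  1 iptable_filter
EOF
}

# Usage: sh check.sh /etc/sysconfig/iptables-config lsmod.txt
if [ "$#" -eq 2 ]; then
    missing_modules "$1" "$2"
fi
```

Capture the listing with `lsmod > lsmod.txt` after restarting iptables; any name the script prints was configured but never loaded, which leaves passive FTP data connections untracked by the firewall.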



