[opensuse] proftp passive mode, on which port?
I always have a bad experience with my proftp server. I have it running but I can't transfer any data. Every time, it is stuck at "Entering passive mode" for a long time and then times out. But if I disable the firewall, it works well. So which port of the firewall should I open? I did some googling and found port 30000-30050 or 60000-65535, but it didn't work.
-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Thursday 21 June 2007 15:30, Hans Linux wrote:
> I always have a bad experience with my proftp server. I have it running but I can't transfer any data. Every time, it is stuck at "Entering passive mode" for a long time and then times out. But if I disable the firewall, it works well. So which port of the firewall should I open? I did some googling and found port 30000-30050 or 60000-65535, but it didn't work.
Hello Hans,
It's not your proftp's fault. In passive mode, the ftp client will connect to the ftp server on tcp 21, then for data transfer it will open random high ports. In order to do this your kernel must have ip_conntrack_ftp module loaded, so that it can 'track' the connection for ftp. I believe you can set it in your firewall to load the needed module.
HTH,
-- 
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org
3:58pm up 8:50, 2.6.18.2-34-default GNU/Linux
Let's use OpenOffice. http://www.openoffice.org
On 06/21/2007 02:59 AM, Fajar Priyanto wrote:
> On Thursday 21 June 2007 15:30, Hans Linux wrote:
> > I always have a bad experience with my proftp server. I have it running but I can't transfer any data. Every time, it is stuck at "Entering passive mode" for a long time and then times out. But if I disable the firewall, it works well. So which port of the firewall should I open? I did some googling and found port 30000-30050 or 60000-65535, but it didn't work.
> Hello Hans, It's not your proftp's fault. In passive mode, the ftp client will connect to the ftp server on tcp 21, then for data transfer it will open random high ports. In order to do this your kernel must have ip_conntrack_ftp module loaded, so that it can 'track' the connection for ftp.
> I believe you can set it in your firewall to load the needed module. HTH,
Congratulations on the only correct answer so far :-) As for loading ip_conntrack_ftp, that is done in the SuSEfirewall2 script, so the OP must be using some other firewall.
-- 
Hypocrisy is the homage vice pays to virtue. -- François de La Rochefoucauld
Hans Linux wrote:
> I always have a bad experience with my proftp server. I have it running but I can't transfer any data. Every time, it is stuck at "Entering passive mode" for a long time and then times out. But if I disable the firewall, it works well. So which port of the firewall should I open? I did some googling and found port 30000-30050 or 60000-65535, but it didn't work.
You can define the range of ports which are used to establish passive connections by defining "PassivePorts" in the configuration file (likely to be /etc/proftpd.conf).
Add/modify this line to suit your needs:
PassivePorts 65525 65530
Open appropriate ports in your firewall, and restart proftpd.
Best regards
Sylvester
Sylvester schreib/napisał or just enlightened us thusly:
> You can define the range of ports which are used to establish passive connections by defining "PassivePorts" in the configuration file (likely to be /etc/proftpd.conf)
> Add/modify this line to suit your needs: PassivePorts 65525 65530
> Open appropriate ports in your firewall, and restart proftpd.
Well those are outbound ports you are talking about. Thus AFAIK no way to open them up in Yast itself. Nevertheless, there is a switch in the susefirewall config file so you can use them though. However, IMO the easiest way to run a ftp in the passive mode is to put the word 'ftp' instead of a 'specific port' into yast2 firewall configuration.
-- 
Jan
If I can do it, then it ain't that hard at all.
Jan Tiggy wrote:
> Sylvester schreib/napisał or just enlightened us thusly:
> > You can define the range of ports which are used to establish passive connections by defining "PassivePorts" in the configuration file (likely to be /etc/proftpd.conf)
> > Add/modify this line to suit your needs: PassivePorts 65525 65530
> > Open appropriate ports in your firewall, and restart proftpd.
> Well those are outbound ports you are talking about.
No.
> Thus AFAIK no way to open them up in Yast itself.
He never mentioned if it was susefirewall. Anyway, those are inbound. When the client sends "PASV", the server responds by opening a random (or configured by PassivePorts) port. Referring to this port as "$P". The server then sends "PORT $P" back to client, which then connects to the server on port $P. That is passive mode as far as I understand.
> Nevertheless, there is a switch in the susefirewall config file so you can use them though. However, IMO the easiest way to run a ftp in the passive mode is to put the word 'ftp' instead of a 'specific port' into yast2 firewall configuration.
> -- Jan
> If I can do it, then it ain't that hard at all.
Best regards
Sylvester
Sylvester wrote:
> He never mentioned if it was susefirewall. Anyway, those are inbound;
If someone didn't mention the type of his firewall, it's IMO the best choice to assume he's using SUSEFirewall, at least while he's posted to the opensuse mailing list.
> When the client sends "PASV", the server responds by opening a random (or configured by PassivePorts) port. Referring to this port as "$P".
> The server then sends "PORT $P" back to client, which then connects to the server on port $P.
> That is passive mode as far as I understand.
It still doesn't change the fact that it can be solved on SuSEfirewall like this:

/etc/sysconfig/SuSEfirewall2

# Enter all ports or known portnames below, seperated by a space.
# TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
# UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
# e.g. if a webserver on the firewall should be accessible from the internet:
# FW_SERVICES_EXT_TCP="www"
# e.g. if the firewall should receive syslog messages from the dmz:
# FW_SERVICES_DMZ_UDP="syslog"
# For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
# FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
#
# Format: space separated list of ports, port ranges or well known
# service names (see /etc/services)
#
# Examples: "ssh", "123 514", "3200:3299", "ftp 22 telnet 512:514"
#
FW_SERVICES_EXT_TCP="ftp"

Cheers
Jan
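An added example, not part of the original thread: the reply a server gives to PASV in RFC 959 is `227 ... (h1,h2,h3,h4,p1,p2)`, with the data port equal to p1*256+p2. The sketch below parses such a reply and checks the announced port, and a whole PassivePorts range, against a FW_SERVICES_EXT_TCP value in the format quoted above. The function names, the small service-name table and the sample reply are constructed for illustration.

```python
import re

# Constructed subset of /etc/services, just enough for the sample values below.
SERVICES = {"ftp": 21, "ssh": 22, "telnet": 23, "www": 80}

# RFC 959 reply to PASV: 227 <text> (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")

def parse_pasv(reply):
    """Return (ip, port) announced by a 227 reply, or raise ValueError."""
    match = PASV_RE.match(reply.strip())
    if not match:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    nums = [int(n) for n in match.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError("field above 255 in %r" % reply)
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def parse_fw_services(value):
    """Expand a FW_SERVICES_*_TCP value into (low, high) port ranges."""
    ranges = []
    for token in value.split():
        if ":" in token:
            low, high = (int(part) for part in token.split(":", 1))
        elif token.isdigit():
            low = high = int(token)
        elif token in SERVICES:
            low = high = SERVICES[token]
        else:
            raise ValueError("unknown service name: %r" % token)
        if not 1 <= low <= high <= 65535:
            raise ValueError("bad port range: %r" % token)
        ranges.append((low, high))
    return ranges

def data_port_open(reply, fw_value):
    """True if the data port in `reply` is opened statically by fw_value."""
    port = parse_pasv(reply)[1]
    return any(lo <= port <= hi for lo, hi in parse_fw_services(fw_value))

def uncovered_ports(passive_low, passive_high, fw_value):
    """PassivePorts entries that fw_value does not open statically."""
    ranges = parse_fw_services(fw_value)
    return [p for p in range(passive_low, passive_high + 1)
            if not any(lo <= p <= hi for lo, hi in ranges)]

# Constructed sample reply; 255 * 256 + 245 = 65525, the first PassivePorts value.
SAMPLE_REPLY = "227 Entering Passive Mode (192,0,2,10,255,245)."
```

With `FW_SERVICES_EXT_TCP="ftp"` alone, `data_port_open(SAMPLE_REPLY, "ftp")` is False, so the data connection then depends on the ip_conntrack_ftp tracking discussed earlier in the thread.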
participants (5): Darryl Gregorash, Fajar Priyanto, Hans Linux, Jan Tiggy, Sylvester Lykkehus