[opensuse] What are the currently recommended firewall settings for FTP?
I had this working some time ago, with this same configuration, but now it doesn't work. I'm testing FTP with two local Linux machines (oS 11.2). The server has:

FW_TRUSTED_NETS="192.168.X.Y,tcp,ftp 192.168.X.Y,tcp,ftp-data"

The client firewall has not been touched. Both machines have nf_conntrack, nf_conntrack_ipv4, nf_conntrack_ipv6 loaded (automatically).

With anonymous ftp from the client, default settings (Extended Passive Mode), a "dir" doesn't work unless I bring down the server firewall. Passive mode doesn't work either, until I bring down the firewall on the client. Yes, this is contrary to design, passive mode should be easy on the client side. It doesn't even work if I put in the client side firewall:

FW_TRUSTED_NETS="192.168.X.Z,tcp,ftp 192.168.X.Z,tcp,ftp-data"

But the client firewall drops it:

Apr 30 00:37:47 minas-tirith kernel: [21595.671840] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= MAC=0c:ee... SRC=192.168.X.Z DST=192.168.X.Y LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=33999 DF PROTO=TCP SPT=20 DPT=35556 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A175CEDB70000000001030307)

This is contrary to the rule above, port 20 is ftp-data.

ftp> passive
Passive mode: off; fallback to active mode: off.
ftp> dir
200 EPRT command successful. Consider using EPSV.
^C
ftp> passive
Passive mode: on; fallback to active mode: on.
ftp> dir
229 Entering Extended Passive Mode (|||30054|)
^C

Although I think it is not really using passive mode. Active mode I can not try, because:

ftp> active
?Invalid command.
ftp>

I know that it is the ftp data connection which is not working. But I have no idea how this has to be set, currently.

Yes, I know, I should use sftp/ssh. That works. The question now is how to configure the SuSEfirewall on both sides for ftp to work, preferably in all modes. For knowledge's sake :-)

--
Cheers,
Carlos E. R.
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Carlos E. R. wrote:
I know that it is the ftp data connection which is not working. But I have no idea how this has to be set, currently.
When this has occasionally happened to me, it has always been because the nf_conntrack_ftp module wasn't loaded.

--
Per Jessen, Zürich (10.6°C)
On 2011-04-30 09:06, Per Jessen wrote:
Carlos E. R. wrote:
I know that it is the ftp data connection which is not working. But I have no idea how this has to be set, currently.
When this has occasionally happened to me, it has always been because the nf_conntrack_ftp module wasn't loaded.
I forgot that one. I'll try and report back.

--
Cheers / Saludos,
Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)
On 2011-04-30 21:23, Carlos E. R. wrote:
On 2011-04-30 09:06, Per Jessen wrote:
Carlos E. R. wrote:
When this has occasionally happened to me, it has always been because the nf_conntrack_ftp module wasn't loaded.
I forgot that one. I'll try and report back.
No... it doesn't work. I have now "nf_conntrack_ftp" loaded on both sides, doesn't work, neither passive nor extended passive. The data connection ports are blocked by both firewalls.

FW_LOAD_MODULES="nf_conntrack_netbios_ns nf_conntrack_ftp"

Perhaps the firewall has to be told on what connections to apply that module. Ah, yes, I need "FW_SERVICES_ACCEPT_RELATED_EXT". Let me see, trying:

FW_SERVICES_ACCEPT_RELATED_EXT="192.168.1.0/24,tcp,ftp"

No, doesn't work either. AH, it needs this:

FW_SERVICES_ACCEPT_RELATED_EXT="192.168.1.0/24,tcp,ftp 192.168.1.0/24,tcp,ftp-data"

Both ports, both sides. Now it is working for me in passive mode, but not in extended passive mode. It worked for an instant in both, then broke again.

Perhaps the syntax is wrong. The comment says:

## Type: string
## Default:
#
# Services to allow that are considered RELATED by the connection tracking
# engine.
#
# Format: space separated list of net,protocol[,sport[,dport]]
#
# Example:
# Allow samba broadcast replies marked as related by
# nf_conntrack_netbios_ns from a certain network:
# "192.168.1.0/24,udp,137"
#

What is sport,dport? There is no example there for ftp :-(

I tried:

FW_SERVICES_ACCEPT_RELATED_EXT="192.168.1.0/24,tcp,ftp,ftp-data"

but it does not work in any mode.

In short, I have now, on both sides:

FW_SERVICES_ACCEPT_RELATED_EXT="192.168.1.0/24,tcp,ftp \
192.168.1.0/24,tcp,ftp-data"
FW_LOAD_MODULES="nf_conntrack_netbios_ns nf_conntrack_ftp"

And it only works in (plain) passive mode.

Caveat: if I try 2 minutes later, it doesn't work:

226 File send OK.
174 bytes received in 00:00 (8.26 KB/s)
ftp> dir
ftp: No control connection for command.
ftp> dir
Not connected.
ftp>

Something has a too short memory. Could be the ftp server, could be the firewall. But I think it is a server timeout.

--
Cheers / Saludos,
Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)
On Sun, 2011-05-01 at 03:32 +0200, Carlos E. R. wrote:
Perhaps the syntax is wrong. The comment says:
## Type: string
## Default:
#
# Services to allow that are considered RELATED by the connection tracking
# engine.
#
# Format: space separated list of net,protocol[,sport[,dport]]
#
# Example:
# Allow samba broadcast replies marked as related by
# nf_conntrack_netbios_ns from a certain network:
# "192.168.1.0/24,udp,137"
#
What is sport,dport? There is no example there for ftp :-(
sport = Source Port
dport = Destination Port.

For an FTP connection that's the bad part. The control port (21) is rather simple: on the server, the source port typically is between 1024 and 65k and dport is 21. The data port is much worse. And it all depends between active and passive sessions.

Are you using TLS over FTP? Then the entire conntracking does not work (the PORT command is transmitted encrypted, the kernel doesn't see it and can't open the respective ports).

What I have in my FW config (sorry, iptables.. but you can translate this to your setup)

chain INPUT:
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:20:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:61052:61057

chain OUTPUT:
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:20:21 state RELATED,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:61052:61057 state RELATED,ESTABLISHED

my vsftp.conf contains, to make this work in passive mode:

pasv_min_port=61052
pasv_max_port=61057

Hope this helps you a bit out.

Dominique
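Dominique's distinction between the easy control port and the hard data port comes down to what a firewall can learn from the control channel. The following is an added example, not code from the thread, from SuSEfirewall2 or from the kernel: it parses the four announcements an FTP session can make (PORT and EPRT from the client in active mode, 227 and 229 from the server in passive and extended passive mode) into the data endpoint, which is exactly what the nf_conntrack_ftp helper has to extract before it can mark the data connection RELATED, and then checks that endpoint against static port rules such as a vsftpd pasv range. The addresses, sample control lines and accept lists are constructed; SERVER_IP and CLIENT_IP are assumptions.

```python
"""Derive the TCP endpoint an FTP data connection will use from the
control-channel line that announces it, the job nf_conntrack_ftp does on
the control channel (and cannot do once the channel is TLS-encrypted).

Added example, not code from the thread. Addresses and sample lines are
constructed; SERVER_IP and CLIENT_IP are assumptions for the samples."""
import re
from dataclasses import dataclass

SERVER_IP = "192.168.1.10"   # constructed
CLIENT_IP = "192.168.1.20"   # constructed


@dataclass(frozen=True)
class DataEndpoint:
    mode: str   # "active": server connects from port 20 to host:port (the client)
                # "passive": client connects to host:port (the server)
    host: str
    port: int


_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
_EPRT_RE = re.compile(r"^EPRT \|[12]\|([^|]+)\|(\d+)\|$")
_PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")


def _h1h2h3h4p1p2(groups):
    """Decode the comma-separated host/port tuple used by PORT and 227."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("byte out of range in %r" % (groups,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def _check_port(port):
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return port


def parse_data_endpoint(line, peer_ip):
    """Return the DataEndpoint announced by one control-channel line, or None
    if the line is not a data-connection announcement.

    peer_ip is the address of the side that sent the line (client for
    PORT/EPRT, server for 227/229). EPSV carries no address, so the data
    connection goes to the same host the control connection talks to."""
    line = line.strip()
    m = _PORT_RE.match(line)
    if m:
        host, port = _h1h2h3h4p1p2(m.groups())
        return DataEndpoint("active", host, _check_port(port))
    m = _EPRT_RE.match(line)
    if m:
        return DataEndpoint("active", m.group(1), _check_port(int(m.group(2))))
    m = _PASV_RE.match(line)
    if m:
        host, port = _h1h2h3h4p1p2(m.groups())
        return DataEndpoint("passive", host, _check_port(port))
    m = _EPSV_RE.match(line)
    if m:
        return DataEndpoint("passive", peer_ip, _check_port(int(m.group(1))))
    return None


def in_ranges(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def data_connection_accepted(ep, server_ip, server_inbound, client_inbound):
    """Would static port rules alone (no FTP conntrack helper) let the data
    connection through? server_inbound / client_inbound are lists of
    (lo, hi) TCP port ranges each side's firewall accepts inbound."""
    if ep.mode == "passive":
        # client -> server:port must hit an open server port (the pasv range)
        return ep.host == server_ip and in_ranges(ep.port, server_inbound)
    # active: server:20 -> client:port, so the *client* must accept inbound
    return ep.host != server_ip and in_ranges(ep.port, client_inbound)


if __name__ == "__main__":
    samples = [  # constructed control-channel lines
        ("229 Entering Extended Passive Mode (|||30054|)", SERVER_IP),
        ("227 Entering Passive Mode (192,168,1,10,117,86).", SERVER_IP),
        ("PORT 192,168,1,20,138,228", CLIENT_IP),
        ("EPRT |1|192.168.1.20|35556|", CLIENT_IP),
    ]
    server_open = [(21, 21), (30000, 30100)]   # a vsftpd-style pasv range
    for text, sender in samples:
        ep = parse_data_endpoint(text, sender)
        ok = data_connection_accepted(ep, SERVER_IP, server_open, [])
        print("%-50s -> %-7s %s:%d accepted=%s" % (text, ep.mode, ep.host, ep.port, ok))
```

With a default-deny client and only the control port open on the server, every data connection is refused; opening the server's passive range makes PASV and EPSV work, while PORT and EPRT still depend on the client accepting an inbound connection from port 20, which is what a helper marking the flow RELATED would normally supply.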
On 2011-05-01 11:14, Dimstar / Dominique Leuenberger wrote:
On Sun, 2011-05-01 at 03:32 +0200, Carlos E. R. wrote:
What is sport,dport? There is no example there for ftp :-(
sport = Source Port dport = Destination Port.
Ah, destination. I wonder... do they have to match both, or any of them? I mean, is the condition anded or ored? I'm thinking the rule might be:

192.168.1.0/24,tcp,ftp,ftp 192.168.1.0/24,tcp,ftp-data,ftp-data

I'll try that tomorrow.
Are you using TLS over FTP? Then the entire conntracking does not work (the PORT command is transmitted encrypted, the kernel doesn't see it and can't open the respective ports).
No, just plain ftp. If I want protection, I use ssh/sftp, far easier to configure. Right now, it is just for my education, I don't need to use it right now. The question arose in the forum, and I realized I do not know how to do it. I had it working some time ago, with a setting that opened all high ports that has disappeared from the distro. Or a list of 10 ports. At least now I have it working in passive mode.
What I have in my FW config (sorry, iptables.. but you can translate this to your setup)
Ha, ha. :-) I'm not that good.

--
Cheers / Saludos,
Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)
On 05/02/2011 02:21 AM, Carlos E. R. wrote:
At least now I have it working in passive mode.
What I have in my FW config (sorry, iptables.. but you can translate this to your setup)
Ha, ha. :-) I'm not that good.
If you are using vsftpd, then have a look at the service file to configure it with SuSEfirewall2 and then use the service name in FW_CONFIGURATIONS_WHATEVER_ZONE_YOU_WANT

/etc/sysconfig/SuSEfirewall2.d/services/vsftpd

Hope this helps

Togan
On Monday, 2011-05-02 at 13:17 +0200, Togan Muftuoglu wrote:
If you are using vsftpd, then have a look at the service file to configure it with SuSEfirewall2 and then use the service name in FW_CONFIGURATIONS_WHATEVER_ZONE_YOU_WANT
/etc/sysconfig/SuSEfirewall2.d/services/vsftpd
I did look into that directory, but looking for "ftp", not "vsftpd": I did not notice the entry. That file contains:

## Name: vsftpd Server
## Description: Opens ports for vsftpd Server.

# space separated list of allowed TCP ports
TCP="ftp 30000:30100"

# space separated list of allowed UDP ports
UDP=""

# space separated list of allowed RPC services
RPC=""

# space separated list of allowed IP protocols
IP=""

# space separated list of allowed UDP broadcast ports
BROADCAST=""

Instead of replacing that for my configuration, what I did was change one line:

FW_TRUSTED_NETS="192.168.X.Y,tcp,ftp 192.168.X.Y,tcp,ftp-data 192.168.X.Y,tcp,30000:30100"

Just the last part. With that change now I have both passive and extended passive modes working. What I do not know (the client I use doesn't have it) is if active would work, my guess is "no".

I wonder why "nf_conntrack_ftp" doesn't do it.

--
Cheers,
Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)
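The drop line quoted at the start of the thread can be read mechanically against the port list in that service file. This is an added example, not code from the thread, from SuSEfirewall2 or from vsftpd: it parses SFW2 kernel log lines and the TCP= port-list syntax (names or numbers, ranges as lo:hi) and reports whether a dropped SYN is the control connection, a connection into the server's passive range, or the server's port-20 active-mode data connection, the case Carlos's log shows. The first sample line is the one quoted in the thread (MAC truncated as quoted); the second sample line and the SERVICE_NAMES table are constructed.

```python
"""Classify SuSEfirewall2 (SFW2) kernel drop lines relative to FTP and
check them against a service-file port list such as TCP="ftp 30000:30100".

Added example, not code from the thread. The first log line is the one
quoted in the thread (MAC truncated as quoted); the second is constructed.
SERVICE_NAMES is a deliberately small stand-in for /etc/services."""
import re

# Only the names this page needs; a real lookup would read /etc/services.
SERVICE_NAMES = {"ftp": 21, "ftp-data": 20}

_KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def port_number(tok):
    """Resolve a numeric port or a service name; reject anything else."""
    if tok.isdigit():
        port = int(tok)
    elif tok in SERVICE_NAMES:
        port = SERVICE_NAMES[tok]
    else:
        raise ValueError("unknown service name %r" % tok)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return port


def parse_port_list(spec):
    """'ftp 30000:30100' -> [(21, 21), (30000, 30100)]"""
    ranges = []
    for tok in spec.split():
        if ":" in tok:
            lo, hi = (port_number(p) for p in tok.split(":", 1))
            if lo > hi:
                raise ValueError("inverted range %r" % tok)
            ranges.append((lo, hi))
        else:
            port = port_number(tok)
            ranges.append((port, port))
    return ranges


def in_ranges(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def parse_sfw2_line(line):
    """Return the KEY=VALUE fields of an SFW2 log line plus the rule tag
    under "RULE", or None if the line is not an SFW2 line."""
    start = line.find("SFW2-")
    if start < 0:
        return None
    rest = line[start:]
    fields = dict(_KV_RE.findall(rest))
    fields["RULE"] = rest.split()[0]
    return fields


def classify_ftp_drop(line, server_ports):
    """Classify a dropped TCP packet relative to FTP.

    Returns (kind, spt, dpt) with kind one of:
      "active-data"  SYN from the server's ftp-data port (20) to a client port
      "control"      connection to the FTP control port 21
      "passive-data" connection to a port inside the server's passive range
      "unrelated"    none of the configured FTP ports
    or None if the line is not an SFW2 TCP drop."""
    f = parse_sfw2_line(line)
    if f is None or f.get("PROTO") != "TCP" or "DROP" not in f["RULE"]:
        return None
    spt, dpt = int(f["SPT"]), int(f["DPT"])
    if spt == SERVICE_NAMES["ftp-data"]:
        return ("active-data", spt, dpt)
    if dpt == SERVICE_NAMES["ftp"]:
        return ("control", spt, dpt)
    if in_ranges(dpt, server_ports):
        return ("passive-data", spt, dpt)
    return ("unrelated", spt, dpt)


SAMPLE_LINES = [
    # from the thread: the client firewall dropping the server's port-20 SYN
    "Apr 30 00:37:47 minas-tirith kernel: [21595.671840] SFW2-INext-DROP-DEFLT "
    "IN=wlan0 OUT= MAC=0c:ee... SRC=192.168.X.Z DST=192.168.X.Y LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=63 ID=33999 DF PROTO=TCP SPT=20 DPT=35556 WINDOW=5840 "
    "RES=0x00 SYN URGP=0 OPT (020405B40402080A175CEDB70000000001030307)",
    # constructed: a client hitting the server's passive range
    "May  1 12:00:00 telcontar kernel: [1.0] SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
    "SRC=192.168.1.20 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=40001 DPT=30054 SYN",
]

if __name__ == "__main__":
    server_ports = parse_port_list("ftp 30000:30100")
    for line in SAMPLE_LINES:
        print(classify_ftp_drop(line, server_ports))
```

The quoted line classifies as "active-data": a SYN with source port 20 is the server opening the data connection towards the client, so it is the client's firewall, not the server's, that needs either the RELATED entry from the helper or an explicit accept for it.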
On Monday, 2011-05-02 at 02:21 +0200, I wrote:
I'm thinking the rule might be:
192.168.1.0/24,tcp,ftp,ftp 192.168.1.0/24,tcp,ftp-data,ftp-data
I'll try that tomorrow.
Nope, that one doesn't work.

--
Cheers,
Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)
On Mon, 2011-05-02 at 20:49 +0200, Carlos E. R. wrote:
On Monday, 2011-05-02 at 02:21 +0200, I wrote:
I'm thinking the rule might be:
192.168.1.0/24,tcp,ftp,ftp 192.168.1.0/24,tcp,ftp-data,ftp-data
I'll try that tomorrow.
Nope, that one doesn't work.
No, that would imply that the client uses the same ports as the server for communication, which is impossible (you could only have one FTP session open for one, then FTP runs on port 20 & 21, which are privileged ports, so you could not use them as non-root).

On the server, you'd need something like:

192.168.1.0/24,tcp,ftp 102.168.1.0/24,tcp,ftp-data

Together with the conntrack module, this should get you going. (192.168.1.0/24 are the machines in the network, that are allowed to reach your server)

Dominique
On 2011-05-02 21:12, Dimstar / Dominique Leuenberger wrote:
On Mon, 2011-05-02 at 20:49 +0200, Carlos E. R. wrote:
On the server, you'd need something like:
192.168.1.0/24,tcp,ftp 102.168.1.0/24,tcp,ftp-data

Yes, that's what I have.
Together with the conntrack module, this should get you going. (192.168.1.0/24 are the machines in the network, that are allowed to reach your server)
Yes, but it doesn't. I had to explicitly open the data ports the server uses (see the other post). The conntrack module only works for plain passive mode, not for the extended passive mode. I don't know if that is intentional or a bug.

--
Cheers / Saludos,
Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)