Hello, I have set up a server in my DMZ and noticed that I can't access the passive mode through the SuSEfirewall installed. Any ideas?
Regards, O.
It has something to do with the ports... Passive and active use two different ports. Find out what passive uses and make sure it is set up to accept it. Or you can post your SuSE FW config and I am sure some of the wonderful people here will look at it and give you some ideas.
> Hello, I have set up a server in my DMZ and noticed that I can't access the passive mode through the SuSEfirewall installed. Any ideas? Regards, O.
On Tuesday 23 April 2002 17:40, Michael Garabedian wrote:
> It has something to do with the ports... Passive and active use two different ports. Find out what passive uses and make sure it is set up to accept it.
Active ftp means that the data connection is established from port 20 on the server to a high port (> 1023) on the client. This means that the client has to open up its firewall to high port connections, which can potentially be a security hole.
Passive ftp on the other hand means that the data connection is established from the client to a high port on the server. This means that the client never has to accept inbound connections, and therefore won't have to open his firewall.
On the other hand, the server will have to open *its* high ports. Theoretically, you should only have to put "ftp-data" in the "FW_ALLOW_INCOMING_HIGHPORTS_TCP" section of firewall.rc.config, but that has never worked for me. Put "yes" there and everything should work as intended, though make sure you don't have other things running on the server that listen to high ports, such as X.
regards Anders
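Added example, not part of the original thread: the data-channel negotiation described in the message above, decoded from FTP control-channel lines in the RFC 959 `PORT` / `227` format, to show which side has to accept an inbound connection and on which port. The function names, sample lines and addresses are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# RFC 959 writes a data endpoint as six decimal bytes: h1,h2,h3,h4,p1,p2
HOSTPORT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

class DataChannel(NamedTuple):
    mode: str       # "active" or "passive"
    listener: str   # side whose firewall must accept the inbound connection
    host: str
    port: int

def parse_control_line(line: str) -> Optional[DataChannel]:
    """Decode the endpoint announced by a client PORT command or a server 227 reply."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        mode, listener = "active", "client"    # server connects out from port 20
    elif text.startswith("227"):
        mode, listener = "passive", "server"   # client connects to the server
    else:
        return None
    match = HOSTPORT.search(text)
    if match is None:
        return None
    nums = [int(g) for g in match.groups()]
    if max(nums) > 255:
        return None                            # each field is a single byte
    host = ".".join(map(str, nums[:4]))
    return DataChannel(mode, listener, host, nums[4] * 256 + nums[5])

def inbound_openings(session: List[str]) -> List[str]:
    """List the inbound TCP openings each data transfer in a control session needs."""
    out = []
    for line in session:
        ch = parse_control_line(line)
        if ch is not None:
            kind = "high" if ch.port > 1023 else "privileged"
            out.append(f"{ch.mode}: {ch.listener} {ch.host} accepts tcp/{ch.port} ({kind} port)")
    return out

# Constructed control-channel lines (documentation addresses, not from the thread)
SAMPLE = [
    "USER anonymous",
    "PORT 198,51,100,7,4,1",
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "PORT 198,51,100,7,999,1",
]

if __name__ == "__main__":
    for requirement in inbound_openings(SAMPLE):
        print(requirement)
```

The last sample line is rejected because a field exceeds one byte; a filter that tracks the control channel this way can open only the announced port instead of the whole high-port range.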
In practice, I have never had problems with this when connecting to *nix servers, but always have to take down my firewall when connecting to Winduhs machines.
On Tuesday, 23 April 2002 10:49, you wrote:
> On Tuesday 23 April 2002 17:40, Michael Garabedian wrote:
> > It has something to do with the ports... Passive and active use two different ports. Find out what passive uses and make sure it is set up to accept it.
> Active ftp means that the data connection is established from port 20 on the server to a high port (> 1023) on the client. This means that the client has to open up its firewall to high port connections, which can potentially be a security hole.
> Passive ftp on the other hand means that the data connection is established from the client to a high port on the server. This means that the client never has to accept inbound connections, and therefore won't have to open his firewall.
> On the other hand, the server will have to open *its* high ports. Theoretically, you should only have to put "ftp-data" in the "FW_ALLOW_INCOMING_HIGHPORTS_TCP" section of firewall.rc.config, but that has never worked for me. Put "yes" there and everything should work as intended, though make sure you don't have other things running on the server that listen to high ports, such as X.
> regards Anders
* Anon. Coward (quantum@ultra2k.com) [020423 09:23]:
> In practice, I have never had problems with this when connecting to *nix servers, but always have to take down my firewall when connecting to Winduhs machines.
That's because most (all?) Windows ftp clients default to active mode and *nix default to passive. One of the most common complaints that ftpadmin receives is from some Windows user who complains that their "firewall" said we were trying to break into their machine... it's just them doing active ftp and ftp.suse.com opening a data connection to their machine, of course, but try explaining that to them ;)
--
-ckm
On Tuesday, 23 April 2002 11:48, you wrote:
> * Anon. Coward (quantum@ultra2k.com) [020423 09:23]:
> > In practice, I have never had problems with this when connecting to *nix servers, but always have to take down my firewall when connecting to Winduhs machines.
> That's because most (all?) Windows ftp clients default to active mode and *nix default to passive. One of the most common complaints that ftpadmin receives is from some Windows user who complains that their "firewall" said we were trying to break into their machine... it's just them doing active ftp and ftp.suse.com opening a data connection to their machine, of course, but try explaining that to them ;)
Thank you. Now it's clear.
participants (5)
- Anders Johansson
- Anon. Coward
- Christopher Mahmood
- Michael Garabedian
- Omppu