[opensuse-security] Setting up FTP and SuseFirewall
pure-ftpd vs vsftpd:

I wish to set up FTP on an OpenSUSE 10.2 workstation to receive scanned documents from a networked MFP machine which has "Scan to FTP". First I enabled the pure-ftpd service with xinetd, deactivated SuSEFirewall and was able to receive scanned FTP documents in my homedir as selected. Next I tried to enable the more secure vsftpd instead, but didn't get any FTP document, not even with the firewall deactivated. Maybe something also has to be configured in vsftpd.conf?

SuseFirewall:

I have a default SuseFirewall setup with just SSH enabled for external zone access. My question is how to configure SUSEFirewall, preferably with YaST, to receive FTP documents from my network scanner?

I'm using fixed IP addresses on the LAN, not DHCP. I haven't activated the firewall for the internal zone and therefore thought everything on my LAN had access, but scanned documents don't come through. I've read that FTP may need ports 20-21, both TCP and UDP, open in the firewall; maybe this is for the external zone only?

Rgds,
Terje J. Hanssen

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
I have used pure-ftpd before on SuSE 9.2 and on Fedora. There was some sort of bug in pure-ftpd to do with creating virtual user accounts. This was so slow in getting fixed that I dumped pure-ftpd for proftpd instead. On FC 6 proftpd 1.3.0a works right out of the box for me. No messing with virtual user accounts. I just used the default user settings, which it gets from the passwd file.

[quote]
Flexible, stable and highly-configurable FTP server

ProFTPD is an enhanced FTP server with a focus toward simplicity, security, and ease of configuration. It features a very Apache-like configuration syntax, and a highly customizable server infrastructure, including support for multiple 'virtual' FTP servers, anonymous FTP, and permission-based directory visibility.

This package defaults to the standalone behaviour of ProFTPD, but all the needed scripts to have it run by xinetd instead are included.
[/quote]

If proftpd is available on SuSE I would recommend giving that a look as well.

HTH

Regards

Keith

On Wed, 22 Aug 2007, Terje J. Hanssen wrote:
To: opensuse-security@opensuse.org From: Terje J. Hanssen <terje@nordland-teknikk.no> Subject: [opensuse-security] Setting up FTP and SuseFirewall
pure-ftpd vs vsftpd: I wish to set up FTP on an OpenSUSE 10.2 workstation to receive scanned documents from a networked MFP machine which has "Scan to FTP". First I enabled the pure-ftpd service with xinetd, deactivated SuSEFirewall and was able to receive scanned FTP documents in my homedir as selected. Next I tried to enable the more secure vsftpd instead, but didn't get any FTP document, not even with the firewall deactivated. Maybe something also has to be configured in vsftpd.conf?
SuseFirewall: I have a default SuseFirewall setup with just SSH enabled for external zone access. My question is how to configure SUSEFirewall, preferably with YaST, to receive FTP documents from my network scanner?
I'm using fixed IP addresses on the LAN, not DHCP. I haven't activated the firewall for the internal zone and therefore thought everything on my LAN had access, but scanned documents don't come through. I've read that FTP may need ports 20-21, both TCP and UDP, open in the firewall; maybe this is for the external zone only?
Rgds, Terje J. Hanssen
------------------------------------------------------------
http://www.karsites.net
http://www.raised-from-the-dead.org.uk

This email address is challenge-response protected with http://www.tmda.net
------------------------------------------------------------
On Wednesday 22 August 2007 19:27:53 Terje J. Hanssen wrote:
pure-ftpd vs vsftpd: I wish to set up FTP on an OpenSUSE 10.2 workstation to receive scanned documents from a networked MFP machine which has "Scan to FTP". First I enabled the pure-ftpd service with xinetd, deactivated SuSEFirewall and was able to receive scanned FTP documents in my homedir as selected. Next I tried to enable the more secure vsftpd instead, but didn't get any FTP document, not even with the firewall deactivated. Maybe something also has to be configured in vsftpd.conf?
SuseFirewall: I have a default SuseFirewall setup with just SSH enabled for external zone access. My question is how to configure SUSEFirewall, preferably with YaST, to receive FTP documents from my network scanner?
I'm using fixed IP addresses on the LAN, not DHCP. I haven't activated the firewall for the internal zone and therefore thought everything on my LAN had access, but scanned documents don't come through. I've read that FTP may need ports 20-21, both TCP and UDP, open in the firewall; maybe this is for the external zone only?
Do you have any relevant log message regarding the error?
--
Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial http://linux2.arinet.org
05:17:52 up 4:17, 2.6.20-16-generic GNU/Linux
Let's use OpenOffice. http://www.openoffice.org
Fajar Priyanto wrote:
On Wednesday 22 August 2007 19:27:53 Terje J. Hanssen wrote:
pure-ftpd vs vsftpd: I wish to set up FTP on an OpenSUSE 10.2 workstation to receive scanned documents from a networked MFP machine which has "Scan to FTP". First I enabled the pure-ftpd service with xinetd, deactivated SuSEFirewall and was able to receive scanned FTP documents in my homedir as selected. Next I tried to enable the more secure vsftpd instead, but didn't get any FTP document, not even with the firewall deactivated. Maybe something also has to be configured in vsftpd.conf?
SuseFirewall: I have a default SuseFirewall setup with just SSH enabled for external zone access. My question is how to configure SUSEFirewall, preferably with YaST, to receive FTP documents from my network scanner?
I'm using fixed IP addresses on the LAN, not DHCP. I haven't activated the firewall for the internal zone and therefore thought everything on my LAN had access, but scanned documents don't come through. I've read that FTP may need ports 20-21, both TCP and UDP, open in the firewall; maybe this is for the external zone only?
Do you have any relevant log message regarding the error?
Not sure these are the most relevant messages, but here is something:

1) ftpd enabled, firewall activated (no interface for internal zone):
--------------------------------------------------------------------
no document comes through:

/var/log/firewall
Aug 23 10:03:24 alfa kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:13:72:a8:c3:79:00:04:00:9b:0c:a4:08:00 SRC=192.9.200.8 DST=192.9.200.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1162 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40000080A037B6B3C0000000001030300)

/var/log/warn
Aug 23 09:55:28 alfa SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.

Lexmark scanlog:
Could not scan to ftp connection error code is -1

2) vsftp enabled, firewall deactivated:
---------------------------------------
no document comes through:

grep vsftp /var/log/*
messages:Aug 23 10:11:29 alfa xinetd[3511]: Reading included configuration file: /etc/xinetd.d/vsftpd [file=/etc/xinetd.d/vsftpd] [line=90]

/var/log/warn
Aug 23 09:55:28 alfa kernel: Netfilter messages via NETLINK v0.30.
Aug 23 09:55:28 alfa kernel: ip_conntrack version 2.4 (8192 buckets, 65536 max) - 288 bytes per conntrack
Aug 23 10:10:54 alfa SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.

Lexmark scanlog:
Could not scan to ftp connection error code is -4
500 OOPS: could bind listening IPv4 socket

My note: As far as I can see, there is no configuration possibility regarding the passive/active FTP setting on Lexmark's side.

Rgds,
Terje J. Hanssen
Hei Terje,
1) ftpd enabled, firewall activated (no interface for internal zone): -------------------------------------------------------------------- no document comes through:
/var/log/firewall Aug 23 10:03:24 alfa kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:13:72:a8:c3:79:00:04:00:9b:0c:a4:08:00 SRC=192.9.200.8 DST=192.9.200.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1162 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40000080A037B6B3C0000000001030300)
--> so you have to enable port 21 ("DPT") on the firewall. You can do this for a single host/network in the variable FW_TRUSTED_NETS

FW_TRUSTED_NETS = "192.9.200.8/32,tcp,21"

Also have a look at the "FW_LOAD_MODULES" variable. AFAIK the module "ip_conntrack_ftp" tries to be smart to open the other ports needed for FTP and to only open them for the current FTP session and then close them again.

Then look for more error messages.
/var/log/warn Aug 23 09:55:28 alfa SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
--> I think this message is unrelated to your problem.

Tell us if you get more error messages.

Cheers,
Armin
--
Am Hasenberg 26                 office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                     Schloss-Straße 6
Tel. ++49-(0)38203/42137                D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de             Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/             Fax. +49-(0)38293-68-50
Armin Schoech wrote:
Hei Terje,
1) ftpd enabled, firewall activated (no interface for internal zone): -------------------------------------------------------------------- no document comes through:
/var/log/firewall Aug 23 10:03:24 alfa kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:13:72:a8:c3:79:00:04:00:9b:0c:a4:08:00 SRC=192.9.200.8 DST=192.9.200.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1162 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40000080A037B6B3C0000000001030300)
--> so you have to enable port 21 ("DPT") on the firewall. You can do this for a single host/network in the variable FW_TRUSTED_NETS
FW_TRUSTED_NETS = "192.9.200.8/32,tcp,21"
Thanks, this worked ok for pure-ftp
Also have a look at the "FW_LOAD_MODULES" variable. AFAIK the module "ip_conntrack_ftp" tries to be smart to open the other ports needed for FTP and to only open them for the current FTP session and then close them again.
Tried this first, but it didn't work in my case
Then look for more error messages.
/var/log/warn Aug 23 09:55:28 alfa SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
--> I think this message is unrelated to your problem.
--Terje
Armin Schoech wrote:
Hei Terje,
1) ftpd enabled, firewall activated (no interface for internal zone): -------------------------------------------------------------------- no document comes through:
/var/log/firewall Aug 23 10:03:24 alfa kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:13:72:a8:c3:79:00:04:00:9b:0c:a4:08:00 SRC=192.9.200.8 DST=192.9.200.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1162 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40000080A037B6B3C0000000001030300)
--> so you have to enable port 21 ("DPT") on the firewall. You can do this for a single host/network in the variable FW_TRUSTED_NETS
FW_TRUSTED_NETS = "192.9.200.8/32,tcp,21"
I tried this, disabled the firewall, but didn't get vsftpd to receive FTP documents from my scanner. I preferably wish to use vsftpd, because besides my fixed-IP networked scanner, I also wish to connect from outside, from my home PC using ADSL and DHCP.
Also have a look at the "FW_LOAD_MODULES" variable. AFAIK the module "ip_conntrack_ftp" tries to be smart to open the other ports needed for FTP and to only open them for the current FTP session and then close them again.
Then look for more error messages.
/var/log/warn Aug 23 09:55:28 alfa SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
--> I think this message is unrelated to your problem.
Tell us if you get more error messages.
Same error message as above from the scanner's ftp log

# grep vsftp /var/log/*
/var/log/messages:Aug 27 11:22:24 alfa xinetd[3513]: Reading included configuration file: /etc/xinetd.d/vsftpd [file=/etc/xinetd.d/vsftpd] [line=90]

--Terje
The Monday 2007-08-27 at 11:41 +0200, Terje J. Hanssen wrote:
--> so you have to enable port 21 ("DPT") on the firewall. You can do this for a single host/network in the variable FW_TRUSTED_NETS
FW_TRUSTED_NETS = "192.9.200.8/32,tcp,21"
I tried this, disabled the firewall, but didn't get vsftpd to receive ftp documents from my scanner.
I assume your scanner _is_ in 192.9.200.8/32.
I preferably wish to use vsftpd, because beside my fixed IP networked scanner, I also wish to connect from outside from my home PC using ADSL and DHCP
DHCP from the Internet? :-? Anyway, that's a problem for your ADSL router.
Then look for more error messages.
Same error message as above from the scanner's ftp log
# grep vsftp /var/log/* /var/log/messages:Aug 27 11:22:24 alfa xinetd[3513]: Reading included configuration file: /etc/xinetd.d/vsftpd [file=/etc/xinetd.d/vsftpd] [line=90]
Irrelevant. That's not an error message. You have to look at the firewall log. Like this:

Jul 15 03:28:44 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:40:f4:2e:b1:21:00:30:da:70:d7:ea:....

--
Cheers,
Carlos E. R.
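The firewall-log check Carlos points to, combined with the way Armin reads the SFW2 drop line (DPT=21 from SRC=192.9.200.8, hence a single-host FW_TRUSTED_NETS entry), as an added example that is not code from the thread or from SuSEfirewall2: a small Python parser over constructed sample log lines. The first sample line is the one quoted earlier in the thread; the others, including the outside address 203.0.113.7, are made up in the same format. The `net/mask,proto,port` entry syntax is the one shown in Armin's reply; the function names are my own.

```python
"""Read SuSEfirewall2 (SFW2) kernel log lines, find dropped inbound FTP
control connections and derive the narrowest FW_TRUSTED_NETS entries
that would admit exactly those hosts.

Added example; not code from the thread or from SuSEfirewall2 itself.
The line format and the 'net/mask,proto,port' entry syntax are the ones
quoted in the thread; the helper names are my own.
"""
import re

# Constructed sample log: the first line is the one quoted in the thread,
# the rest are made up in the same format (203.0.113.7 is a documentation
# address standing in for a host outside the LAN).
SAMPLE_LOG = """\
Aug 23 10:03:24 alfa kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:13:72:a8:c3:79:00:04:00:9b:0c:a4:08:00 SRC=192.9.200.8 DST=192.9.200.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1162 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40000080A037B6B3C0000000001030300)
Aug 23 10:03:30 alfa kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:13:72:a8:c3:79:00:04:00:9b:0c:a4:08:00 SRC=192.9.200.8 DST=192.9.200.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1163 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 23 10:04:01 alfa kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:13:72:a8:c3:79:00:04:00:9b:0c:a4:08:00 SRC=203.0.113.7 DST=192.9.200.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44212 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Aug 23 10:04:05 alfa kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:13:72:a8:c3:79:00:04:00:9b:0c:a4:08:00 SRC=192.9.200.8 DST=192.9.200.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1164 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 23 09:55:28 alfa SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
"""

KERNEL_RE = re.compile(r"kernel: (SFW2-\S+) (.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_sfw2_line(line):
    """Return (chain_tag, fields, tcp_flags) for an SFW2 kernel log line,
    or None for anything else (e.g. the ip6tables warning)."""
    m = KERNEL_RE.search(line)
    if m is None:
        return None
    tag, rest = m.groups()
    fields = dict(FIELD_RE.findall(rest))   # IN=eth0, SRC=..., DPT=21, ...
    flags = {tok for tok in rest.split() if tok in TCP_FLAGS}
    return tag, fields, flags


def dropped_inbound(log_text, proto="TCP", dport=21):
    """Source addresses whose new (SYN) connections to proto/dport were
    dropped by an inbound SFW2 chain, in log order."""
    sources = []
    for line in log_text.splitlines():
        parsed = parse_sfw2_line(line)
        if parsed is None:
            continue
        tag, fields, flags = parsed
        if "DROP" not in tag or not fields.get("IN"):
            continue                      # accepted, or not an inbound packet
        if fields.get("PROTO") != proto or fields.get("DPT") != str(dport):
            continue
        if proto == "TCP" and "SYN" not in flags:
            continue                      # count connection attempts only
        sources.append(fields["SRC"])
    return sources


def suggest_trusted_nets(sources, proto="tcp", dport=21):
    """FW_TRUSTED_NETS entries, one /32 per distinct dropped source, so the
    opening covers only the hosts actually seen rather than a whole zone."""
    return [f"{src}/32,{proto},{dport}" for src in sorted(set(sources))]


if __name__ == "__main__":
    ftp_drops = dropped_inbound(SAMPLE_LOG)
    print("dropped FTP control SYNs from:", ftp_drops)
    for entry in suggest_trusted_nets(ftp_drops):
        print('FW_TRUSTED_NETS="%s"' % entry)
```

Only lines whose chain tag contains DROP and that arrived on an interface (IN= non-empty) are counted, and only SYN packets, so retransmits of the same attempt do not inflate the list and accepted connections (ACC chains) are ignored. The entries it prints open just the control port for the hosts seen; as Armin notes, the per-session data ports are left to the ip_conntrack_ftp helper rather than to a standing rule.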