> On 2011-04-30 21:23, Carlos E. R. wrote:
>> On 2011-04-30 09:06, Per Jessen wrote:
>>> Carlos E. R. wrote:
>>
>> When this has occasionally happened to me, it has always been because the
>> nf_conntrack_ftp module wasn't loaded.
>
> I forgot that one. I'll try and report back.
No... it doesn't work. I have now "nf_conntrack_ftp" loaded on both sides; it doesn't work, neither passive nor extended passive. The data connection ports are blocked by both firewalls.

FW_LOAD_MODULES="nf_conntrack_netbios_ns nf_conntrack_ftp"

Perhaps the firewall has to be told on what connections to apply that module. Ah, yes, I need "FW_SERVICES_ACCEPT_RELATED_EXT". Let me see, trying:

FW_SERVICES_ACCEPT_RELATED_EXT="192.168.1.0/24,tcp,ftp"

No, doesn't work either. AH, it needs this:

FW_SERVICES_ACCEPT_RELATED_EXT="192.168.1.0/24,tcp,ftp 192.168.1.0/24,tcp,ftp-data"

Both ports, both sides. Now it is working for me in passive mode, but not in extended passive mode. It worked for an instant in both, then broke again. Perhaps the syntax is wrong. The comment says:

## Type: string
## Default:
#
# Services to allow that are considered RELATED by the connection tracking
# engine.
#
# Format: space separated list of net,protocol[,sport[,dport]]
#
# Example:
# Allow samba broadcast replies marked as related by
# nf_conntrack_netbios_ns from a certain network:
# "192.168.1.0/24,udp,137"
#

What is sport,dport? There is no example there for ftp :-(

I tried:

FW_SERVICES_ACCEPT_RELATED_EXT="192.168.1.0/24,tcp,ftp,ftp-data"

but it does not work in any mode.

In short, I have now, on both sides:

FW_SERVICES_ACCEPT_RELATED_EXT="192.168.1.0/24,tcp,ftp \
192.168.1.0/24,tcp,ftp-data"
FW_LOAD_MODULES="nf_conntrack_netbios_ns nf_conntrack_ftp"

And it only works in (plain) passive mode.

Caveat: if I try 2 minutes later, it doesn't work:

226 File send OK.
174 bytes received in 00:00 (8.26 KB/s)
ftp> dir
ftp: No control connection for command.
ftp> dir
Not connected.
ftp>

Something has too short a memory. Could be the ftp server, could be the firewall. But I think it is a server timeout.

-- 
Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)
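The question raised in the message above, what the sport and dport fields of a FW_SERVICES_ACCEPT_RELATED_EXT entry mean, comes down to the documented format net,protocol[,sport[,dport]]: the third field is a source port and the fourth a destination port, so "192.168.1.0/24,tcp,ftp,ftp-data" is read as sport=ftp, dport=ftp-data. The POSIX shell script below is an added example written for this page; it is not code from the thread and not SuSEfirewall2's own code. It splits each entry into those fields, prints an illustrative iptables rule per entry (the rule text is this example's assumption, not what SuSEfirewall2 generates), and checks a /proc/modules-style listing for the nf_conntrack_ftp helper. The service table inside port_of is constructed so that the script runs without /etc/services.

```shell
#!/bin/sh
# Added example (not from the thread, nor SuSEfirewall2's own code): parse
# FW_SERVICES_ACCEPT_RELATED_EXT entries of the documented form
#   net,protocol[,sport[,dport]]
# into their fields, print an illustrative iptables rule for each, and
# check a /proc/modules-style listing for the nf_conntrack_ftp helper.
# The rule text is an assumption of this example, not what SuSEfirewall2 emits.

# Constructed service table standing in for /etc/services, so this runs offline.
# Numeric ports pass through unchanged; unknown names fail.
port_of() {
    case "$1" in
        ftp)         echo 21 ;;
        ftp-data)    echo 20 ;;
        ''|*[!0-9]*) return 1 ;;
        *)           echo "$1" ;;
    esac
}

# Translate one entry. Field 3 is the source port, field 4 the destination
# port, both optional; anything other than 2 to 4 non-empty leading fields
# is rejected.
related_rule() {
    old_ifs=$IFS
    IFS=,
    set -- $1
    IFS=$old_ifs
    if [ $# -lt 2 ] || [ $# -gt 4 ] || [ -z "$1" ] || [ -z "$2" ]; then
        echo "bad entry: expected net,protocol[,sport[,dport]]" >&2
        return 1
    fi
    rule="iptables -A INPUT -s $1 -p $2"
    if [ -n "$3" ]; then
        sport=$(port_of "$3") || { echo "unknown port: $3" >&2; return 1; }
        rule="$rule --sport $sport"
    fi
    if [ -n "$4" ]; then
        dport=$(port_of "$4") || { echo "unknown port: $4" >&2; return 1; }
        rule="$rule --dport $dport"
    fi
    echo "$rule -m conntrack --ctstate RELATED -j ACCEPT"
}

# Expand a whole space-separated variable value; stops at the first bad entry.
related_rules() {
    for entry in $1; do
        related_rule "$entry" || return 1
    done
}

# True when nf_conntrack_ftp appears in a /proc/modules-style file
# (defaults to the live one).
helper_loaded() {
    grep -q '^nf_conntrack_ftp ' "${1:-/proc/modules}"
}

# Demo with the two-entry value used in the message above.
related_rules "192.168.1.0/24,tcp,ftp 192.168.1.0/24,tcp,ftp-data"
```

Two things worth keeping in mind when reading the output: the ports in a RELATED rule only narrow which related connections are accepted, and in passive FTP the data ports are negotiated per transfer, so it is the helper's RELATED mark, not a fixed port, that identifies the data connection. The helper itself only inspects control connections on the ports it is configured to track (21 by default, adjustable through the module's ports parameter), so a server on a non-standard control port gets no RELATED expectations at all.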