[opensuse] problem connecting with vsftp (12.3)
Hello,

I have unexpected problem connecting to my 12.3 server using ftp.

I nearly never use ftp to connect to this server, but wordpress install needs it.

I have vsftp running and need to login using root account (I know...)

the problem may (or not) come from the fact the server is a virtual machine

ports 20 & 21 are forwarded by the host to the same on the guest (host and guest same 12.3)

root was removed from /etc/ftpusers and the vsftpd service restarted

when I ftp root@server.tld, I *can* log, issue a pwd command (->/root) or a cd command, but ls immediately close the connection.

same, ftp root@... with dolphin opens the connection but give a "can't read" message.

my old config file (11.4, working)

write_enable=YES
dirmessage_enable=YES
nopriv_user=ftpsecure
ftpd_banner=Bienvenue sur le ftp de Dodin.info
ls_recurse_enable=YES
local_enable=YES
local_umask=022
anonymous_enable=YES
anon_world_readable_only=YES
anon_umask=022
syslog_enable=YES
connect_from_port_20=YES
pam_service_name=vsftpd
listen_ipv6=YES
ssl_enable=NO
pasv_min_port=30000
pasv_max_port=30100

the new 12.3 config file:

write_enable=YES
dirmessage_enable=YES
nopriv_user=ftpsecure
ftpd_banner=Bienvenue sur le ftp de Nemo.
local_enable=YES
chroot_local_user=YES
anonymous_enable=NO
anon_world_readable_only=YES
syslog_enable=NO
connect_from_port_20=YES
pam_service_name=vsftpd
listen=YES
ssl_enable=NO
pasv_min_port=30000
pasv_max_port=30100
anon_mkdir_write_enable=NO
anon_root=/srv/ftp
anon_upload_enable=NO
chroot_local_user=NO
ftpd_banner=Bienvenue sur le ftp de Nemo
idle_session_timeout=900
log_ftp_protocol=NO
max_clients=10
max_per_ip=3
pasv_enable=YES
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=NO

(last line was YES, but YES or NO do not change my problem)

If I simply copy the 11.4 file to the new server, the vsftp start hangs..

any idea?

thanks
jdd
--
http://www.dodin.org
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
jdd wrote:
Hello,
I have unexpected problem connecting to my 12.3 server using ftp.
I nearly never use ftp to connect to this server, but wordpress install needs it.
I have vsftp running and need to login using root account (I know...)
the problem may (or not) come from the fact the server is a virtual machine
ports 20 & 21 are forwarded by the host to the same on the guest (host and guest same 12.3)
For ftp, don't you need to load nf_conntrack_ftp or something like that too?

--
Per Jessen, Zürich (14.9°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Saturday 02 November 2013, jdd wrote:
Hello,
I have unexpected problem connecting to my 12.3 server using ftp.
I nearly never use ftp to connect to this server, but wordpress install needs it.
I have vsftp running and need to login using root account (I know...)
the problem may (or not) come from the fact the server is a virtual machine
ports 20 & 21 are forwarded by the host to the same on the guest (host and guest same 12.3)
root was removed from /etc/ftpusers and the vsftpd service restarted
when I ftp root@server.tld, I *can* log, issue a pwd command (->/root) or a cd command, but ls immediately close the connection.
Does it work locally on that server?

ftp root@localhost
ftp root@public_ip

cu,
Rudi
On 02/11/2013 15:40, Ruediger Meier wrote:
Does it work locally on that server? ftp root@localhost
same thing. Connect ok, pwd ok, ls crash (ftp server stops)

I allowed logs (but still no logs in /var/logs ?)

ftp localhost
Trying 127.0.0.1...
Connected to localhost.
220 Bienvenue sur le ftp de Nemo
Name (localhost:root):
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/root"
ftp> ls
500 OOPS: priv_sock_get_int
421 Service not available, remote server has closed connection.

jdd
--
http://www.dodin.org
On Saturday 02 November 2013, jdd wrote:
On 02/11/2013 15:40, Ruediger Meier wrote:
Does it work locally on that server? ftp root@localhost
same thing. Connect ok, pwd ok, ls crash (ftp server stops)
I allowed logs (but still no logs in /var/logs ?)
ftp localhost
Trying 127.0.0.1...
Connected to localhost.
220 Bienvenue sur le ftp de Nemo
Name (localhost:root):
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/root"
ftp> ls
500 OOPS: priv_sock_get_int
421 Service not available, remote server has closed connection.
Maybe this one
https://bugzilla.redhat.com/show_bug.cgi?id=845980

workaround:
seccomp_sandbox=NO

cu,
Rudi
On 02/11/2013 19:12, Ruediger Meier wrote:
Maybe this one https://bugzilla.redhat.com/show_bug.cgi?id=845980 workaround: seccomp_sandbox=NO
I found it also, no change

but in the mean time I got a not working ftp config (some typo, presumably), so I fired Yast and reconfigure ftp got

listen=YES
anon_mkdir_write_enable=NO
anon_root=/srv/ftp
anon_upload_enable=NO
anonymous_enable=NO
chroot_local_user=NO
ftpd_banner=Bienvenue sur le ftp de Nemo
idle_session_timeout=900
local_enable=YES
log_ftp_protocol=YES
max_clients=10
max_per_ip=3
pasv_enable=YES
pasv_max_port=40500
pasv_min_port=40000
ssl_enable=NO
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
syslog_enable=YES
write_enable=YES

now I can go to ftp, have the login, but the passwd is refused... :-(

thanks
jdd
--
http://www.dodin.org
On Saturday 02 November 2013, jdd wrote:
On 02/11/2013 19:12, Ruediger Meier wrote:
Maybe this one https://bugzilla.redhat.com/show_bug.cgi?id=845980 workaround: seccomp_sandbox=NO
I found it also, no change
but in the mean time I got a not working ftp config (some typo, presumably), so I fired Yast and reconfigure ftp got
listen=YES
anon_mkdir_write_enable=NO
anon_root=/srv/ftp
anon_upload_enable=NO
anonymous_enable=NO
chroot_local_user=NO
ftpd_banner=Bienvenue sur le ftp de Nemo
idle_session_timeout=900
local_enable=YES
log_ftp_protocol=YES
max_clients=10
max_per_ip=3
pasv_enable=YES
pasv_max_port=40500
pasv_min_port=40000
ssl_enable=NO
ssl_sslv2=NO
ssl_sslv3=NO
ssl_tlsv1=YES
syslog_enable=YES
write_enable=YES
now I can go to ftp, have the login, but the passwd is refused...
Have you tried from localhost again? ftp is a bit complicated for any port forwarding, iptables etc.

For me it looks like passive mode does not work. You could try
ftp -A
or for the server
pasv_enable=NO

cu,
Rudi
On 02/11/2013 19:53, Ruediger Meier wrote:
Have you tried from localhost again? ftp is a bit complicated for any port forwarding, iptables etc.
For me it looks like passive mode does not work. You could try ftp -A or for the server pasv_enable=NO
Finally, after lot of attempts, I could get a working config with:

write_enable=YES
dirmessage_enable=YES
nopriv_user=ftpsecure
ls_recurse_enable=YES
local_enable=YES
anonymous_enable=NO
connect_from_port_20=YES
pam_service_name=vsftpd
listen=YES
pasv_min_port=30000
pasv_max_port=30100
anon_mkdir_write_enable=NO
anon_root=/srv/ftp
anon_upload_enable=NO
ftpd_banner=Bienvenue sur le ftp de Nemo.
pasv_enable=NO
seccomp_sandbox=NO

There were *two* problems.

first seccomp_sandbox is *not* compatible with the openSUSE (yast) ssl options. I had to disable them to have vsftp launch with this last line.

then pasv works locally, but not remotely.

I yet have to test with wordpress, too late tomorrow :-)

but by the way:

* is it necessary to masquerade the port 20 (ftp_data)? I did it with no change

* on remote connection all seems to work well, but when doing "ls", the message "EXTENSIVE passive mode..." displays... and keep forever. if killing (control C), I get a message with a large listing of files, as if the ls tried to list all the server's files

thanks
jdd
--
http://www.dodin.org
On Saturday 02 November 2013, jdd wrote:
On 02/11/2013 19:53, Ruediger Meier wrote:
Have you tried from localhost again? ftp is a bit complicated for any port forwarding, iptables etc.
For me it looks like passive mode does not work. You could try ftp -A or for the server pasv_enable=NO
Finally, after lot of attempts, I could get a working config with:
write_enable=YES
dirmessage_enable=YES
nopriv_user=ftpsecure
ls_recurse_enable=YES
local_enable=YES
anonymous_enable=NO
connect_from_port_20=YES
pam_service_name=vsftpd
listen=YES
pasv_min_port=30000
pasv_max_port=30100
anon_mkdir_write_enable=NO
anon_root=/srv/ftp
anon_upload_enable=NO
ftpd_banner=Bienvenue sur le ftp de Nemo.
pasv_enable=NO
seccomp_sandbox=NO
There were *two* problems.
first seccomp_sandbox is *not* compatible with the openSUSE (yast) ssl options. I had to disable them to have vsftp launch with this last line.
then pasv works locally, but not remotely.
I yet have to test with wordpress, too late tomorrow :-)
but by the way:
* is it necessary to masquerade the port 20 (ftp_data)? I did it with no change
Don't know exactly yet. Usually you need to load kernel modules like Per mentioned (nf_conntrack_ipv6, nf_conntrack_ipv4, nf_conntrack_ftp, nf_nat_ftp ...)

If you use /etc/sysconfig/SuSEfirewall2
FW_LOAD_MODULES="..."

also see
/etc/sysconfig/SuSEfirewall2.d/services/vsftpd

Could be that yast firewall is able to set it up correctly somehow.

cu,
Rudi
On 02/11/2013 21:45, Ruediger Meier wrote:
Could be that yast firewall is able to set it up correctly somehow.
AFAIR, there is no firewall on this machine (single server) - of course there is one on the host

thanks

see this tomorrow (22h here)
jdd
--
http://www.dodin.org
On 02/11/2013 21:45, Ruediger Meier wrote:
On Saturday 02 November 2013, jdd wrote:
I yet have to test with wordpress, too late tomorrow :-)
wordpress don't works. (ftp don't works for wordpress), may be it needs passive mode?
Don't know exactly yet. Usually you need to load kernel modules like Per mentioned (nf_conntrack_ipv6, nf_conntrack_ipv4, nf_conntrack_ftp, nf_nat_ftp ...)
no such module loaded. I can load it manually, but I see no difference

jdd
--
http://www.dodin.org
jdd wrote:
On 02/11/2013 21:45, Ruediger Meier wrote:
On Saturday 02 November 2013, jdd wrote:
I yet have to test with wordpress, too late tomorrow :-)
wordpress don't works. (ftp don't works for wordpress), may be it needs passive mode?
Don't know exactly yet. Usually you need to load kernel modules like Per mentioned (nf_conntrack_ipv6, nf_conntrack_ipv4, nf_conntrack_ftp, nf_nat_ftp ...)
no such module loaded. I can load it manually, but I see no difference jdd
Believe me, you need it for FTP to work probably.

--
Per Jessen, Zürich (10.8°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
Per Jessen wrote:
jdd wrote:
On 02/11/2013 21:45, Ruediger Meier wrote:
On Saturday 02 November 2013, jdd wrote:
I yet have to test with wordpress, too late tomorrow :-)
wordpress don't works. (ftp don't works for wordpress), may be it needs passive mode?
Don't know exactly yet. Usually you need to load kernel modules like Per mentioned (nf_conntrack_ipv6, nf_conntrack_ipv4, nf_conntrack_ftp, nf_nat_ftp ...)
no such module loaded. I can load it manually, but I see no difference jdd
Believe me, you need it for FTP to work probably.
... properly.

--
Per Jessen, Zürich (11.0°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 03/11/2013 16:07, Per Jessen wrote:
Don't know exactly yet. Usually you need to load kernel modules like Per mentioned (nf_conntrack_ipv6, nf_conntrack_ipv4, nf_conntrack_ftp, nf_nat_ftp ...)
Believe me, you need it for FTP to work probably.
... properly.
I have more info now.

with passive mode enabled

ftp from localhost works nicely
ftp from remote host begin to wait a very long time (2 minutes?) then gives the result of ls and wait no more on subsequent commands.

Filezilla give an error message

Le serveur a envoyé une réponse passive avec une adresse non routable. Adresse remplacée par celle du serveur.

that is "server give a passive answer with a non routable address, replaced by router's one"

but of course (?) this machine is a virtual one and /etc/hosts only have local IP, filezilla gives

227 Entering Passive Mode (192,168,56,101,117,135)

of course it can't work.

may be I have to give somewhere the public IP? but where?

thanks
jdd
--
http://www.dodin.org
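The address problem reported in this message can be read straight off the server's reply. The following is an added example, not code from any participant in the thread: it decodes a 227 reply (and, going beyond this message, the 229 extended form from RFC 2428) into the address and port the client will dial, then flags a non-routable address or a port outside the configured pasv_min_port..pasv_max_port range. Function names and finding strings are illustrative; the sample replies and the 30000-30100 range are the ones quoted in the thread.

```python
import ipaddress
import re

# 227 carries h1,h2,h3,h4,p1,p2; 229 (RFC 2428) carries only a port,
# written here with the usual "|" delimiter.
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_data_endpoint(reply, control_host):
    """Return (host, port) the client will use for the data connection.

    For 229 the reply has no address, so the client reuses the address
    of the control connection.
    """
    m = PASV_RE.match(reply)
    if m:
        nums = [int(x) for x in m.groups()]
        if max(nums) > 255:
            raise ValueError("octet out of range in 227 reply")
        host = ".".join(str(n) for n in nums[:4])
        return host, nums[4] * 256 + nums[5]
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 0 < port < 65536:
            raise ValueError("port out of range in 229 reply")
        return control_host, port
    raise ValueError("not a 227 or 229 reply: %r" % reply)


def diagnose(reply, control_host, pasv_min, pasv_max):
    """Return (host, port, findings) for one passive-mode reply."""
    host, port = parse_data_endpoint(reply, control_host)
    findings = []
    if not ipaddress.ip_address(host).is_global:
        # A remote client cannot reach this; the server is announcing
        # its address behind the NAT (the case pasv_address exists for).
        findings.append("non-routable address advertised")
    elif host != control_host:
        findings.append("data address differs from control address")
    if not pasv_min <= port <= pasv_max:
        # The gateway only forwards the configured range.
        findings.append("port outside passive range")
    return host, port, findings


if __name__ == "__main__":
    # Replies as quoted in the thread; control address is the public one.
    for line in (
        "227 Entering Passive Mode (192,168,56,101,117,135)",
        "227 Entering Passive Mode (188,165,211,22,117,75).",
        "229 Entering Extended Passive Mode (|||30068|).",
    ):
        print(line, "->", diagnose(line, "188.165.211.22", 30000, 30100))
```

A clean result here only says the reply is plausible; whether the advertised port is actually reachable still depends on the gateway forwarding it.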
jdd wrote:
On 03/11/2013 16:07, Per Jessen wrote:
Don't know exactly yet. Usually you need to load kernel modules like Per mentioned (nf_conntrack_ipv6, nf_conntrack_ipv4, nf_conntrack_ftp, nf_nat_ftp ...)
Believe me, you need it for FTP to work probably.
... properly.
I have more info now.
with passive mode enabled
ftp from localhost works nicely ftp from remote host begin to wait a very long time (2 minutes?) then gives the result of ls and wait no more on subsequent commands. Filezilla give an error message
Le serveur a envoyé une réponse passive avec une adresse non routable. Adresse remplacée par celle du serveur.
that is "server give a passive answer with a non routable address, replaced by router's one"
but of course (?) this machine is a virtual one
It should not matter whether it is real or virtual.
and /etc/hosts only have local IP, filezilla gives
227 Entering Passive Mode (192,168,56,101,117,135)
of course it can't work.
may be I have to give somewhere the public IP? but where?
If your virtual server has a public IP, yes, vsftpd should be listening on that (too). It does that by default, afaik. Maybe you can describe your configuration in a bit more detail.

--
Per Jessen, Zürich (8.9°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 03/11/2013 18:33, Per Jessen wrote:
If your virtual server has a public IP, yes, vsftpd should be listening on that (too). It does that by default, afaik. Maybe you can describe your configuration in a bit more detail.
not a dedicated one, but for now it's the only ftp server

I have a host online and the virtual server (there will be more later)

the host is openSUSE 12.3 with virtualbox and host only network. The host SuSEFirewall2 redirects ssh, http and ftp to the guest.

The internal (=virtual) network is the default virtualbox one, 192.168.56.x with "nemo" my server being 101

there is (for now) no firewall on the server

if filezilla expect on an answer the server's IP and get the local one, may be I can change /etc/hosts, but I have only one public IP for the host and the guest

thanks
jdd
--
http://www.dodin.org
On 03/11/2013 18:33, Per Jessen wrote:
If your virtual server has a public IP, yes, vsftpd should be listening on that (too). It does that by default, afaik. Maybe you can describe your configuration in a bit more detail.
things go better, but not completely:

I can connect with ftp, but only from the command line ("ftp"), and not with filezilla or dolphin.

I had to masquerade the passive ports on the host, add a pasv_address=IP and the seccomp line.

vsftp is very picky about its config file, looks like even a blank space at the end of a line or at the end of the file is enough to refuse starting (two visually identical lines, one pass, the other not).

now I have this config file:

write_enable=YES
dirmessage_enable=YES
nopriv_user=ftpsecure
ls_recurse_enable=YES
local_enable=YES
local_umask=022
anonymous_enable=NO
log_ftp_protocol=YES
vsftpd_log_file=/var/log/vsftpd.log
connect_from_port_20=YES
pam_service_name=vsftpd
listen=YES
ssl_enable=NO
pasv_min_port=30000
pasv_max_port=30100
anon_mkdir_write_enable=NO
anon_root=/srv/ftp
anon_upload_enable=NO
chroot_local_user=NO
ftpd_banner=Bienvenue sur le ftp de Nemo.
idle_session_timeout=900
log_ftp_protocol=YES
max_clients=20
max_per_ip=10
seccomp_sandbox=NO
pasv_address=<IP>

no problem to browse the server with "ftp" (even the tab completion works), but filezilla says:

Commande : LIST
Erreur : La connexion des données ne peut pas être établie : ECONNREFUSED - Connection refused by server
Erreur : Délai d'attente expiré
Erreur : Impossible de récupérer le contenu du dossier

and dolphin

Impossible d'entrer dans le dossier .

(nearly same error: impossible to read the folder)

any idea?

thanks
jdd
--
http://www.dodin.org
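The whitespace sensitivity described in this message, and the repeated options visible in the configs posted in the thread, can be caught before restarting the daemon. The following is an added example, not code from the thread or from vsftpd: a small linter for vsftpd.conf text. vsftpd.conf(5) states that it is an error to put any space between the option, = and value; the trailing-space check follows the poster's report. The function name, finding codes and sample are constructed for illustration, and the linter assumes the last occurrence of a repeated option is the one that applies.

```python
# Settings the thread switched off while debugging. Only explicit
# settings are checked; an option left at its default is not reported.
RISKY = {
    ("seccomp_sandbox", "NO"): "seccomp sandbox disabled",
    ("ssl_enable", "NO"): "no TLS, logins cross the network in cleartext",
}

# Constructed sample built from options that appear in the thread, with a
# trailing space and a spaced "=" added to show the whitespace findings.
SAMPLE = (
    "local_enable=YES\n"
    "chroot_local_user=YES\n"
    "ssl_enable=NO \n"
    "log_ftp_protocol=YES\n"
    "chroot_local_user=NO\n"
    "log_ftp_protocol=YES\n"
    "seccomp_sandbox=NO\n"
    "pasv_min_port = 30000\n"
)


def lint_vsftpd_conf(text):
    """Return [(line_number, code, detail)]; line 0 is a whole-file finding."""
    findings = []
    seen = {}       # option -> (line number, value) of the latest occurrence
    for n, raw in enumerate(text.splitlines(), 1):
        if raw == "" or raw.startswith("#"):
            continue
        if raw != raw.rstrip():
            # Invisible in an editor; reported in the thread as enough
            # to stop vsftpd from starting.
            findings.append((n, "trailing-space", repr(raw)))
        if not raw.strip():
            continue
        key, sep, value = raw.partition("=")
        if not sep:
            findings.append((n, "no-equals", raw.strip()))
            continue
        if key != key.strip() or value != value.lstrip():
            findings.append((n, "space-around-equals", raw.strip()))
        key, value = key.strip(), value.strip()
        if key in seen:
            prev_n, prev_v = seen[key]
            code = "duplicate" if prev_v == value else "conflict"
            detail = "%s was %s on line %d" % (key, prev_v, prev_n)
            findings.append((n, code, detail))
        seen[key] = (n, value)
    for (key, bad), why in RISKY.items():
        if key in seen and seen[key][1].upper() == bad:
            findings.append((0, "weakened", "%s=%s: %s" % (key, bad, why)))
    return findings


if __name__ == "__main__":
    for finding in lint_vsftpd_conf(SAMPLE):
        print(finding)
```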
jdd wrote:
write_enable=YES
dirmessage_enable=YES
nopriv_user=ftpsecure
ls_recurse_enable=YES
local_enable=YES
local_umask=022
anonymous_enable=NO
log_ftp_protocol=YES
vsftpd_log_file=/var/log/vsftpd.log
connect_from_port_20=YES
pam_service_name=vsftpd
listen=YES
ssl_enable=NO
pasv_min_port=30000
pasv_max_port=30100
anon_mkdir_write_enable=NO
anon_root=/srv/ftp
anon_upload_enable=NO
chroot_local_user=NO
ftpd_banner=Bienvenue sur le ftp de Nemo.
idle_session_timeout=900
log_ftp_protocol=YES
max_clients=20
max_per_ip=10
seccomp_sandbox=NO
pasv_address=<IP>
This is my working config

write_enable=YES
dirmessage_enable=YES
nopriv_user=ftpsecure
ftpd_banner=Welcome to the FTP service
hide_ids=YES
local_enable=YES
local_umask=022
chroot_local_user=YES
anonymous_enable=NO
anon_world_readable_only=YES
syslog_enable=YES
connect_from_port_20=YES
ascii_upload_enable=YES
pam_service_name=vsftpd
listen=NO
listen_ipv6=YES
ssl_enable=NO
pasv_min_port=30000
pasv_max_port=30100

This ftp server has public and private addresses, and the firewall has xt_conntrack, nf_conntrack_ftp, nf_conntrack_ipv4 and nf_conntrack.

--
Per Jessen, Zürich (9.9°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
Hello...

I'm pretty desperate to get a fully working config :-(

using mostly the Per Jessen one, I can log and list folders with "ftp" from terminal, as well locally than from my home, but I can't use filezilla nor dolphin!

filezilla says:

Réponse : 227 Entering Passive Mode (188,165,211,22,117,75).
Commande : LIST
Erreur : La connexion des données ne peut pas être établie : ECONNREFUSED - Connection refused by server
Erreur : Délai d'attente expiré
Erreur : Impossible de récupérer le contenu du dossier

I even loaded SuSEfirewall2 (with ftp opened, of course) and loaded the nf_* modules...

no log at all, only the systemd ones

thanks
jdd
--
http://www.dodin.org
to let you test, I created an user test, pass test...

there is problem with passive mode.

thanks
jdd
--
http://www.dodin.org
jdd wrote:
to let you test, I created an user test, pass test...
there is problem with passive mode.
# ftp 188.165.211.22
Connected to 188.165.211.22.
220 Bienvenue sur le ftp de Nemo.
Name (188.165.211.22:per): test
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||30068|).
200 EPRT command successful. Consider using EPSV.

At this point it hangs. In my experience, this is due to a missing *conntrack* module.

--
Per Jessen, Zürich (7.4°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 05/11/2013 18:57, Per Jessen wrote:
At this point it hangs. In my experience, this is due to a missing *conntrack* module.
it's probably a conntrack module error, but a config one. I could load the modules, but with default config

http://www.novell.com/documentation/opensuse110/opensuse110_reference/data/s...

says:

FW_SERVICES_ACCEPT_RELATED_* (firewall)

SuSEfirewall2 now implements a subtle change regarding packets that are considered RELATED by netfilter. For example, to allow finer grained filtering of Samba broadcast packets, RELATED packets are no longer accepted unconditionally. The new variables starting with FW_SERVICES_ACCEPT_RELATED_ have been introduced to allow restricting RELATED packets handling to certain networks, protocols and ports.

This means adding connection tracking modules (conntrack modules) to FW_LOAD_MODULES does no longer automatically result in accepting the packets tagged by those modules. Additionally, you must set variables starting with FW_SERVICES_ACCEPT_RELATED_ to a suitable value.

my SuSEfirewall file include

FW_LOAD_MODULES="nf_conntrack_netbios_ns"

what should I have

jdd
--
http://www.dodin.org
jdd wrote:
On 05/11/2013 18:57, Per Jessen wrote:
At this point it hangs. In my experience, this is due to a missing *conntrack* module.
it's probably a conntrack module error, but a config one. I could load the modules, but with default config
The modules themselves need no config.
http://www.novell.com/documentation/opensuse110/opensuse110_reference/data/s...
[snip]
my SuSEfirewall file include
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
what should I have
Sorry, I can't help with that, I don't use the SuSE firewall. Maybe you need to enable something ftp-related? Why don't you stop the firewall, load the conntrack modules and see if it works then? At least then you would know if it's a firewall issue.

--
Per Jessen, Zürich (8.6°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 05/11/2013 21:55, Per Jessen wrote:
Sorry, I can't help with that, I don't use the SuSE firewall. Maybe you need to enable something ftp-related? Why don't you stop the firewall, load the conntrack modules and see if it works then? At least then you would know if it's a firewall issue.
it is the present situation.

jdd
--
http://www.dodin.org
well, it seems all to be a SuSEfirewall2 documentation problem.

When a server is behind a gateway, with no public IP, it needs masquerading.

ftp needs two ports (ftp and ftp-data), but passive mode needs a lot of upper ports.

these ports needs to be masqueraded also. How to achieve this was not clear, as the YaST interface do not accept port range (or I didn't discover the range syntax).

so one have to dig into the /etc/sysconfig/SuSEfirewall2 file *of the gateway*.

to do this you have to insert a line like this one:

notice, after the "=" there is a ", closed at the very end of the config. This is to say that SuSEfirewall2 uses space or carriage return as separator. Like you see them, these instructions are for http (80) and ftp (the three others)

FW_FORWARD_MASQ="0/0,192.168.56.101,tcp,80 0/0,192.168.56.101,tcp,21 0/0,192.168.56.101,tcp,20 0/0,192.168.56.101,tcp,30000:30100"

of course these ports have also to be opened on the server

I was thinking I had done it, but did not use the right variable, only opening the ports, not forwarding them.

the most curious is that "ftp" worked, despite the bad config, when filezilla and dolphin didn't.

now all seems to work ok.

jdd

NB: test account is removed
--
http://www.dodin.org
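The fix described in this message comes down to one property: every port vsftpd may hand out in passive mode must be forwarded by the gateway to the guest. The following is an added example, not code from the thread or from SuSEfirewall2, that checks a FW_FORWARD_MASQ value against the control port and a passive range and reports what is missing. It parses only the four-field source,destination,protocol,port[:port] form shown above and ignores any further fields (an assumption); function names and the "before" value are constructed for illustration.

```python
GUEST = "192.168.56.101"

# Value from the message above.
FIXED = ("0/0,192.168.56.101,tcp,80 0/0,192.168.56.101,tcp,21 "
         "0/0,192.168.56.101,tcp,20 0/0,192.168.56.101,tcp,30000:30100")

# Constructed "before" value: control and data ports only, no passive range.
BEFORE = ("0/0,192.168.56.101,tcp,80 0/0,192.168.56.101,tcp,21 "
          "0/0,192.168.56.101,tcp,20")


def parse_forward_masq(value):
    """Return [(dest_ip, proto, low_port, high_port)] for each entry."""
    rules = []
    for entry in value.split():        # entries are whitespace separated
        fields = entry.split(",")
        if len(fields) < 4:
            raise ValueError("expected source,dest,proto,port: %r" % entry)
        _source, dest, proto, ports = fields[:4]
        low, _, high = ports.partition(":")
        low, high = int(low), int(high or low)
        if not 0 < low <= high < 65536:
            raise ValueError("bad port range in %r" % entry)
        rules.append((dest, proto, low, high))
    return rules


def unforwarded(rules, guest_ip, needed, proto="tcp"):
    """Return the sub-ranges of `needed` that no rule sends to guest_ip.

    needed is a list of (low, high) port ranges, for example the control
    port plus pasv_min_port..pasv_max_port from vsftpd.conf.
    """
    covered = set()
    for dest, rule_proto, low, high in rules:
        if dest == guest_ip and rule_proto == proto:
            covered.update(range(low, high + 1))
    wanted = {p for low, high in needed for p in range(low, high + 1)}
    gaps = []
    for port in sorted(wanted - covered):
        if gaps and port == gaps[-1][1] + 1:
            gaps[-1] = (gaps[-1][0], port)   # extend the current gap
        else:
            gaps.append((port, port))
    return gaps


if __name__ == "__main__":
    need = [(21, 21), (30000, 30100)]
    print("fixed :", unforwarded(parse_forward_masq(FIXED), GUEST, need))
    print("before:", unforwarded(parse_forward_masq(BEFORE), GUEST, need))
    # The YaST-generated vsftpd config earlier in the thread used
    # pasv_min_port=40000 / pasv_max_port=40500, which this value misses.
    print("yast  :", unforwarded(parse_forward_masq(FIXED), GUEST,
                                 [(21, 21), (40000, 40500)]))
```

Keeping the passive range narrow keeps the set of forwarded ports, and so the guest's exposure through the gateway, small.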
On 11/6/2013 2:47 AM, jdd wrote:
the most curious is that "ftp" worked, despite the bad config, when filezilla and dolphin didn't.
You don't need passive mode. Any competent ftp client will figure out that it's not available and not use it. Having passive is faster, but it still works. For occasional FTP transfer you don't need it. If you are going to be running a warz site or transferring huge amounts of data maybe.

--
_____________________________________
---This space for rent---
On 06/11/2013 19:37, John Andersen wrote:
On 11/6/2013 2:47 AM, jdd wrote:
the most curious is that "ftp" worked, despite the bad config, when filezilla and dolphin didn't.
You don't need passive mode. Any competent ftp client will figure out that it's not available and not use it. Having passive is faster, but it still works. For occasional FTP transfer you don't need it. If you are going to be running a warz site or transferring huge amounts of data maybe.
if I understand well (not sure), active mode needs a config on my home side (natting of ports 6000-7000 are filezilla defaults), so one needs forward somewhere.

I usually do not use ftp (but ssh or fish), but occasionally I have an application that asks for it. Most php applications are built to be used on shared hosting and do only document things for that. I experienced from time to time permission problems with local work (difference from ftp)

thanks
jdd
--
http://www.dodin.org
On 05/11/2013 12:55, jdd wrote:
I even loaded SuSEfirewall2 (with ftp opened, of course) and loaded the nf_* modules...
well... I tried to configure SuSEFirewall2 on the server. Yast complain that there is an other firewall yet in use.

are these nf_* modules this firewall??

they are so related that I can't find a way to stop them !

and I launched them by hand, I somewhat suppose that they do not acknowledge the passive ports (30000-30100), that could explain the fact that passive mode do not work.

what do you think?

I could reboot the server, but I do not like such operation :-)

I also have no some ipv6 modules loaded when I have no ipv6 config active (and ipv6 is disabled on yast)

thanks for your help
jdd
--
http://www.dodin.org
participants (4)
- jdd
- John Andersen
- Per Jessen
- Ruediger Meier