Hello,

I have set up "vsftpd" and it works fine with the firewall off. The problem is that there is no option for FTP in the services list in firewall-yast. What am I missing?

-- 
thanks, Gerrit Jan Eldering
KDE version: 3.5.0 Level "a"  System: SuSELinux 10.0  Kernel: 2.6.13-15-default
On 12/6/05, wavesurf@planet.nl <wavesurf@planet.nl> wrote:
> I have set up "vsftpd" and it works fine with the firewall off. The problem is that there is no option for FTP in the services list in firewall-yast. What am I missing?

In SuSEfirewall2 in YaST, click "Allowed Services", then "Advanced", and add 21 to the TCP list of ports.

John
On Wednesday 7 December 2005 04:03, John Scott wrote:
> In SuSEfirewall2 in YaST, click "Allowed Services", then "Advanced", and add 21 to the TCP list of ports.

I did so, but that won't work; it's very strange...

-- 
Gerrit Jan Eldering
KDE version: 3.5.0 Level "a"  System: SuSELinux 10.0  Kernel: 2.6.13-15.7-default
On Wed, 2005-12-07 at 06:36 +0100, wavesurf@planet.nl wrote:
> I did so, but that won't work; it's very strange...

Hi Gerrit,

I had a similar issue before. Firstly, if you have one network interface, you must set the interface as external, then you must disable "protect from internal", because it will override the external settings (external being the same interface as internal in my case). Enable ports 20 and 21; remember to type the port numbers space-separated, with no commas (just a space).

Enable the firewall, then from a local shell run

  # netstat --tulpen

and post the output, which shows what services are running and on which ports. Then port scan your box to see if the port is available:

  # nmap <your-ip>

which will show which ports are available. Post the output as well.

Does your /etc/xinetd.d/vsftpd file look like this?

  service ftp
  {
  #       server_args     =
  #       log_on_success  += DURATION USERID
  #       log_on_failure  += USERID
  #       nice            = 10
          disable         = yes
          socket_type     = stream
          protocol        = tcp
          wait            = no
          user            = root
          server          = /usr/sbin/vsftpd
  }

And this is a copy of my vsftpd.conf file, which is just for anonymous connections:

  chadlap:~ # grep -v ^# /etc/vsftpd.conf
  dirmessage_enable=YES
  anonymous_enable=YES
  anon_world_readable_only=YES
  syslog_enable=YES
  connect_from_port_20=YES
  pam_service_name=vsftpd

Keep posting... :')

Cheers
Chadley
On Wednesday 7 December 2005 07:25, Chadley Wilson wrote:
> Enable the firewall, then from a local shell run
>
>   # netstat --tulpen
>
> and post the output, which shows what services are running and on which ports. Then port scan your box to see if the port is available:
>
>   # nmap <your-ip>
>
> Does your /etc/xinetd.d/vsftpd file look like this?

Chadley,

Still working on it. I have 2 cards, one internal and one external. The 2 files are the same now; it was missing "disable = yes". It still won't work; I think the problem is port 20....

  PORT      STATE    SERVICE
  21/tcp    open     ftp
  22/tcp    open     ssh
  10082/tcp filtered amandaidx
  10083/tcp filtered amidxtape

  # netstat --tulpen

This one won't work? Maybe you will look here to see what the problem is:

  Dec 7 13:17:58 linux vsftpd: Wed Dec 7 13:17:58 2005 [pid 9783] CONNECT: Client "123.123.123.123"
  Dec 7 13:17:58 linux vsftpd: Wed Dec 7 13:17:58 2005 [pid 9783] FTP response: Client "123.123.123.123", "220 (vsFTPd 2.0.3)"
  Dec 7 13:17:58 linux vsftpd: Wed Dec 7 13:17:58 2005 [pid 9783] FTP command: Client "123.123.123.123", "USER gerritjanftp"
  Dec 7 13:17:58 linux vsftpd: Wed Dec 7 13:17:58 2005 [pid 9783] [gerritjanftp] FTP response: Client "123.123.123.123", "331 Please specify the password."
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9783] [gerritjanftp] FTP command: Client "123.123.123.123", "PASS <password>"
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9782] [gerritjanftp] OK LOGIN: Client "123.123.123.123"
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP response: Client "123.123.123.123", "230 Login successful."
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP command: Client "123.123.123.123", "SYST"
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP response: Client "123.123.123.123", "215 UNIX Type: L8"
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP command: Client "123.123.123.123", "PWD"
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP response: Client "123.123.123.123", "257 "/""
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP command: Client "123.123.123.123", "TYPE I"
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP response: Client "123.123.123.123", "200 Switching to Binary mode."
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP command: Client "123.123.123.123", "PASV"
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP response: Client "123.123.123.123", "227 Entering Passive Mode (192,168,1,102,54,64)"
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP command: Client "123.123.123.123", "SIZE /"
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP response: Client "123.123.123.123", "550 Could not get file size."
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP command: Client "123.123.123.123", "MDTM /"
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP response: Client "123.123.123.123", "550 Could not get file modification time."
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP command: Client "123.123.123.123", "RETR /"
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP response: Client "123.123.123.123", "550 Failed to open file."
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FAIL DOWNLOAD: Client "123.123.123.123", "/", 0.00Kbyte/sec
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP command: Client "123.123.123.123", "PASV"
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP response: Client "123.123.123.123", "227 Entering Passive Mode (192,168,1,102,45,99)"
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP command: Client "123.123.123.123", "CWD /"
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP response: Client "123.123.123.123", "250 Directory successfully changed."
  Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP command: Client "123.123.123.123", "LIST"
  Dec 7 13:19:00 linux vsftpd: Wed Dec 7 13:19:00 2005 [pid 9784] [gerritjanftp] FTP response: Client "123.123.123.123", "425 Failed to establish connection."

-- 
thanks, Gerrit Jan Eldering
KDE version: 3.5.0 Level "a"  System: SuSELinux 10.0  Kernel: 2.6.13-15.7-default
On Wed, 2005-12-07 at 13:29 +0100, wavesurf@planet.nl wrote:
> Still working on it. I have 2 cards, one internal and one external. The 2 files are the same now; it was missing "disable = yes".

Great... :')

> It still won't work; I think the problem is port 20....
>
>   PORT      STATE    SERVICE
>   21/tcp    open     ftp
>   22/tcp    open     ssh
>   10082/tcp filtered amandaidx
>   10083/tcp filtered amidxtape
>
>   # netstat --tulpen
>
> This one won't work?

It's probably not installed; use YaST. It is on the CDs.

> Maybe you will look here to see what the problem is:
> <snipped>

Looks like your firewall is fine from this, and that your config file is fine too, as it allowed you to log in.

> Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9782] [gerritjanftp] OK LOGIN: Client "123.123.123.123"
> Dec 7 13:18:00 linux vsftpd: Wed Dec 7 13:18:00 2005 [pid 9784] [gerritjanftp] FTP response: Client "123.123.123.123", "230 Login successful."

I believe the problem is the ownership and access rights of your directory. I would start by making sure gerritjanftp is a member of the correct group, which on my system is "ftp". And you must also make sure your server is not running as user root but rather as user "ftp" (in my case). Then change the group ownership of all files on your server to ftp and give them read and execute permissions:

  # chgrp ftp /path/to/files
  # chmod -R 750 /path/to/files

The -R will be recursive and modify the whole directory and its contents.

There are many different ways to run vsftpd, but I would like to suggest that you enable the option to chroot users, as there will be problems when they leave their home directories. I take it you are running an authenticated server.

Chadley
On Thursday 8 December 2005 07:32, Chadley Wilson wrote:
> I believe the problem is the ownership and access rights of your directory.

Chadley,

I have tried all you say, but with no success. The problem is still the SuSEfirewall: with the SuSEfirewall on it won't work, with the firewall off no problems. I have tried another FTP server also....

Here is a firewall log:

  Dec 8 13:43:57 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=192.168.1.102 DST=192.168.1.255 LEN=251 TOS=0x00 PREC=0x00 TTL=64 ID=23 DF PROTO=UDP SPT=138 DPT=138 LEN=231
  Dec 8 13:43:57 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=192.168.1.102 DST=192.168.1.255 LEN=234 TOS=0x00 PREC=0x00 TTL=64 ID=24 DF PROTO=UDP SPT=138 DPT=138 LEN=214
  Dec 8 13:44:46 linux kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:0c:6e:8c:2b:ae:00:04:ed:10:08:a5:08:00 SRC=123.123.123.123 DST=192.168.1.102 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3280 DF PROTO=TCP SPT=10175 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204055001010402)
  Dec 8 13:44:48 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0c:6e:8c:2b:ae:00:04:ed:10:08:a5:08:00 SRC=123.123.123.123 DST=192.168.1.102 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3323 DF PROTO=TCP SPT=10177 DPT=23869 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204055001010402)
  Dec 8 13:44:48 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0c:6e:8c:2b:ae:00:04:ed:10:08:a5:08:00 SRC=123.123.123.123 DST=192.168.1.102 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3354 DF PROTO=TCP SPT=10179 DPT=65501 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204055001010402)
  Dec 8 13:44:51 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0c:6e:8c:2b:ae:00:04:ed:10:08:a5:08:00 SRC=123.123.123.123 DST=192.168.1.102 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3360 DF PROTO=TCP SPT=10179 DPT=65501 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204055001010402)
  Dec 8 13:44:57 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:0c:6e:8c:2b:ae:00:04:ed:10:08:a5:08:00 SRC=123.123.123.123 DST=192.168.1.102 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3361 DF PROTO=TCP SPT=10179 DPT=65501 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204055001010402)

-- 
Gerrit Jan Eldering
KDE version: 3.5.0 Level "a"  System: SuSELinux 10.0  Kernel: 2.6.13-15.7-default
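Two logs in this thread fit together: the vsftpd log posted earlier announces passive data ports in its 227 replies (192,168,1,102,54,64 is port 54*256+64 = 13888) and ends with "425 Failed to establish connection." on LIST, and the kernel log above accepts the client's SYN to 21 and then drops SYNs from the same client to high ports (23869, 65501). That pattern is consistent with the passive data connection being dropped while the control connection works; the Dec 8 session's vsftpd log is not posted, so the page does not prove it. The script below is an added example, not code from the thread: it reads both logs and lists the announced passive ports whose inbound SYN the firewall dropped. The sample lines are constructed in the style of the posted ones; the PASV tuples (93,61 and 255,221) are chosen so that their ports equal the dropped DPT values, and 123.123.123.123 is the thread's placeholder client address.

```python
import re

# Constructed sample logs, modelled on the vsftpd and SuSEfirewall2 kernel log
# excerpts posted in this thread (not copied from it). The two PASV tuples are
# chosen so that their ports equal the DPT values the kernel log drops.
VSFTPD_LOG = """\
Dec  8 13:44:46 linux vsftpd: Thu Dec  8 13:44:46 2005 [pid 9783] CONNECT: Client "123.123.123.123"
Dec  8 13:44:47 linux vsftpd: Thu Dec  8 13:44:47 2005 [pid 9784] [gerritjanftp] FTP response: Client "123.123.123.123", "227 Entering Passive Mode (192,168,1,102,93,61)"
Dec  8 13:44:48 linux vsftpd: Thu Dec  8 13:44:48 2005 [pid 9784] [gerritjanftp] FTP response: Client "123.123.123.123", "227 Entering Passive Mode (192,168,1,102,255,221)"
Dec  8 13:45:48 linux vsftpd: Thu Dec  8 13:45:48 2005 [pid 9784] [gerritjanftp] FTP response: Client "123.123.123.123", "425 Failed to establish connection."
"""

KERNEL_LOG = """\
Dec  8 13:44:46 linux kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC= SRC=123.123.123.123 DST=192.168.1.102 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3280 DF PROTO=TCP SPT=10175 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0
Dec  8 13:44:48 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=123.123.123.123 DST=192.168.1.102 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3323 DF PROTO=TCP SPT=10177 DPT=23869 WINDOW=65535 RES=0x00 SYN URGP=0
Dec  8 13:44:48 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=123.123.123.123 DST=192.168.1.102 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3354 DF PROTO=TCP SPT=10179 DPT=65501 WINDOW=65535 RES=0x00 SYN URGP=0
Dec  8 13:43:57 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=192.168.1.102 DST=192.168.1.255 LEN=251 TOS=0x00 PREC=0x00 TTL=64 ID=23 DF PROTO=UDP SPT=138 DPT=138 LEN=231
"""

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": the data port is p1*256 + p2.
PASV_RE = re.compile(r'227 Entering Passive Mode \((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)')
# SuSEfirewall2 log prefixes carry the verdict: SFW2-INext-ACC-* was accepted,
# SFW2-INext-DROP-* was dropped (these are --log-prefix strings, not chain names).
SFW2_RE = re.compile(r'SFW2-INext-(ACC|DROP)-\S+ .*?PROTO=(\w+) SPT=(\d+) DPT=(\d+)')


def passive_ports(vsftpd_log):
    """TCP ports vsftpd offered to clients in 227 replies, in log order."""
    return [int(m.group(5)) * 256 + int(m.group(6)) for m in PASV_RE.finditer(vsftpd_log)]


def firewall_verdicts(kernel_log):
    """Map (proto, dport) -> 'ACC' or 'DROP' for every logged inbound packet."""
    verdicts = {}
    for m in SFW2_RE.finditer(kernel_log):
        verdicts[(m.group(2), int(m.group(4)))] = m.group(1)
    return verdicts


def dropped_data_ports(vsftpd_log, kernel_log):
    """Passive ports vsftpd announced whose inbound SYN the firewall then dropped."""
    verdicts = firewall_verdicts(kernel_log)
    return [p for p in passive_ports(vsftpd_log) if verdicts.get(('TCP', p)) == 'DROP']


def data_failures(vsftpd_log):
    """Count 425 replies: the server could not complete a data connection."""
    return len(re.findall(r'"425 ', vsftpd_log))


if __name__ == '__main__':
    print('passive ports offered :', passive_ports(VSFTPD_LOG))
    print('control port verdict  :', firewall_verdicts(KERNEL_LOG).get(('TCP', 21)))
    print('dropped data ports    :', dropped_data_ports(VSFTPD_LOG, KERNEL_LOG))
    print('425 data failures     :', data_failures(VSFTPD_LOG))
```

Run it against /var/log/messages on the server (vsftpd and kernel lines are both there on SuSE) with the client's address in the SRC field: an accepted 21 followed by dropped high ports that match the 227 replies points at the data channel, not at login, permissions or the control port.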
On Thu, 2005-12-08 at 13:48 +0100, wavesurf@planet.nl wrote:
> Dec 8 13:44:46 linux kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:0c:6e:8c:2b:ae:00:04:ed:10:08:a5:08:00 SRC=123.123.123.123 DST=192.168.1.102 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=3280 DF PROTO=TCP SPT=10175 DPT=21 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204055001010402)

Look here. I am now also a bit confused: it clearly logged that port 21 is in the SFW2-INext-ACC-TCP filter. The fact that it prompts you for a login suggests that the firewall is happy and that the port opened (21) is available.

Why it works when you disable the firewall would suggest that you are missing a rule for related and established packets.

Do an iptables-save > filename and then cat filename to see if there is a related and established rule for the SFW2-INext-ACC-TCP filter. If not, you will need to edit the firewall with the sysconfig editor provided in YaST. Look for the relevant option and see whether that helps.

Otherwise, run this command (below) manually and see if it works; this should just prove it is the firewall. Otherwise please mail me off list with your iptables-save file and let me check it and see if I can spot the mistake.

  iptables -A SFW2-INext-ACC-TCP -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Chadley
On Thursday 8 December 2005 14:47, Chadley Wilson wrote:
> Otherwise, run this command (below) manually and see if it works; this should just prove it is the firewall.
>
>   iptables -A SFW2-INext-ACC-TCP -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Chadley,

This is difficult stuff for me :) Here are the files and the things I did.

  linux:~ # iptables -A SFW2-INext-ACC-TCP -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
  iptables: No chain/target/match by that name
  linux:~ #

-- 
Gerrit Jan Eldering
KDE version: 3.5.0 Level "a"  System: SuSELinux 10.0  Kernel: 2.6.13-15.7-default
On Thu, 2005-12-08 at 15:41 +0100, wavesurf@planet.nl wrote:
> This is difficult stuff for me :) Here are the files and the things I did.
>
>   linux:~ # iptables -A SFW2-INext-ACC-TCP -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
>   iptables: No chain/target/match by that name
>   linux:~ #

I added this to the firewall and now it works; try it for me.

Edit /etc/sysconfig/SuSEfirewall2:

  FW_SERVICES_ACCEPT_EXT="0/0,tcp,21 0/0,tcp,22"
  FW_TRUSTED_NETS="172.100.0.0/16"

Obviously replace with your network range..

Chadley
On Thursday 8 December 2005 16:35, Chadley Wilson wrote:
> I added this to the firewall and now it works; try it for me.
>
> Edit /etc/sysconfig/SuSEfirewall2:
>
>   FW_SERVICES_ACCEPT_EXT="0/0,tcp,21 0/0,tcp,22"
>   FW_TRUSTED_NETS="172.100.0.0/16"
>
> Obviously replace with your network range..

No, that did not do it.....

-- 
Gerrit Jan Eldering
KDE version: 3.5.0 Level "a"  System: SuSELinux 10.0  Kernel: 2.6.13-15.7-default
On Thu, 2005-12-08 at 16:53 +0100, wavesurf@planet.nl wrote:
> No, that did not do it.....

Try loading the attached firewall generated by iptables-save:

  iptables-restore chadleyiptable

If it works we can compare and find the difference, because this one works here... mmm, I sense voodoo.. :')

Chadley
On Thu, 2005-12-08 at 18:03 +0200, Chadley Wilson wrote:
> Try loading the attached firewall generated by iptables-save:
>
>   iptables-restore chadleyiptable
>
> If it works we can compare and find the difference, because this one works here...

OOPS! Just change the lines referring to my network:

  -A input_ext -s 172.100.0.0/255.255.0.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-ACC-TRUST " --log-tcp-options --log-ip-options
  -A input_ext -s 172.100.0.0/255.255.0.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
On Thursday 8 December 2005 17:06, Chadley Wilson wrote:
> OOPS! Just change the lines referring to my network:
>
>   -A input_ext -s 172.100.0.0/255.255.0.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-ACC-TRUST " --log-tcp-options --log-ip-options
>   -A input_ext -s 172.100.0.0/255.255.0.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

Chadley,

It looks like voodoo; nothing I try will work....grrrrrrrrrr. I think I will continue working with SSH; there are no problems with that. When I do a fresh install of SuSELinux 10.1??, I will try again.

All thanks for the support :)

-- 
thanks, Gerrit Jan Eldering
KDE version: 3.5.0 Level "a"  System: SuSELinux 10.0  Kernel: 2.6.13-15.7-default
On Thu, 2005-12-08 at 18:28 +0100, wavesurf@planet.nl wrote:
> It looks like voodoo; nothing I try will work....grrrrrrrrrr. I think I will continue working with SSH; there are no problems with that. When I do a fresh install of SuSELinux 10.1??, I will try again.
>
> All thanks for the support :)

It's a pleasure. I hope you get it right; keep trying, you will find it is something small and stupid at the end of the day... I can't say too much about 10.1, as I am still on 10.0. Maybe there's a small issue with ftp on 10.1; maybe someone on the list running 10.1 can clear this up for us..

Chadley
On Thursday 08 December 2005 19:28, wavesurf@planet.nl wrote:
> It looks like voodoo; nothing I try will work....grrrrrrrrrr. I think I will continue working with SSH; there are no problems with that. When I do a fresh install of SuSELinux 10.1??, I will try again.

Don't use 10.1 unless you know what you are doing. It's still in alpha stage and there can be a lot of bugs.

> All thanks for the support :)

You're welcome!

Cheers,
-- 
Damian Mihai Liviu
Mobile: +40 741 226993; Fax: +1 347-632-4117
Phone : +1 360-526-6441; +1 347-632-4117; +44 0870-3403339
URL: http://liviudm.blogspot.com
On Thursday 8 December 2005 20:04, Damian Mihai Liviu wrote:
> Don't use 10.1 unless you know what you are doing. It's still in alpha stage and there can be a lot of bugs.

No, I won't... :) I'll wait till May or April, when the next one will be there.

-- 
Gerrit Jan Eldering
KDE version: 3.5.0 Level "a"  System: SuSELinux 10.0  Kernel: 2.6.13-15.7-default
On Thursday 08 December 2005 14:48, wavesurf@planet.nl wrote:
> I have tried all you say, but with no success. The problem is still the SuSEfirewall: with the SuSEfirewall on it won't work, with the firewall off no problems. I have tried another FTP server also....
>
> Here is a firewall log:

Can you post the output of

  # iptables -L | grep ftp

please?

Cheers,
-- 
Damian Mihai Liviu
On Thursday 8 December 2005 15:30, Damian Mihai Liviu wrote:
> iptables -L | grep ftp

  linux:~ # iptables -L | grep ftp
  LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ftp-data flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
  ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp-data
  LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
  ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
  ACCEPT     udp  --  anywhere             anywhere            udp dpt:ftp-data
  linux:~ #

-- 
Gerrit Jan Eldering
KDE version: 3.5.0 Level "a"  System: SuSELinux 10.0  Kernel: 2.6.13-15.7-default
wavesurf@planet.nl wrote:
> Maybe you will look here to see what the problem is:
> [gerritjanftp] FTP response: Client "123.123.123.123", "227 Entering Passive

Isn't that the key? You are using passive mode.

I must be missing something here. I have been using vsftpd for a few years with SuSE and never had this much trouble. I too have two NICs and am using SuSEfirewall2 to make the computer a NAT router for my home net, and even in a lab at work. Like you I am using vsftpd. I am certainly no FTP expert, but I believe that passive mode uses other high ports, and I think I remember they are randomly selected. For that reason I use FTP only in active mode, in order to avoid that issue with the firewall. You are getting connected, so the firewall is letting you use port 21. I have no idea how to get the firewall to deal with the other high ports used for passive, so that is why I stayed with active mode. With some clients that I use, I have to set the option for active mode only.

As a side point, I haven't seen anyone mention tampering with /etc/sysconfig/SuSEfirewall2. That's where I always go to tamper with things not covered by YaST.

Damon Register
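The passive data port is chosen by vsftpd (p1*256+p2 in the 227 reply) from the high range, and SuSEfirewall2 admits only the ports you list, which is how a control connection on 21 can succeed while LIST ends in 425. vsftpd's pasv_min_port and pasv_max_port settings pin that choice to a fixed range, and that range can then be opened in the firewall. Two points the thread's own output supports: the iptables -L listing above shows SFW2-INext-ACC-TCP after `prefix`, so it is a --log-prefix string and not a chain, which is why appending a rule to it failed with "No chain/target/match by that name"; and the only ftp-related accept rules in that listing are for dpt:ftp and dpt:ftp-data, neither of which covers a passive port. The checker below is an added example, not code from the thread or from the SuSEfirewall2 package: it reads a vsftpd.conf and a /etc/sysconfig/SuSEfirewall2 fragment (both constructed here) and reports whether the passive range is pinned and opened. The first:last range syntax in FW_SERVICES_EXT_TCP is an assumption about SuSEfirewall2; confirm it against the comments in your release's sysconfig file.

```python
import re

# Constructed configuration fragments (not posted in the thread). The "loose"
# pair is the situation the thread describes: vsftpd free to pick any high port
# for passive data connections while SuSEfirewall2 admits only 21 and 22.
# The "pinned" pair fixes the passive range and opens exactly that range.
VSFTPD_LOOSE = """\
# /etc/vsftpd.conf (fragment)
listen=YES
local_enable=YES
pasv_enable=YES
"""
SFW2_LOOSE = """\
# /etc/sysconfig/SuSEfirewall2 (fragment)
FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="21 22"
"""
VSFTPD_PINNED = """\
listen=YES
local_enable=YES
pasv_enable=YES
pasv_min_port=30000
pasv_max_port=30100
"""
SFW2_PINNED = """\
FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="21 22 30000:30100"
"""


def parse_kv(text):
    """key=value lines as used by both files; comments and blank lines skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' not in line:
            continue
        key, value = line.split('=', 1)
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def allowed_tcp_ports(sysconfig):
    """Ports opened on the external interface by FW_SERVICES_EXT_TCP.
    Assumption: a token is a port number, the service name ftp, or a
    first:last range (the colon syntax SuSEfirewall2 uses for ranges)."""
    ports = set()
    for token in parse_kv(sysconfig).get('FW_SERVICES_EXT_TCP', '').split():
        if re.fullmatch(r'\d+:\d+', token):
            low, high = (int(x) for x in token.split(':'))
            ports.update(range(low, high + 1))
        elif token.isdigit():
            ports.add(int(token))
        elif token == 'ftp':   # names resolve through /etc/services; only ftp handled here
            ports.add(21)
    return ports


def passive_range(vsftpd_conf):
    """(min, max) from pasv_min_port/pasv_max_port, or None when vsftpd may
    use any free port (its default when either is unset or 0)."""
    cfg = parse_kv(vsftpd_conf)
    low = int(cfg.get('pasv_min_port', 0))
    high = int(cfg.get('pasv_max_port', 0))
    if low and high and low <= high:
        return low, high
    return None


def check(vsftpd_conf, sysconfig):
    """Problems a passive-mode client would hit with this server/firewall pair."""
    problems = []
    allowed = allowed_tcp_ports(sysconfig)
    if 21 not in allowed:
        problems.append('control port 21/tcp is not opened')
    rng = passive_range(vsftpd_conf)
    if rng is None:
        problems.append('passive range not pinned: set pasv_min_port/pasv_max_port')
    else:
        missing = [p for p in range(rng[0], rng[1] + 1) if p not in allowed]
        if missing:
            problems.append('%d of %d passive ports not opened, first %d'
                            % (len(missing), rng[1] - rng[0] + 1, missing[0]))
    return problems


if __name__ == '__main__':
    for name, vcfg, fcfg in (('loose', VSFTPD_LOOSE, SFW2_LOOSE),
                             ('pinned', VSFTPD_PINNED, SFW2_PINNED)):
        print(name, '->', check(vcfg, fcfg) or ['ok'])
```

Opening a pinned range is the approach that needs nothing from the kernel. The alternative is the ip_conntrack_ftp connection-tracking helper, which reads the PASV/PORT exchange on the control connection and marks the data connection RELATED, so a RELATED,ESTABLISHED accept rule admits it without any fixed ports; whether and how your SuSEfirewall2 release loads that module is not shown in this thread, so check the sysconfig file's comments before relying on it. Keep the range small: every port in it is reachable from the whole Internet once opened.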
On Thu, 2005-12-08 at 10:40 -0500, Damon Register wrote:
> I have no idea how to get the firewall to deal with the other high ports used for passive, so that is why I stayed with active mode.

The high port option that I used in SuSE 7 and 8 has been or will soon be deprecated in SuSEfirewall2. It is still available in the file /etc/sysconfig/SuSEfirewall2, but it didn't seem to make much difference here. But you can try it:

  FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"

That's why I did not mention it earlier, but what I posted earlier should work. Also, if you can, turn off masqueraded networks.

Chadley
Chadley Wilson wrote:
> The high port option that I used in SuSE 7 and 8 has been or will soon be deprecated in SuSEfirewall2.

Doesn't that usually mean that there is something else that is newer and better? If so, what is the new way?

> It is still available in the file /etc/sysconfig/SuSEfirewall2, but it didn't seem to make much difference here. But you can try it:
>
>   FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"

I forgot about that, but I do remember that I never got FTP to work in any mode other than active.

> That's why I did not mention it earlier, but what I posted earlier should work. Also, if you can, turn off masqueraded networks.

I don't know about Gerrit's requirements, but NAT routing is what I do at home and at work. Not an option in either place. Gerrit, is using FTP in active mode not an option for you? I guess if you ever figure this out, then I will be able to do what I never could before (passive FTP).

Damon Register
On Thu, 2005-12-08 at 14:23 -0500, Damon Register wrote:
Chadley Wilson wrote:
The high port option that I used in Suse 7 8 has or will soon be depreciated in SuSEFirewall2. Doesn't that usually mean that there is something else that is newer and better? If so, what is the new way?
Well I googled around and found the answer but it didn't say what the better way was !?
It is still available in the file /etc/sysconfig/SuSEFirewall2 but it didn't seem to make much difference here. BUt you can try it,
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data" I forgot about that but I do remember that I never got ftp to work in any other than active mode.
Thats why I did not mention it earlier, but what I posted earlier should work, also If you can turn off masquerade networks, I don't know about Gerrit's requirements but NAT routing is what I do at home and work. Not an option in either place. Gerrit, is using ftp in active mode not an option for you? I guess if you ever figure this out, then I will be able to do what I never could before (passive ftp).
I am not sure I understand your point, so let me ask this: what is the difference between active and passive ftp?
Damon Register
Chadley
The Friday 2005-12-09 at 07:52 +0200, Chadley Wilson wrote:
I am not sure I understand your point, so let me ask this: what is the difference between active and passive ftp?
Active ftp needs port 20/tcp (ftp-data) open in the _client_. The server, after getting the connection on its port 21, opens an outgoing connection to the client from port 20. There are thus two connections, one for control, another for the data sent. Passive does not need that port open in the client.
-- Cheers, Carlos Robinson
On Friday 9 December 2005 14:24, Carlos E. R. wrote:
The Friday 2005-12-09 at 07:52 +0200, Chadley Wilson wrote:
I am not sure I understand your point, so let me ask this: what is the difference between active and passive ftp?
Active ftp needs port 20/tcp (ftp-data) open in the _client_. The server, after getting the connection on its port 21, opens an outgoing connection to the client from port 20. There are thus two connections, one for control, another for the data sent.
Passive does not need that port open in the client.
-- Cheers, Carlos Robinson
In the firewall ports 20 and 21 tcp are open and 20 udp too.... The strange thing is it won't show here:
linux:~ # nmap 00.00.00.00
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-12-09 16:42 CET
Host ip5450f417.speed.planet.nl (00.00.00.00) seems to be a subnet broadcast address (returned 1 extra pings). Still scanning it due to ping response from its own IP.
Interesting ports on ip5450f417.speed.planet.nl (00.00.00.00):
(The 1659 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
10082/tcp filtered amandaidx
10083/tcp filtered amidxtape
Nmap finished: 1 IP address (1 host up) scanned in 5.385 seconds
-- Gerrit Jan Eldering
KDE version: 3.5.0 Level "a" System: SuSELinux 10.0 Kernel: 2.6.13-15.7-default
The Friday 2005-12-09 at 17:11 +0100, wavesurf@planet.nl wrote:
In the firewall ports 20 and 21 tcp are open and 20 udp too.... The strange thing is it won't show here:
Opening port 20 in the server is useless, as it is not used by the ftp server. Remember that I said that port 20 is opened for input in the _client_. Outgoing ports do not need opening in firewalls.
linux:~ # nmap 00.00.00.00
Remember you need to use nmap from a machine outside of the firewall.
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-12-09 16:42 CET
Host ip5450f417.speed.planet.nl (00.00.00.00) seems to be a subnet broadcast address (returned 1 extra pings). Still scanning it due to ping response from its own IP.
¿Could be the router?
-- Cheers, Carlos Robinson
The Saturday 2005-12-10 at 08:49 +0100, wavesurf@planet.nl wrote:
¿Could be the router?
No because with the susefirewall off it's working.
I meant the double ping.
...
By the way, I just read that "passive" ftp is difficult to set up in the server firewall, because it needs to open an arbitrary high port on request from the client. This port is unknown beforehand, it is different for each new client, and it has to be opened on the fly. The firewall has to keep track of the ftp connection and open the needed port when it is needed. I have no idea how this is handled by SuSEfirewall nowadays; the doc I read is old. On the other hand, "active" is easier on the server side, but more difficult on the client. You might try active.
-- Cheers, Carlos Robinson
The Saturday 2005-12-10 at 08:49 +0100, wavesurf@planet.nl wrote:
¿Could be the router?
No because with the susefirewall off it's working.
I meant the double ping.
...
By the way, I just read that "passive" ftp is difficult to set up in the server firewall, because it needs to open an arbitrary high port on request from the client. This port is unknown beforehand, it is different for each new client, and it has to be opened on the fly. The firewall has to keep track of the ftp connection and open the needed port when it is needed.
I have no idea how this is handled by SuSEfirewall nowadays; the doc I read is old.
On the other hand, "active" is easier on the server side, but more difficult on the client. You might try active.
I have been reading the pdf of the firewall too, heavy stuff.... and old. I keep it active, and switch off the susefirewall when needed; there is always the firewall in my router/modem. I have tried so many things that vsftpd won't work anymore, but I have pure-ftpd working (only with susefirewall off). Taking a break now from this problem...
-- Thanks, Gerrit Jan Eldering
KDE version: 3.5.0 Level "a" System: SuSELinux 10.0 Kernel: 2.6.13-15.7-default
Carlos E. R. wrote:
The Saturday 2005-12-10 at 08:49 +0100, wavesurf@planet.nl wrote:
¿Could be the router?
No because with the susefirewall off it's working.
I meant the double ping.
...
By the way, I just read that "passive" ftp is difficult to set up in the server firewall, because it needs to open an arbitrary high port on request from the client. This port is unknown beforehand, it is different for each new client, and it has to be opened on the fly. The firewall has to keep track of the ftp connection and open the needed port when it is needed.
I have no idea how this is handled by SuSEfirewall nowadays; the doc I read is old.
On the other hand, "active" is easier on the server side, but more difficult on the client. You might try active.
Active ftp doesn't work well with address translation or firewalls.
On Fri, 2005-12-09 at 14:24 +0100, Carlos E. R. wrote:
The Friday 2005-12-09 at 07:52 +0200, Chadley Wilson wrote:
I am not sure I understand your point, so let me ask this: what is the difference between active and passive ftp?
Active ftp needs port 20/tcp (ftp-data) open in the _client_. The server, after getting the connection on its port 21, opens an outgoing connection to the client from port 20. There are thus two connections, one for control, another for the data sent.
Passive does not need that port open in the client.
A straightforward answer, that's what I like. Thank you very much.
Chadley
On Fri, 9 Dec 2005 14:24 +0100 (CET) Carlos E. R. wrote:
The Friday 2005-12-09 at 07:52 +0200, Chadley Wilson wrote:
I am not sure I understand your point, so let me ask this: what is the difference between active and passive ftp?
Active ftp needs port 20/tcp (ftp-data) open in the _client_. The server, after getting the connection on its port 21, opens an outgoing connection to the client from port 20. There are thus two connections, one for control, another for the data sent.
Passive does not need that port open in the client.
Looks like it's related to the issue I'm dealing with. I'm simply using gFTP as an ftp client. It works well with all ftp servers except for one that needs passive mode disabled. (In gFTP: FTP > Options > tab FTP > uncheck 'Passive file transfers'.) This only works if the firewall is stopped, although the above suggests that opening port 20 would be sufficient.
From the help text that pops up in gFTP:
Passive file transfers: if this is enabled, then the remote FTP server will open up a port for the data connection. If you are behind a firewall, you will need to enable this. Generally, it is a good idea to keep this enabled unless you are connecting to an older FTP server that doesn't support this. If this is disabled, then gFTP will open up a port on the client side and the remote server will attempt to connect to it.
From the gFTP log, after logging in:
SYST
215 Windows_NT version 5.0
TYPE I
200 Type set to I.
PWD
257 "/" is current directory.
Loading directory listing / from server (LC_TIME=en_GB.UTF-8)
PORT 192,168,2,2,4,7
200 PORT command successful.
LIST -aL
150 Opening BINARY mode data connection for /bin/ls.
A status line says "Receiving file names...." and here it keeps hanging forever, apparently something is waiting before a closed port.
S.H.
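As an added example (not code from the thread or from gFTP), the small Python parser below decodes the PORT command in the log above (192,168,2,2,4,7 is 192.168.2.2 port 4*256+7 = 1031) and a constructed 227 passive-mode reply, and records for each which side's firewall must accept the inbound data connection, which is the active/passive distinction Carlos described. The sample log lines and the 10.0.0.5 server address are constructed for the example.

```python
import re
from dataclasses import dataclass

# RFC 959 encodes host and port as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class DataConnection:
    mode: str     # "active" (client sent PORT) or "passive" (server replied 227)
    ip: str       # address the peer will connect to
    port: int     # high port the peer will connect to
    accepts: str  # side whose firewall must allow the inbound data connection


def _decode(groups, mode, accepts):
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError(f"byte out of range in {mode} address: {nums}")
    return DataConnection(mode, ".".join(map(str, nums[:4])),
                          nums[4] * 256 + nums[5], accepts)


def parse_data_line(line):
    """Return a DataConnection for a PORT command or a 227 reply, else None."""
    line = line.strip()
    m = PORT_RE.match(line)
    if m:
        # Active mode: the client listens; the server connects out from port 20
        # (ftp-data), so only the client's firewall needs an opening.
        return _decode(m.groups(), "active", "client")
    m = PASV_RE.match(line)
    if m:
        # Passive mode: the server listens on a high port chosen per session,
        # so the server's firewall (or its conntrack helper) must admit it.
        return _decode(m.groups(), "passive", "server")
    return None


def data_connections(log_lines):
    """All data-connection announcements found in a control-channel log."""
    return [c for c in map(parse_data_line, log_lines) if c is not None]


# Constructed sample modelled on the gFTP session quoted in the thread.
GFTP_LOG = ["TYPE I", "200 Type set to I.", "PORT 192,168,2,2,4,7",
            "200 PORT command successful.", "LIST -aL",
            "150 Opening BINARY mode data connection for /bin/ls."]
# Constructed passive-mode reply; 10.0.0.5 is a placeholder server address.
PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,195,88)"
```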
The Friday 2005-12-09 at 20:21 +0100, Sjoerd Hiemstra wrote:
server, after getting the connection on its port 21, opens an outgoing connection to the client from port 20. There are thus two connections, one for control, another for the data sent.
Passive does not need that port open in the client.
Looks like it's related to the issue I'm dealing with. I'm simply using gFTP as an ftp client. It works well with all ftp servers except for one that needs passive mode disabled. (In gFTP: FTP > Options > tab FTP > uncheck 'Passive file transfers'.) This only works if the firewall is stopped, although the above suggests that opening port 20 would be sufficient.
In older versions of SuSE we used this in "/etc/sysconfig/SuSEfirewall2": FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data" But since I don't know exactly when (at some point in time since we use kernel 2.6.x) the conntrack module should take care of that transparently. In SuSE 9.3 it is not needed, that I know.
From the gFTP log, after logging in:
I don't know the exact point at which the data port connection is needed; but if you open that port and it works, then that was it.
-- Cheers, Carlos Robinson
The Thursday 2005-12-08 at 17:47 +0200, Chadley Wilson wrote:
It is still available in the file /etc/sysconfig/SuSEFirewall2 but it didn't seem to make much difference here. But you can try it,
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
That option only needed to be used on the client side, not the server. And currently, it is not needed.
-- Cheers, Carlos Robinson
On Wednesday 07 December 2005 05:03, John Scott wrote:
In susefirewall-yast, click allowed services then advanced and add then add 21 to the tcp list of ports.
Not only 21/tcp. If you look in /etc/services you'll find that FTP uses 3 ports:
liviudm@liviudm:~> cat /etc/services | grep ftp | head -3
ftp-data 20/tcp # File Transfer [Default Data]
ftp-data 20/udp # File Transfer [Default Data]
ftp 21/tcp # File Transfer [Control]
The comments are self explanatory.
Cheers,
-- Damian Mihai Liviu Mobile: +40 741 226993; Fax: +1 347-632-4117 Phone : +1 360-526-6441; +1 347-632-4117; +44 0870-3403339 URL: http://liviudm.blogspot.com
On Wednesday 7 December 2005 14:41, Damian Mihai Liviu wrote:
On Wednesday 07 December 2005 05:03, John Scott wrote:
In susefirewall-yast, click allowed services then advanced and add then add 21 to the tcp list of ports.
Not only 21/tcp. If you look in /etc/services you'll find that FTP uses 3 ports:
liviudm@liviudm:~> cat /etc/services | grep ftp | head -3
ftp-data 20/tcp # File Transfer [Default Data]
ftp-data 20/udp # File Transfer [Default Data]
ftp 21/tcp # File Transfer [Control]
The comments are self explanatory.
Cheers,
Did not do it??? Open services, ports and protocols: SSH; TCP ports: 20, 21; UDP ports: 20
-- Gerrit Jan Eldering
KDE version: 3.5.0 Level "a" System: SuSELinux 10.0 Kernel: 2.6.13-15.7-default