Hello,
I have been using SuSE since 7.2 and I never faced a problem like this. I would like to apologize in advance if my question is stupid... and I have googled a bit before asking!
I have configured a simple ftp server using vsftpd, opened the port 21 (both tcp and udp) in Susefirewall and ... I can connect but not obtain the directory list, unless I disable the firewall. What is odd is that using the same configuration on a computer running SuSE 9.2, the ftp server works fine. If I connect to the computer using sftp (through ssh2), it is working. The problem seems to start after the connection to the server when it entered into the passive mode. This happens with 2 different computers running opensuse (1 x86_64 and 1 i386). I don't understand the changes between SuSE 9.2 and opensuse in Susefirewall which impair the ftp transfer.
Any help is appreciated
Thank you.
--
___________________________________________________
Matthias Titeux, PhD
Departement de génétique des maladies epithéliums
INSERM U563 - CPTP
Pavillon Lefebvre, 5ème étage
CHU Purpan
31059 Toulouse cedex 03
__________________________________________________
On Monday 13 March 2006 12:36, Matthias Titeux wrote:
> Hello,
> I have been using SuSE since 7.2 and I never faced a problem like this. I would like to apologize in advance if my question is stupid... and I have googled a bit before asking!
> I have configured a simple ftp server using vsftpd, opened the port 21 (both tcp and udp) in Susefirewall and ... I can connect but not obtain the directory list, unless I disable the firewall. What is odd is that using the same configuration on a computer running SuSE 9.2, the ftp server works fine. If I connect to the computer using sftp (through ssh2), it is working. The problem seems to start after the connection to the server when it entered into the passive mode. This happens with 2 different computers running opensuse (1 x86_64 and 1 i386). I don't understand the changes between SuSE 9.2 and opensuse in Susefirewall which impair the ftp transfer.
> Any help is appreciated
You do know that ftp uses port 20 too, not only 21, right?
On Monday 13 March 2006 11:52, Silviu Marin-Caea wrote:
> On Monday 13 March 2006 12:36, Matthias Titeux wrote:
>> Hello,
>> I have been using SuSE since 7.2 and I never faced a problem like this. I would like to apologize in advance if my question is stupid... and I have googled a bit before asking!
>> I have configured a simple ftp server using vsftpd, opened the port 21 (both tcp and udp) in Susefirewall and ... I can connect but not obtain the directory list, unless I disable the firewall. What is odd is that using the same configuration on a computer running SuSE 9.2, the ftp server works fine. If I connect to the computer using sftp (through ssh2), it is working. The problem seems to start after the connection to the server when it entered into the passive mode. This happens with 2 different computers running opensuse (1 x86_64 and 1 i386). I don't understand the changes between SuSE 9.2 and opensuse in Susefirewall which impair the ftp transfer.
>> Any help is appreciated
> You do know that ftp uses port 20 too, not only 21, right?
Yes I opened port 20 as well!
Thank you for the answer.
Regards
Matthias
Matthias Titeux wrote:
> On Monday 13 March 2006 11:52, Silviu Marin-Caea wrote:
>> On Monday 13 March 2006 12:36, Matthias Titeux wrote:
>>> Hello,
>>> I have been using SuSE since 7.2 and I never faced a problem like this. I would like to apologize in advance if my question is stupid... and I have googled a bit before asking!
>>> I have configured a simple ftp server using vsftpd, opened the port 21 (both tcp and udp) in Susefirewall and ... I can connect but not obtain the directory list, unless I disable the firewall. What is odd is that using the same configuration on a computer running SuSE 9.2, the ftp server works fine. If I connect to the computer using sftp (through ssh2), it is working. The problem seems to start after the connection to the server when it entered into the passive mode. This happens with 2 different computers running opensuse (1 x86_64 and 1 i386). I don't understand the changes between SuSE 9.2 and opensuse in Susefirewall which impair the ftp transfer.
>>> Any help is appreciated
>> You do know that ftp uses port 20 too, not only 21, right?
> Yes I opened port 20 as well!
I tried for ages to get ftp working and eventually, after opening up ports left, right and centre I saw the light! Instead of using ftp I used sftp and all was fine. (and it's far more secure)
Luck!
Colin
The Monday 2006-03-13 at 11:36 +0100, Matthias Titeux wrote:
> If I connect to the computer using sftp (through ssh2), it is working. The problem seems to start after the connection to the server when it entered into the passive mode.
I'm in lazy mode now, so I don't remember which is which; in passive mode the server side firewall is problematic, and in active mode it is the client side firewall which is problematic - or the other way round, I'd have to check, but I won't right now ;-)
And, in recent SuSE versions, this should be handled transparently by the ftp conntrack module.
nimrodel:~ # lsmod | grep conntrack
ip_conntrack_ftp 73616 1 ip_nat_ftp
ip_conntrack 45624 4 ipt_state,ip_nat_ftp,iptable_nat,ip_conntrack_ftp
Perhaps declaring the ftp port by name instead of number will make the trick, dunno.
> This happens with 2 different computers running opensuse (1 x86_64 and 1 i386). I don't understand the changes between SuSE 9.2 and opensuse in Susefirewall which impair the ftp transfer.
There is no opensuse distro. I suppose you mean suse 10.0 oss.
--
Cheers,
Carlos Robinson
On Monday 13 March 2006 16:12, Carlos E. R. wrote:
> The Monday 2006-03-13 at 11:36 +0100, Matthias Titeux wrote:
>> If I connect to the computer using sftp (through ssh2), it is working. The problem seems to start after the connection to the server when it entered into the passive mode.
> I'm in lazy mode now, so I don't remember which is which; in passive mode the server side firewall is problematic, and in active mode it is the client side firewall which is problematic - or the other way round, I'd have to check, but I won't right now ;-)
> And, in recent SuSE versions, this should be handled transparently by the ftp conntrack module.
> nimrodel:~ # lsmod | grep conntrack
> ip_conntrack_ftp 73616 1 ip_nat_ftp
> ip_conntrack 45624 4 ipt_state,ip_nat_ftp,iptable_nat,ip_conntrack_ftp
> Perhaps declaring the ftp port by name instead of number will make the trick, dunno.
>> This happens with 2 different computers running opensuse (1 x86_64 and 1 i386). I don't understand the changes between SuSE 9.2 and opensuse in Susefirewall which impair the ftp transfer.
> There is no opensuse distro. I suppose you mean suse 10.0 oss.
> --
> Cheers, Carlos Robinson
Thanks Carlos,
Yes I meant SuSE 10.0 oss, sorry for the confusion.
I tried to declare ftp instead of port 20 and 21 in Susefirewall (both TCP and UDP) on both the server and the client (2 SuSE 10.0 oss computers).
The problem is still there!
What is funny is when I tried from a Mac OS X computer (GO> Connect to server> ftp://my-ip-/my-name/) I was able to list the directory!!! I did not specify sftp, but maybe OS X is using it by default....
I keep trying...
Regards
Matthias
The Monday 2006-03-13 at 16:59 +0100, Matthias Titeux wrote:
> I tried to declare ftp instead of port 20 and 21 in Susefirewall (both TCP and UDP) on both the server and the client (2 SuSE 10.0 oss computers).
> The problem is still there!
I have
FW_SERVICES_INT_TCP="ftp ftp-data"
or
FW_TRUSTED_NETS="192.168.1.11,tcp,ftp 192.168.1.11,tcp,ftp-data"
(I consider that network external, it is connected to the internet router).
> What is funny is when I tried from a Mac OS X computer (GO> Connect to server> ftp://my-ip-/my-name/) I was able to list the directory!!! I did not specify sftp, but maybe OS X is using it by default....
I'd rather think that it is a problem at the client side firewall. Or that the Mac uses the other method (active or passive).
In active mode the client side "activates" a high port for data, to which the server side connects. The firewall has to be told somehow about that port.
In passive mode it is the server side who has problems with its firewall.
For example, in the "vsftpd" server you can allocate some ports for this:
pasv_max_port
The maximum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.
Default: 0 (use any port)
pasv_min_port
The minimum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.
Default: 0 (use any port)
Other servers have equivalent settings.
And then, you open that range in the firewall. I thought this was not needed with the conntrack modules, but... dunno, someone told me he forced loading those modules manually.
One last thing: if you are connecting through internet, I would rather use sftp.
--
Cheers,
Carlos Robinson
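The following is an added example, not part of any message in this thread. It shows why the control connection on port 21 can succeed while the directory listing fails: the data port is announced inside the control channel (the `PORT` command in active mode, the `227` reply in passive mode), which is the same field an FTP connection-tracking helper has to read. The function names, the sample reply and the port ranges are constructed for illustration.

```python
import re

# RFC 959 host-port field used by both the PORT command and the 227 reply:
# h1,h2,h3,h4,p1,p2 (four address bytes, two port bytes).
_HOSTPORT = re.compile(r"\b(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\b")


def data_endpoint(control_line):
    """Return (mode, ip, port) for a PORT command or a 227 reply, else None."""
    line = control_line.strip()
    if line.upper().startswith("PORT "):
        mode = "active"    # server will connect out to this client port
    elif line.startswith("227"):
        mode = "passive"   # client will connect in to this server port
    else:
        return None
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte value above 255 in %r" % line)
    ip = ".".join(str(f) for f in fields[:4])
    return mode, ip, fields[4] * 256 + fields[5]


def passive_port_allowed(reply, open_ranges):
    """True if the data port announced in a 227 reply is in an opened range."""
    endpoint = data_endpoint(reply)
    if endpoint is None or endpoint[0] != "passive":
        raise ValueError("not a 227 reply: %r" % reply)
    port = endpoint[2]
    return any(lo <= port <= hi for lo, hi in open_ranges)


# Constructed sample values, not taken from the thread.
SAMPLE_227 = "227 Entering Passive Mode (192,168,1,10,195,80)"  # 195*256+80 = 50000
ONLY_FTP = [(20, 21)]                          # only ftp-data and ftp opened
WITH_PASV_RANGE = [(20, 21), (50000, 50100)]   # plus an assumed pasv_min/max range

if __name__ == "__main__":
    print(data_endpoint(SAMPLE_227))
    print(passive_port_allowed(SAMPLE_227, ONLY_FTP))
    print(passive_port_allowed(SAMPLE_227, WITH_PASV_RANGE))
```

With only ports 20 and 21 opened, the announced passive port is rejected; it is accepted once the server is pinned to a range that the firewall also opens.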
On Tuesday 14 March 2006 02:39, Carlos E. R. wrote:
> The Monday 2006-03-13 at 16:59 +0100, Matthias Titeux wrote:
>> I tried to declare ftp instead of port 20 and 21 in Susefirewall (both TCP and UDP) on both the server and the client (2 SuSE 10.0 oss computers).
>> The problem is still there!
> I have
> FW_SERVICES_INT_TCP="ftp ftp-data"
> or
> FW_TRUSTED_NETS="192.168.1.11,tcp,ftp 192.168.1.11,tcp,ftp-data"
> (I consider that network external, it is connected to the internet router).
>> What is funny is when I tried from a Mac OS X computer (GO> Connect to server> ftp://my-ip-/my-name/) I was able to list the directory!!! I did not specify sftp, but maybe OS X is using it by default....
> I'd rather think that it is a problem at the client side firewall. Or that the Mac uses the other method (active or passive).
> In active mode the client side "activates" a high port for data, to which the server side connects. The firewall has to be told somehow about that port.
> In passive mode it is the server side who has problems with its firewall.
> For example, in the "vsftpd" server you can allocate some ports for this:
> pasv_max_port
> The maximum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.
> Default: 0 (use any port)
> pasv_min_port
> The minimum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.
> Default: 0 (use any port)
> Other servers have equivalent settings.
> And then, you open that range in the firewall. I thought this was not needed with the conntrack modules, but... dunno, someone told me he forced loading those modules manually.
> One last thing: if you are connecting through internet, I would rather use sftp.
> --
> Cheers, Carlos Robinson
Many thanks Carlos,
As soon as I get time I will try your suggestions. Somehow, in previous SuSE releases, this was transparent. I just had to open port 21 in the firewall....(and the transfer was in Passive mode). Anyway, I learn better how the ftp transfer is working :-)
And thanks for the advice.
Cheers
Matthias
Matthias Titeux wrote:
> On Tuesday 14 March 2006 02:39, Carlos E. R. wrote:
>> The Monday 2006-03-13 at 16:59 +0100, Matthias Titeux wrote:
>>> I tried to declare ftp instead of port 20 and 21 in Susefirewall (both TCP and UDP) on both the server and the client (2 SuSE 10.0 oss computers).
>>> The problem is still there!
>> I have
>> FW_SERVICES_INT_TCP="ftp ftp-data"
>> or
>> FW_TRUSTED_NETS="192.168.1.11,tcp,ftp 192.168.1.11,tcp,ftp-data"
>> (I consider that network external, it is connected to the internet router).
>>> What is funny is when I tried from a Mac OS X computer (GO> Connect to server> ftp://my-ip-/my-name/) I was able to list the directory!!! I did not specify sftp, but maybe OS X is using it by default....
>> I'd rather think that it is a problem at the client side firewall. Or that the Mac uses the other method (active or passive).
>> In active mode the client side "activates" a high port for data, to which the server side connects. The firewall has to be told somehow about that port.
>> In passive mode it is the server side who has problems with its firewall.
>> For example, in the "vsftpd" server you can allocate some ports for this:
>> pasv_max_port
>> The maximum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.
>> Default: 0 (use any port)
>> pasv_min_port
>> The minimum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.
>> Default: 0 (use any port)
>> Other servers have equivalent settings.
>> And then, you open that range in the firewall. I thought this was not needed with the conntrack modules, but... dunno, someone told me he forced loading those modules manually.
>> One last thing: if you are connecting through internet, I would rather use sftp.
>> --
>> Cheers, Carlos Robinson
> Many thanks Carlos,
> As soon as I get time I will try your suggestions. Somehow, in previous SuSE releases, this was transparent. I just had to open port 21 in the firewall....(and the transfer was in Passive mode). Anyway, I learn better how the ftp transfer is working :-)
> And thanks for the advice.
> Cheers
> Matthias
I realize this is an old thread but I was wondering what was the resolution. I have the exact same problem.
Thanks,
LDB
participants (5)
- Carlos E. R.
- Colin Fraser
- LDB
- Matthias Titeux
- Silviu Marin-Caea