#1
All --

I have a particular problem that I'm stumped on. I'm on RHEL4. I've set up vsftpd behind my firewall. Connections from outside the firewall work fine. Connections from inside the firewall work fine as well. The problem is that connections from inside the firewall to the external address do not work.

For example, if I am at address 192.168.15.2 and I ftp to the server at its behind-the-firewall address 192.168.15.4, it doesn't work. I connect and log in, but then when I go to access the directory listing or download a file, ftp hangs.

However, if I'm outside the firewall and I ftp to the outside IP address (the firewall is set up correctly with port forwarding), it works fine. I've turned off all firewall functionality on the firewall, and I've deactivated the security firewall on the server as well to eliminate these as problems. Please help!

As near as I can tell, the firewall doing NAT has a problem with the connection.

This problem affects tftp as well.

Chris
Christopher Smith
#2
Christopher Smith wrote:
> All --
>
> I have a particular problem that I'm stumped on. I'm on RHEL4. I've
> set up vsftpd behind my firewall. Connections from outside the firewall
> work fine. Connections from inside the firewall work fine as well. The
> problem is that connections inside the firewall to the external address
> do not work.
>
> For example, if I am at address 192.168.15.2 and if I ftp to the server
> at its behind-the-firewall address 192.168.15.4 it doesn't work. I
> connect, log in, but then when I go to access the directory listing or
> download a file, ftp hangs.
>
> However, if I'm outside the firewall, and I ftp to the outside IP
> address (the firewall is set up correctly with port forwarding) it works
> fine. I've turned off all firewall functionality on the firewall, and
> I've deactivated the security firewall on the server as well to
> eliminate these as problems. Please help!
>
> As near as I can tell, the firewall doing NAT has a problem with the
> connection.
>
> This problem affects tftp as well.
>
> Chris

Probably some combination of not allowing RELATED connections (in /etc/sysconfig/iptables) and not loading ip_conntrack_ftp and/or ip_nat_ftp (in /etc/sysconfig/iptables-config).
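What that advice looks like in the two RHEL4 files Allen names, as an added illustration that is not part of the thread. The chain name RH-Firewall-1-INPUT is an assumption (it is the chain the RHEL4 system-config-securitylevel tool writes); substitute whatever the local ruleset uses. The "before" rule is the one that breaks passive FTP even though port 21 is open.

```text
# /etc/sysconfig/iptables-config (sourced by the iptables init script)
# Without the FTP helper loaded, the kernel cannot tie the PASV data
# connection to the control session, so it is never classified as RELATED.
IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"

# /etc/sysconfig/iptables (iptables-save format), input chain
# Before: only the control port is accepted; the data connection on a
# pasv_min_port..pasv_max_port port arrives as NEW and is dropped.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT

# After: accept anything conntrack has already associated with an accepted
# session, which (with ip_conntrack_ftp loaded) includes the PASV data port.
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
```

Order matters in the "after" ruleset: the ESTABLISHED,RELATED rule has to come before any REJECT or DROP rule at the end of the chain. On a NAT box the same two modules are what rewrite the private address inside the 227 reply, so ip_nat_ftp belongs on the router doing the port forwarding, not only on the server.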
#3
Allen Kistler <(E-Mail Removed)> wrote in news:EWkPg.2374$vJ2.2326@newssvr12.news.prodigy.com:

> Christopher Smith wrote:
> Probably some combination of not allowing RELATED connections (in
> /etc/sysconfig/iptables) and not loading ip_conntrack_ftp and/or
> ip_nat_ftp (in /etc/sysconfig/iptables-config).

I don't think so. First, I turned iptables off and opened up the system fully. I don't have a problem with access from outside the firewall.

Second, I don't have a problem if I connect behind the firewall with the private IP address of the server. For example, if my PC is 192.168.15.2, I can ftp to 192.168.15.4 with no hang when trying to initiate a PASV connection. However, if I ftp to the public IP address, the connection hangs upon initiating PASV every time.

The problem seems to be in the firewall/router configuration, or in some way vsftpd is supposed to interact with the firewall, because it only appears when I am behind the firewall but attempting to connect to the "public-ip" address on the firewall which is port-mapped to connect to the server. I've used Ethereal. Once the FTP client requests PASV, literally no packet comes back.

Chris
#4
On Mon, 18 Sep 2006 00:32:21 +0000, Christopher Smith rearranged some electrons to form:

> Allen Kistler <(E-Mail Removed)> wrote in news:EWkPg.2374$vJ2.2326
> @newssvr12.news.prodigy.com:
>
>> Christopher Smith wrote:
>
>> Probably some combination of not allowing RELATED connections (in
>> /etc/sysconfig/iptables) and not loading ip_conntrack_ftp and/or
>> ip_nat_ftp (in /etc/sysconfig/iptables-config).
>
> I don't think so. First, I turned iptables off and opened up the system
> fully. I don't have a problem with access from outside the firewall.
>
> Second, I don't have a problem if I connect behind the firewall with the
> private IP address of the server. For example, if my PC is 192.168.15.2, I can
> ftp to 192.168.15.4 with no hang when trying to initiate a PASV connection.
> However, if I ftp to the public IP address, the connection hangs upon
> initiating PASV every time.
>
> The problem seems to be in the firewall/router configuration or in some way
> vsftpd is supposed to interact with the firewall, because it only appears
> when I am behind the firewall, but attempting to connect to the "public-
> ip" address on the firewall which is port-mapped to connect to the server.
> I've used Ethereal. Once the FTP client requests PASV, literally no packet
> comes back.
>
> Chris

Make sure you have the passive mode ports enabled in your firewall. I did it by limiting the port numbers to between 40000 and 40050, and allowing those ports to be used on my router.

In /etc/vsftpd/vsftpd.conf:

pasv_min_port=40000 (or whatever you like)
pasv_max_port=40050 (or whatever you like)

and then open those ports up in your firewall/router.

--
David M (dmacchiarolo)
http://home.triad.rr.com/redsled
T/S 53 sled351
Linux 2.4.18-14 has been up 18 days 2:49
#5
David M <(E-Mail Removed)> wrote in news:06mPg.11975$(E-Mail Removed):

> On Mon, 18 Sep 2006 00:32:21 +0000, Christopher Smith rearranged some
> electrons to form:
>
>> Allen Kistler <(E-Mail Removed)> wrote in news:EWkPg.2374$vJ2.2326
>> @newssvr12.news.prodigy.com:
>>
>>> Christopher Smith wrote:
>>
>>> Probably some combination of not allowing RELATED connections (in
>>> /etc/sysconfig/iptables) and not loading ip_conntrack_ftp and/or
>>> ip_nat_ftp (in /etc/sysconfig/iptables-config).
>>>
>
> Make sure you have the passive mode ports enabled in your firewall.
> I did it by limiting the port numbers to between 40000 and 40050, and
> allowing those ports to be used on my router.
>
> in /etc/vsftpd/vsftpd.conf
>
> pasv_min_port=40000 (or whatever you like)
> pasv_max_port=40050 (or whatever you like)

Did that originally, and have it now. If I log in remotely to the ftp server (i.e., log in from the public side of the firewall), the PASV connection request to the server responds correctly. For example, I told vsftpd to use ports 1200-1203 for testing purposes. If I'm at work and I log in, the ftp connection goes passive with the response from the FTP server as follows:

"Entering passive mode (X,X,X,X,4,177)."

where 4*256 + 177 = 1201, or the first passive port. The firewall is open and it connects through just fine.

Anything else I can try?
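The port arithmetic above in code, together with the step-by-step probe a practitioner would run from the 192.168.15.2 side against the public address to see exactly where the exchange stalls. This is an added example, not code from the thread, from vsftpd or from any of the posters; it uses only Python's standard library, and the target address, credentials and 5-second timeout are placeholders.

```python
"""Parse FTP 227 (PASV) replies and report the stage at which a passive
transfer stalls.  Added example, not from the thread; Python 3 stdlib only."""
import ftplib
import re
import socket
from typing import Dict, Tuple

# RFC 959: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".  Servers vary in
# the wording, so match only the reply code and the six numbers in parentheses.
PASV_RE = re.compile(
    r"^227\b.*?\(\s*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*\)"
)


def parse_pasv_reply(reply: str) -> Tuple[str, int]:
    """Return (host, port) from a 227 reply; port = p1 * 256 + p2.

    The thread's "(X,X,X,X,4,177)" therefore means port 4 * 256 + 177 = 1201.
    Raises ValueError for anything that is not a well-formed 227 reply.
    """
    m = PASV_RE.search(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"field out of range in PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pasv_address_mismatch(advertised_host: str, control_peer: str) -> bool:
    """True when the 227 reply names a different host than the control peer.

    A server behind NAT with no FTP helper on the router and no pasv_address
    in vsftpd.conf advertises its private address to outside clients; a client
    that connects to it blindly fails.  Most current clients detect this and
    fall back to the control-connection peer instead.
    """
    return advertised_host != control_peer


def probe_passive(host: str, port: int = 21, user: str = "anonymous",
                  password: str = "guest@example",
                  timeout: float = 5.0) -> Dict[str, object]:
    """Log in, send PASV and open the data connection, each with a timeout.

    The returned dict's "stage" says how far the exchange got, so a 227 that
    never arrives (the thread's symptom) shows up as stage == "pasv" plus a
    timeout error instead of an ftp client that sits there forever.
    """
    result: Dict[str, object] = {"stage": "connect"}
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        result["banner"] = ftp.getwelcome()
        result["stage"] = "login"
        ftp.login(user, password)
        control_peer = ftp.sock.getpeername()[0]
        result["stage"] = "pasv"
        reply = ftp.sendcmd("PASV")      # times out here if no 227 comes back
        adv_host, adv_port = parse_pasv_reply(reply)
        result["advertised"] = (adv_host, adv_port)
        result["control_peer"] = control_peer
        result["address_mismatch"] = pasv_address_mismatch(adv_host, control_peer)
        result["stage"] = "data-connect"
        with socket.create_connection((adv_host, adv_port), timeout=timeout):
            pass                         # SYN/ACK came back: the PASV port is reachable
        result["stage"] = "ok"
    except (OSError, ftplib.Error, ValueError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    finally:
        ftp.close()
    return result


if __name__ == "__main__":
    import json
    import sys
    # Placeholder target (RFC 5737 documentation address); run as
    #   python pasv_probe.py PUBLIC.IP.ADDRESS USER PASSWORD
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    user, password = (sys.argv[2], sys.argv[3]) if len(sys.argv) >= 4 else ("anonymous", "guest@example")
    print(json.dumps(probe_passive(target, user=user, password=password), default=str, indent=2))
```

Run from outside the firewall it should reach stage "ok" with address_mismatch False, the situation the post above describes. Run from inside the LAN against the public address, the symptom reported in this thread would appear as stage "pasv" with a timeout error; a server that answers but advertises its private 192.168.x.x address would instead stop at "data-connect" with address_mismatch True, which is the case the iptables FTP helper or vsftpd's pasv_address setting exists to fix.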
#6
David M <(E-Mail Removed)> wrote in news:06mPg.11975$Qg.2582@southeast.rr.com:

> On 17 Sep 2006, you wrote in comp.os.linux.networking:
> On Mon, 18 Sep 2006 00:32:21 +0000, Christopher Smith rearranged some
> electrons to form:
>
>> Allen Kistler <(E-Mail Removed)> wrote in news:EWkPg.2374$vJ2.2326
>> @newssvr12.news.prodigy.com:
>>
>>> Christopher Smith wrote:
>>
> Make sure you have the passive mode ports enabled in your firewall.
> I did it by limiting the port numbers to between 40000 and 40050, and
> allowing those ports to be used on my router.
>
> in /etc/vsftpd/vsftpd.conf
>
> pasv_min_port=40000 (or whatever you like)
> pasv_max_port=40050 (or whatever you like)
>
> and then open those ports up in your firewall/router.

I did have that set up correctly, and double-checked it. Anything else I can try? I used ports 1200-1203...

If it helps, I get the following on the ftp server if I ftp to the fully qualified/public IP address from the ftp server:

------
[active 6] ~ > ftp -d PUBLIC.IP.ADDRESS
Connected to PUBLIC.IP.ADDRESS.
220 (vsFTPd 2.0.1)
---> AUTH GSSAPI
530 Please login with USER and PASS.
---> AUTH KERBEROS_V4
530 Please login with USER and PASS.
KERBEROS_V4 rejected as an authentication type
Name (PUBLIC.IP.ADDRESS:NAME): NAME
---> USER XXXX
331 Please specify the password.
Password:
---> PASS XXXX
230 Login successful.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
ftp: setsockopt (ignored): Permission denied
---> PASV
ftp: setsockopt (ignored): Permission denied
----

From outside the firewall I get:

H:\>ftp -d PUBLIC.IP.ADDRESS
Connected to PUBLIC.IP.ADDRESS.
220 (vsFTPd 2.0.1)
User (PUBLIC.IP.ADDRESS none)): NAME
---> USER XXXX
331 Please specify the password.
Password:
---> PASS XXXXX
230 Login successful.
ftp> quote PASV
---> pASV
227 Entering Passive Mode (X,X,X,X,4,177)
ftp>