Re: [CentOS] FirewallD and FTP passive mode
On 05/05/2016 09:15 AM, Marcin Trendota wrote:
> Howdy
>
> I'm trying to run FTP server behind firewall. And I can't enable passive
> mode from the Internet. There are plenty howtos but there aren't many with
> my combination.
>
> For now I have configured port forwarding and ftp server itself.
>
> On the router:
>
>   # firewall-cmd --list-all --zone=external
>   external (active)
>     interfaces: enp3s1
>     sources:
>     services: openvpn ssh
>     ports: 1194/tcp 2666/tcp 88/tcp
>     masquerade: yes
>     forward-ports: port=21:proto=tcp:toport=:toaddr=10.0.32.7
>                    port=10090-10100:proto=tcp:toport=:toaddr=10.0.32.7
>                    port=88:proto=tcp:toport=80:toaddr=10.0.32.23
>     icmp-blocks:
>     rich rules:
>
> I also did:
>
>   # modprobe ip_conntrack_ftp ports=10090,10100
>
> Excerpt from vsftpd.conf on the FTP server:
>
>   pasv_enable=Yes
>   pasv_min_port=10090
>   pasv_max_port=10100
>   pasv_addr_resolve=Yes

Do you have pasv_addr set to the hostname of the server?

  pasv_address
    Use this option to override the IP address that vsftpd will advertise in
    response to the PASV command. Provide a numeric IP address, unless
    pasv_addr_resolve is enabled, in which case you can provide a hostname
    which will be DNS resolved for you at startup.
    Default: (none - the address is taken from the incoming connected socket)

> From LAN or through VPN it works. But on the public address I can only log
> in, cannot turn into passive mode:
>
>   Connected to ftp1.domain.com (xxx.xxx.xxx.xxx).
>   220 (vsFTPd 2.2.2)
>   Name (ftp1.domain.com:root): user
>   331 Please specify the password.
>   Password:
>   230 Login successful.
>   Remote system type is UNIX.
>   Using binary mode to transfer files.
>   ftp> ls
>   227 Entering Passive Mode (10,0,32,7,39,111).
>   ftp: connect: Connection timed out
>
> Also this IP looks weird - shouldn't it be public IP?
>
> What am I doing wrong?
>
> TIA.

-- 
Stephen Clark
NetWolves Managed Services, LLC.
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
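A small diagnostic for the two things this reply points at (what address the 227 reply advertises, and whether the advertised port is really forwarded to the server), added here as an example and not code from the thread, vsftpd or firewalld. The sample inputs are the forward-ports entries and the 227 line quoted above, marked as constructed; the entry format assumed is exactly what firewall-cmd printed there (IPv4 only, since fields are ':'-separated).

```python
import ipaddress
import re

# Constructed sample input, taken from the thread: the router's firewalld
# forward-ports entries and the 227 reply the remote client received.
FORWARD_PORTS = [
    "port=21:proto=tcp:toport=:toaddr=10.0.32.7",
    "port=10090-10100:proto=tcp:toport=:toaddr=10.0.32.7",
    "port=88:proto=tcp:toport=80:toaddr=10.0.32.23",
]
PASV_REPLY = "227 Entering Passive Mode (10,0,32,7,39,111)."

# RFC 1918 ranges: an address in one of these is unreachable from the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (ip, port) advertised by a 227 reply; port = p1*256 + p2."""
    m = _PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def parse_forward(rule):
    """Parse one firewalld forward-ports entry into (lo, hi, proto, toaddr).
    Assumes an IPv4 toaddr, since the entry's fields are separated by ':'."""
    fields = dict(kv.split("=", 1) for kv in rule.split(":"))
    lo, _, hi = fields["port"].partition("-")
    return int(lo), int(hi or lo), fields["proto"], fields["toaddr"]

def check_pasv(reply, forward_rules, server_addr):
    """Return (ip, port, problems) for a client outside the NAT; an empty
    problems list means the endpoint is routable and forwarded to the server."""
    ip, port = parse_pasv(reply)
    problems = []
    if any(ipaddress.ip_address(ip) in net for net in RFC1918):
        problems.append("advertised %s is RFC 1918: set pasv_address to "
                        "the public IP (or a name with pasv_addr_resolve)" % ip)
    forwarded = any(lo <= port <= hi and proto == "tcp" and to == server_addr
                    for lo, hi, proto, to in map(parse_forward, forward_rules))
    if not forwarded:
        problems.append("port %d is not forwarded to %s" % (port, server_addr))
    return ip, port, problems
```

On the quoted reply this reports only the RFC 1918 problem, since 39*256+111 = 10095 does fall inside the forwarded 10090-10100 range. Note that nf_conntrack_ftp's ports= parameter names control-connection ports (default 21), not the passive data range; once pasv_address advertises the public IP and the range is forwarded, the data connection matches the forward rule without the helper.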
Re: [CentOS] FirewallD and FTP passive mode
On 5 May 2016 4:54 p.m., "Gordon Messmer" wrote:
>
> On 05/05/2016 06:15 AM, Marcin Trendota wrote:
>>
>> Also this IP looks weird - shouldn't it be public IP?
>
> Yes, it should. Are you using FTPS (FTP with TLS)?
>
> You probably need to set the pasv_address option.

Although of course FTPS (FTP over SSL) breaks the snooping required for the
related conntracking which makes firewall configuration hell. Do yourself a
favour and drop FTP, switching over to SFTP instead as that's far easier to
secure and you only have to care about the single TCP port for firewalls.
Re: [CentOS] FirewallD and FTP passive mode
On 05/05/2016 06:15 AM, Marcin Trendota wrote:
> Also this IP looks weird - shouldn't it be public IP?

Yes, it should. Are you using FTPS (FTP with TLS)?

You probably need to set the pasv_address option.
[CentOS] FirewallD and FTP passive mode
Howdy

I'm trying to run FTP server behind firewall. And I can't enable passive
mode from the Internet. There are plenty howtos but there aren't many with
my combination.

For now I have configured port forwarding and ftp server itself.

On the router:

  # firewall-cmd --list-all --zone=external
  external (active)
    interfaces: enp3s1
    sources:
    services: openvpn ssh
    ports: 1194/tcp 2666/tcp 88/tcp
    masquerade: yes
    forward-ports: port=21:proto=tcp:toport=:toaddr=10.0.32.7
                   port=10090-10100:proto=tcp:toport=:toaddr=10.0.32.7
                   port=88:proto=tcp:toport=80:toaddr=10.0.32.23
    icmp-blocks:
    rich rules:

I also did:

  # modprobe ip_conntrack_ftp ports=10090,10100

Excerpt from vsftpd.conf on the FTP server:

  pasv_enable=Yes
  pasv_min_port=10090
  pasv_max_port=10100
  pasv_addr_resolve=Yes

From LAN or through VPN it works. But on the public address I can only log
in, cannot turn into passive mode:

  Connected to ftp1.domain.com (xxx.xxx.xxx.xxx).
  220 (vsFTPd 2.2.2)
  Name (ftp1.domain.com:root): user
  331 Please specify the password.
  Password:
  230 Login successful.
  Remote system type is UNIX.
  Using binary mode to transfer files.
  ftp> ls
  227 Entering Passive Mode (10,0,32,7,39,111).
  ftp: connect: Connection timed out

Also this IP looks weird - shouldn't it be public IP?

What am I doing wrong?

TIA.

-- 
Over And Out
MoonWolf