Re: [CentOS] FirewallD and FTP passive mode

2016-05-06 Thread Steve Clark

On 05/05/2016 09:15 AM, Marcin Trendota wrote:

Howdy

I'm trying to run an FTP server behind a firewall, and I can't enable passive
mode from the Internet. There are plenty of howtos, but there aren't many
with my combination.

For now I have configured port forwarding and the FTP server itself.

On the router:
# firewall-cmd --list-all --zone=external
external (active)
   interfaces: enp3s1
   sources:
   services: openvpn ssh
   ports: 1194/tcp 2666/tcp 88/tcp
   masquerade: yes
   forward-ports: port=21:proto=tcp:toport=:toaddr=10.0.32.7
 port=10090-10100:proto=tcp:toport=:toaddr=10.0.32.7
 port=88:proto=tcp:toport=80:toaddr=10.0.32.23
   icmp-blocks:
   rich rules:

I also did:
# modprobe ip_conntrack_ftp ports=10090,10100


excerpt from vsftpd.conf on the FTP server:
pasv_enable=Yes
pasv_min_port=10090
pasv_max_port=10100
pasv_addr_resolve=Yes

Do you have pasv_addr set to the hostname of the server?

pasv_address
  Use this option to override the IP address that vsftpd will advertise in
  response to the PASV command. Provide a numeric IP address, unless
  pasv_addr_resolve is enabled, in which case you can provide a hostname
  which will be DNS resolved for you at startup.

  Default: (none - the address is taken from the incoming connected socket)


From the LAN or through VPN it works. But on the public address I can only
log in; I cannot switch into passive mode:

Connected to ftp1.domain.com (xxx.xxx.xxx.xxx).
220 (vsFTPd 2.2.2)
Name (ftp1.domain.com:root): user
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,0,32,7,39,111).
ftp: connect: Connection timed out

Also this IP looks weird - shouldn't it be the public IP?

What am I doing wrong?
TIA.




--
Stephen Clark
*NetWolves Managed Services, LLC.*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] FirewallD and FTP passive mode

2016-05-05 Thread James Hogarth
On 5 May 2016 4:54 p.m., "Gordon Messmer" wrote:
>
> On 05/05/2016 06:15 AM, Marcin Trendota wrote:
>>
>> Also this IP looks weird - shouldn't it be the public IP?
>
> Yes, it should.  Are you using FTPS (FTP with TLS)?
>
> You probably need to set the pasv_address option.
>

Although of course FTPS (FTP over SSL) breaks the snooping required for the
related conntracking, which makes firewall configuration hell.

Do yourself a favour and drop FTP, switching over to SFTP instead, as that's
far easier to secure and you only have to care about the single TCP port
for firewalls.


Re: [CentOS] FirewallD and FTP passive mode

2016-05-05 Thread Gordon Messmer

On 05/05/2016 06:15 AM, Marcin Trendota wrote:

Also this IP looks weird - shouldn't it be the public IP?

Yes, it should.  Are you using FTPS (FTP with TLS)?

You probably need to set the pasv_address option.



[CentOS] FirewallD and FTP passive mode

2016-05-05 Thread Marcin Trendota
Howdy

I'm trying to run an FTP server behind a firewall, and I can't enable passive
mode from the Internet. There are plenty of howtos, but there aren't many
with my combination.

For now I have configured port forwarding and the FTP server itself.

On the router:
# firewall-cmd --list-all --zone=external
external (active)
  interfaces: enp3s1
  sources:
  services: openvpn ssh
  ports: 1194/tcp 2666/tcp 88/tcp
  masquerade: yes
  forward-ports: port=21:proto=tcp:toport=:toaddr=10.0.32.7
port=10090-10100:proto=tcp:toport=:toaddr=10.0.32.7
port=88:proto=tcp:toport=80:toaddr=10.0.32.23
  icmp-blocks:
  rich rules:

I also did:
# modprobe ip_conntrack_ftp ports=10090,10100


excerpt from vsftpd.conf on the FTP server:
pasv_enable=Yes
pasv_min_port=10090
pasv_max_port=10100
pasv_addr_resolve=Yes

From the LAN or through VPN it works. But on the public address I can only
log in; I cannot switch into passive mode:

Connected to ftp1.domain.com (xxx.xxx.xxx.xxx).
220 (vsFTPd 2.2.2)
Name (ftp1.domain.com:root): user
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (10,0,32,7,39,111).
ftp: connect: Connection timed out

Also this IP looks weird - shouldn't it be the public IP?

What am I doing wrong?
TIA.

-- 
Over And Out
MoonWolf
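The "227 Entering Passive Mode (10,0,32,7,39,111)." reply in the session above is the whole diagnosis: the server is advertising its LAN address, so a client on the Internet tries to open the data connection to 10.0.32.7 and times out. The script below is an added example, not code from the thread or from the vsftpd or firewalld projects. It parses a 227 reply into an address and port and checks that the address is public (and matches the router's public address) and that the port falls inside the forwarded range, which is exactly what pasv_address (Steve's reply) and the forward-ports rule together have to guarantee. The public address 203.0.113.10 is a constructed placeholder from the RFC 5737 documentation range; the port range 10090-10100 comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the endpoint a vsftpd server
# advertises in its "227 Entering Passive Mode" reply against the public address
# and the passive port range that the firewall forwards.

PUBLIC_IP="203.0.113.10"   # constructed placeholder for the router's public address
PASV_MIN=10090             # pasv_min_port from the thread
PASV_MAX=10100             # pasv_max_port from the thread

# pasv_parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." prints "h1.h2.h3.h4 port"
# (the port is p1*256+p2, as RFC 959 defines it); returns 1 if the reply is malformed.
pasv_parse() {
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || return 1
    set -- $(printf '%s\n' "$nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# is_private_ip a.b.c.d returns 0 when the address lies in an RFC 1918 block.
is_private_ip() {
    case "$1" in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# check_pasv <227 line> prints a verdict and returns 0 only when a client on the
# Internet could actually reach the advertised endpoint through the forward rule.
check_pasv() {
    parsed=$(pasv_parse "$1") || { echo "unparseable PASV reply: $1"; return 2; }
    ip=${parsed% *}
    port=${parsed#* }
    rc=0
    if is_private_ip "$ip"; then
        echo "advertised $ip is a private address: set pasv_address to $PUBLIC_IP"
        rc=1
    elif [ "$ip" != "$PUBLIC_IP" ]; then
        echo "advertised $ip does not match the public address $PUBLIC_IP"
        rc=1
    fi
    if [ "$port" -lt "$PASV_MIN" ] || [ "$port" -gt "$PASV_MAX" ]; then
        echo "advertised port $port is outside the forwarded range $PASV_MIN-$PASV_MAX"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: $ip:$port is reachable through the forward rule"
    return "$rc"
}

# Constructed samples: the reply seen in the thread, and the reply a correctly
# configured pasv_address would produce for the same data port (39*256+111 = 10095).
for reply in "227 Entering Passive Mode (10,0,32,7,39,111)." \
             "227 Entering Passive Mode (203,0,113,10,39,111)."; do
    echo "checking: $reply"
    if check_pasv "$reply"; then echo "  -> pass"; else echo "  -> fail"; fi
done
```

Running it flags the first reply (private 10.0.32.7) and passes the second (public address, port 10095 inside 10090-10100). Two caveats worth keeping in mind while fixing the configuration: the ports= parameter of the FTP conntrack helper lists the control-channel ports the helper inspects (21 by default), not the passive data range, and once the control channel is wrapped in TLS the helper can no longer read the 227 reply at all, which is the point Gordon and James make above.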