The basic packet filtering firewall in RH8 blocks (hangs) ftp file transfers when they go into "passive" mode (the default mode for RH8 ftp client) because ftp tries to allocate additional port(s) for data transfer beyond the port(s) used for command and control (20 and/or 21) and those ports are apparently blocked.
I can turn off the firewall (set to "no firewall") using redhat-config-securitylevel and am able to transfer files just fine then, but it's just a temporary solution that points the finger at the firewall itself.
I found the following in the RH archives, but the author hadn't yet reached a solution and I don't fully understand what he was doing or exactly why. Comments and help would be much appreciated.
http://www.redhat.com/archives/redhat-install-list/2003-March/msg01502.html
There is also a good background chapter at:
http://books.mcgraw-hill.com/betabooks/dec02/turner/chap12.html
that introduces the nature of the problem.
I think the most likely solution will involve new iptables rules that allow ftp-"RELATED" packets to get through, plus the ip_conntrack_ftp module (and others?) that will allow the kernel to know what ftp-RELATED means.
I also found some archive info where people were struggling with the same problem and making changes to xinetd.d/vsftp config file to define the port as 3000:
http://www.resumedatabase.org/rhn/redhat-install-list/2003-March/1776.html
That doesn't make any sense to me because I read somewhere else that ftp tries to set up data transfer connections on ports ranging from 10000-20000. So this one just confused me.
Thanks to all who may be able to shed some light on this for me!
-Marc
KEYWORDS: iptables ftp vsftp vsftpd passive mode 20 21 redhat 8.0 RH8 packet filtering firewall high ip_conntrack_ftp hang transfer block xinetd
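Added example, not part of Marc's post or of the Red Hat firewall tool: a small POSIX shell script that prints the stateful iptables rules the post is reaching for. It loads the ip_conntrack_ftp helper (which watches the PORT/PASV exchange on the control channel and marks the resulting data connection as RELATED) and then accepts ESTABLISHED,RELATED traffic, so the data port the server picks in passive mode no longer needs to be opened by hand. The interface name (eth0) and control port (21) are assumed defaults; the script prints the commands rather than running them so they can be reviewed, then piped into sh as root.

```shell
#!/bin/sh
# Print iptables rules that let FTP (active and passive) through a stateful
# packet filter on a 2.4-era kernel such as RH8. The ip_conntrack_ftp helper
# inspects the control channel and tags the negotiated data connection as
# RELATED, so one state rule covers whatever port the server chooses.
# Assumptions: interface eth0, control port 21 (both overridable by arguments).

ftp_rules() {
    iface=${1:-eth0}   # assumed interface name
    ctl=${2:-21}       # FTP control port
    cat <<EOF
# Load the FTP connection-tracking helper (needed for RELATED to mean anything)
modprobe ip_conntrack_ftp
# Replies and helper-tracked data connections (PASV and PORT) coming back in
iptables -A INPUT -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
# Outbound control connection to an FTP server
iptables -A OUTPUT -o $iface -p tcp --dport $ctl -m state --state NEW -j ACCEPT
# Outbound data connections the helper has already tied to a control session
iptables -A OUTPUT -o $iface -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Return 0 if the helper module is currently loaded (checks /proc/modules;
# safe to call unprivileged).
conntrack_helper_loaded() {
    [ -r /proc/modules ] && grep -q '^ip_conntrack_ftp' /proc/modules
}

# Review the rules first, then apply with:  ftp_rules eth0 21 | sh
ftp_rules "$@"
```

Because the helper only tags data connections it saw negotiated on the control channel, a rule that accepts RELATED is far narrower than opening the 10000-20000 range mentioned in the thread: nothing can reach a high port unless a tracked FTP session asked for it.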
_______________________________________________ EuG-LUG mailing list [EMAIL PROTECTED] http://mailman.efn.org/cgi-bin/listinfo/eug-lug
