Re: Issue with ftp making connection but not list?
-p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5900:5979 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Thu Sep 8 15:38:32 2016

On 7 Sep 2016 at 21:22, Mike Wright wrote:

Subject: Re: Issue with ftp making connection but not list?
To: Community support for Fedora users <users@lists.fedoraproject.org>
From: Mike Wright <nob...@nospam.hostisimo.com>
Date sent: Wed, 7 Sep 2016 21:22:54 -0700
Send reply to: Community support for Fedora users <users@lists.fedoraproject.org>

> On 09/07/2016 08:26 PM, Michael D. Setzer II wrote:
> > On 7 Sep 2016 at 18:38, Mike Wright wrote:
>
> >>>>>>> Did just notice if I do the traceroute with -I option it doesn't
> >>>>>>> give the !X? Will have to look into the difference between with -I
> >>>>>>> and without??
>
> traceroute -I says use ping to follow the connections.
>
> >>>>>>> Again, it was working 2 days ago, so I am thinking that a recent
> >>>>>>> update has done something??
>
> You might try comparing the output of d7t iptables-save and d7r
> iptables-save. I have a hunch that's where the problem is.
>
> >>>>>>> Not sure why the !X is occurring. These machines are on the same
> >>>>>>> 192.168.7.x network?
>
> The last rule on the INPUT chain is this:
>
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>
> If a packet makes it that far without having been handled by one of the
> other chains you WILL receive an icmp-host-prohibited notification.
>
> >>>>>>> Thanks.
>
> Happy to have helped.

+--+
Michael D. Setzer II - Computer Science Instructor
Guam Community College Computer Center
mailto:mi...@kuentos.guam.net
mailto:msetze...@gmail.com
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/
+--+
http://setiathome.berkeley.edu (Original)
Number of Seti Units Returned: 19,471
Processing time: 32 years, 290 days, 12 hours, 58 minutes
(Total Hours: 287,489)

BOINC@HOME CREDITS
ABC 16613838.513356 | EINSTEIN 111619174.788695
ROSETTA 48018352.619787 | SETI 91341742.472919
Re: Issue with ftp making connection but not list?
Seemed to have it working by setting up the ports 20 and 21 in the firewall for both tcp and udp, so copied the settings from machine r to real server. Then it didn't work?? Did an nmapfe to the machine, and if either firewalld and/or iptables is running the port 20 shows up as closed. Even though the iptables is listing it and it is in the zones/public.xml file. So, don't know what is making the port 20 appear as closed?? Machines should all be identical, but will have to check to see if something is off somewhere?

On 7 Sep 2016 at 21:22, Mike Wright wrote:

Subject: Re: Issue with ftp making connection but not list?
To: Community support for Fedora users <users@lists.fedoraproject.org>
From: Mike Wright <nob...@nospam.hostisimo.com>
Date sent: Wed, 7 Sep 2016 21:22:54 -0700
Send reply to: Community support for Fedora users <users@lists.fedoraproject.org>

> On 09/07/2016 08:26 PM, Michael D. Setzer II wrote:
> > On 7 Sep 2016 at 18:38, Mike Wright wrote:
>
> >>>>>>> Did just notice if I do the traceroute with -I option it doesn't
> >>>>>>> give the !X? Will have to look into the difference between with -I
> >>>>>>> and without??
>
> traceroute -I says use ping to follow the connections.
>
> >>>>>>> Again, it was working 2 days ago, so I am thinking that a recent
> >>>>>>> update has done something??
>
> You might try comparing the output of d7t iptables-save and d7r
> iptables-save. I have a hunch that's where the problem is.
>
> >>>>>>> Not sure why the !X is occurring. These machines are on the same
> >>>>>>> 192.168.7.x network?
>
> The last rule on the INPUT chain is this:
>
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>
> If a packet makes it that far without having been handled by one of the
> other chains you WILL receive an icmp-host-prohibited notification.
>
> >>>>>>> Thanks.
>
> Happy to have helped.

+--+
Michael D. Setzer II - Computer Science Instructor
Guam Community College Computer Center
mailto:mi...@kuentos.guam.net
mailto:msetze...@gmail.com
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/
+--+
http://setiathome.berkeley.edu (Original)
Number of Seti Units Returned: 19,471
Processing time: 32 years, 290 days, 12 hours, 58 minutes
(Total Hours: 287,489)

BOINC@HOME CREDITS
ABC 16613838.513356 | EINSTEIN 111619174.788695
ROSETTA 48018352.619787 | SETI 91341742.472919
Re: Issue with ftp making connection but not list?
On 09/07/2016 08:26 PM, Michael D. Setzer II wrote:
> On 7 Sep 2016 at 18:38, Mike Wright wrote:

>>>>>>> Did just notice if I do the traceroute with -I option it doesn't
>>>>>>> give the !X? Will have to look into the difference between with -I
>>>>>>> and without??

traceroute -I says use ping to follow the connections.

>>>>>>> Again, it was working 2 days ago, so I am thinking that a recent
>>>>>>> update has done something??

You might try comparing the output of d7t iptables-save and d7r
iptables-save. I have a hunch that's where the problem is.

>>>>>>> Not sure why the !X is occurring. These machines are on the same
>>>>>>> 192.168.7.x network?

The last rule on the INPUT chain is this:

-A INPUT -j REJECT --reject-with icmp-host-prohibited

If a packet makes it that far without having been handled by one of the
other chains you WILL receive an icmp-host-prohibited notification.

>>>>>>> Thanks.

Happy to have helped.
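
Added example (not part of the original thread, and not firewalld's own code): a first-match walk over a constructed iptables-save ruleset, showing which rule decides an FTP control connection, an FTP data connection and the two kinds of traceroute probe. Only the final REJECT rule and the two IN_public_allow rules are taken from the thread; the chain wiring, the icmp accept rule, the probe ports and the assumption that a connection-tracking helper may mark the data connection RELATED are illustrative.

```python
import shlex

# Constructed sample in iptables-save format, NOT the poster's full ruleset.
# From the thread: the final REJECT rule and both IN_public_allow rules.
# Assumed: all other lines (chain wiring, icmp accept in IN_public).
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:INPUT_ZONES - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i enp2s0 -g IN_public
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5900:5979 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_rule(tokens):
    """Parse the option subset used in SAMPLE; each option takes one value."""
    rule = {"match": {}, "target": None, "goto": False, "extra": ""}
    for opt, val in zip(tokens[0::2], tokens[1::2]):
        if opt in ("-p", "-i", "--dport", "--ctstate"):
            rule["match"][opt] = val
        elif opt in ("-j", "-g"):
            rule["target"], rule["goto"] = val, opt == "-g"
        elif opt == "--reject-with":
            rule["extra"] = val
        elif opt != "-m":  # "-m <module>" only names the match module
            raise ValueError("unsupported option: " + opt)
    return rule

def parse_filter(text):
    """Return (policies, chains) for the *filter table only."""
    policies, chains, in_filter = {}, {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            chains.setdefault(name, [])
        elif in_filter and line.startswith("-A "):
            tokens = shlex.split(line)
            chains.setdefault(tokens[1], []).append(parse_rule(tokens[2:]))
    return policies, chains

def matches(m, pkt):
    """True when every condition present in the rule holds for the packet."""
    lo, _, hi = m.get("--dport", "0:65535").partition(":")
    return (m.get("-p", pkt["proto"]) == pkt["proto"]
            and m.get("-i", pkt["iface"]) == pkt["iface"]
            and pkt["state"] in m.get("--ctstate", pkt["state"]).split(",")
            and int(lo) <= pkt.get("dport", 0) <= int(hi or lo))

def verdict(policies, chains, pkt, base="INPUT"):
    """Walk the chains first-match; return (action, chain that decided)."""
    chain, idx, stack = base, 0, []  # stack holds -j return addresses
    while True:
        rules = chains[chain]
        if idx >= len(rules):        # fell off the end of this chain
            if not stack:
                return policies[base], base
            chain, idx = stack.pop()
            continue
        rule, idx = rules[idx], idx + 1
        if not matches(rule["match"], pkt):
            continue
        target = rule["target"]
        if target in TERMINAL:
            return " ".join(filter(None, [target, rule["extra"]])), chain
        if target == "RETURN":
            idx = len(rules)
            continue
        if not rule["goto"]:         # -g does not push a return address
            stack.append((chain, idx))
        chain, idx = target, 0

def explain(text=SAMPLE):
    """Verdicts for packets arriving at the server; port numbers are assumed."""
    policies, chains = parse_filter(text)
    base = {"iface": "enp2s0", "state": "NEW"}
    packets = {
        "ftp control": dict(base, proto="tcp", dport=21),
        "ftp data, untracked": dict(base, proto="tcp", dport=50123),
        "ftp data, RELATED": dict(base, proto="tcp", dport=50123, state="RELATED"),
        "traceroute udp probe": dict(base, proto="udp", dport=33434),
        "traceroute -I probe": dict(base, proto="icmp"),
    }
    return {name: verdict(policies, chains, p) for name, p in packets.items()}

if __name__ == "__main__":
    print(*explain().items(), sep="\n")
```

With this sample, only port 21 and connections already tracked as RELATED or ESTABLISHED are accepted; a new data connection to any other port and a UDP traceroute probe both reach the final REJECT rule quoted in the thread.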
Re: Issue with ftp making connection but not list?
On 7 Sep 2016 at 18:38, Mike Wright wrote:

Subject: Re: Issue with ftp making connection but not list?
To: Community support for Fedora users <users@lists.fedoraproject.org>
From: Mike Wright <nob...@nospam.hostisimo.com>
Date sent: Wed, 7 Sep 2016 18:38:46 -0700
Send reply to: Community support for Fedora users <users@lists.fedoraproject.org>

> On 09/07/2016 05:26 PM, Michael D. Setzer II wrote:
> > On 7 Sep 2016 at 16:32, Mike Wright wrote:
>
> 1) ftp uses tcp
> 2) ftp uses port 21 in both ACTIVE and PASSIVE modes
> 3) ftp also uses port 20 in ACTIVE mode
>
> I want to make sure I understand what is going on.
>
> d7r is the fedora24 host, correct?
>
> ftp from d7q to d7r (192.168.7.218) does not work, correct?
>
> ftp from d7q to d7t (192.168.7.220) works, is that correct?
>
> If you turn off the firewall on d7r you can successfully ftp from d7q to
> d7r, correct?
>
> What I see is:
>
> --> 1 d7r.guamcc.net (192.168.7.218) 0.199 ms !X 0.154 ms !X 0.141 ms
>
> The above line shows a "prohibited" status when tracerouting to d7r.
>
> --> [msetzerii@d7q ~]$ ncftpls ftp://192.168.7.218
> --> connect failed: No route to host.
>
> The above error could indicate that a desired port is not open or it may
> be because access to that host is "prohibited" in some way.
>
> The iptables-save output from host d7r that you provided shows only port
> 21 tcp open so you MUST use PASSIVE mode when connecting to that machine.
>
> It is possible that you are using ACTIVE mode. If so, the firewall must
> also allow port 20 tcp to accept connections.
>
> >>>>> traceroute to 192.168.7.220 (192.168.7.220), 30 hops max, 60 byte
> >>>>> packets
> >>>>>
> >>>>> 1 d7t.guamcc.net (192.168.7.220) 0.122 ms 0.091 ms 0.080 ms
> >>>>>
> >>>>> traceroute to 192.168.7.218 (192.168.7.218), 30 hops max, 60 byte
> >>>>> packets
> >>>>>
> >>>>> !X
>

Seems that only the Fedora 24 systems are the issue? Can connect to older fedora, ubuntu, and even an old 98 machine running slimftp with no problems. I had tried adding ports 20-21 with both tcp and udp settings in firewall-config, but it didn't work?? Just tried again, but manually do each one separately. Now it does connect, and can list files. Works if I set passive on and off?? Didn't have that before and it worked??

# Generated by iptables-save v1.4.21 on Thu Sep 8 13:06:58 2016
*raw
:PREROUTING ACCEPT [98:16618]
:OUTPUT ACCEPT [103:43829]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Sep 8 13:06:58 2016
# Generated by iptables-save v1.4.21 on Thu Sep 8 13:06:58 2016
*nat
:PREROUTING ACCEPT [23:1316]
:INPUT ACCEPT [5:300]
:OUTPUT ACCEPT [1:60]
:POSTROUTING ACCEPT [1:60]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o enp2s0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i enp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Sep 8 13:06:58 2016
# Generated by iptables-save v1.4.21 on Thu Sep 8 13:06:58 2016
*mangle
:PREROUTING ACCEPT [98:16618]
:INPUT ACCEPT [98:16618]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [103:43829]
:POSTROUTING ACCEPT [103:43829]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
Re: Issue with ftp making connection but not list?
On 09/07/2016 05:26 PM, Michael D. Setzer II wrote:
On 7 Sep 2016 at 16:32, Mike Wright wrote:

1) ftp uses tcp
2) ftp uses port 21 in both ACTIVE and PASSIVE modes
3) ftp also uses port 20 in ACTIVE mode

I want to make sure I understand what is going on.

d7r is the fedora24 host, correct?

ftp from d7q to d7r (192.168.7.218) does not work, correct?

ftp from d7q to d7t (192.168.7.220) works, is that correct?

If you turn off the firewall on d7r you can successfully ftp from d7q to d7r, correct?

What I see is:

--> 1 d7r.guamcc.net (192.168.7.218) 0.199 ms !X 0.154 ms !X 0.141 ms

The above line shows a "prohibited" status when tracerouting to d7r.

--> [msetzerii@d7q ~]$ ncftpls ftp://192.168.7.218
--> connect failed: No route to host.

The above error could indicate that a desired port is not open or it may be because access to that host is "prohibited" in some way.

The iptables-save output from host d7r that you provided shows only port 21 tcp open so you MUST use PASSIVE mode when connecting to that machine.

It is possible that you are using ACTIVE mode. If so, the firewall must also allow port 20 tcp to accept connections.

traceroute to 192.168.7.220 (192.168.7.220), 30 hops max, 60 byte packets
 1 d7t.guamcc.net (192.168.7.220) 0.122 ms 0.091 ms 0.080 ms

traceroute to 192.168.7.218 (192.168.7.218), 30 hops max, 60 byte packets
!X

I don't use firewalld but I do speak iptables so I'll try to help if I can.

All of the "COMMAND_FAILED" errors are from something trying to delete rules from the firewall, rules that apparently don't exist.

As root, on d7t, would you please post the results of iptables-save?

Using machine d7q and d7r. Started the vsftp on d7r, and works if on d7r I disable the firewalld service, but not if it is running?

With the Firewalld stopped on d7r (192.168.7.218)
[msetzerii@d7q ~]$ ncftpls ftp://192.168.7.218
pub/

With the Firewalld started on d7r (192.168.7.218)
[msetzerii@d7q ~]$ ncftpls ftp://192.168.7.218
connect failed: No route to host.
connect failed: No route to host.
connect failed: No route to host.
Falling back to PORT instead of PASV mode.
[msetzerii@d7q ~]$

iptables-save output of d7r

# Generated by iptables-save v1.4.21 on Thu Sep 8 10:12:45 2016
*mangle
:PREROUTING ACCEPT [134:8757]
:INPUT ACCEPT [134:8757]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:16750]
:POSTROUTING ACCEPT [90:16750]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i enp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Sep 8 10:12:45 2016
# Generated by iptables-save v1.4.21 on Thu Sep 8 10:12:45 2016
*raw
:PREROUTING ACCEPT [134:8757]
:OUTPUT ACCEPT [90:16750]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Sep 8 10:12:45 2016
# Generated by iptables-save v1.4.21 on Thu Sep 8 10:12:45 2016
*nat
:PREROUTING ACCEPT [7:384]
:INPUT ACCEPT [2:148]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o enp2s0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i enp2s0 -g PRE_public
-A PREROUTING_ZONES -g
Re: Issue with ftp making connection but not list?
On 7 Sep 2016 at 16:32, Mike Wright wrote:

Subject: Re: Issue with ftp making connection but not list?
To: Community support for Fedora users <users@lists.fedoraproject.org>
From: Mike Wright <nob...@nospam.hostisimo.com>
Date sent: Wed, 7 Sep 2016 16:32:05 -0700
Send reply to: Community support for Fedora users <users@lists.fedoraproject.org>

> On 09/07/2016 03:55 PM, Michael D. Setzer II wrote:
> > On 7 Sep 2016 at 13:50, Fred Smith wrote:
> >
> > Date sent: Wed, 7 Sep 2016 13:50:21 -0400
> > From: Fred Smith <fre...@fcshome.stoneham.ma.us>
> > To: users@lists.fedoraproject.org
> > Subject: Re: Issue with ftp making connection but not list?
> > Send reply to: Community support for Fedora users
> > <users@lists.fedoraproject.org>
> >
> >> On Thu, Sep 08, 2016 at 03:17:32AM +1000, Michael D. Setzer II wrote:
> >>> Everything was working till just the other day? I've done more testing,
> >>> and it has something to do with firewalld and iptables.
> >>>
> >>> I found that if I traceroute to machines not running fedora 24 it
> >>> completes, but with fedora 24 machine I am getting !X
> >>>
> >>> I stopped firewalld and iptables on machine d7t and then I can complete
> >>> a traceroute and ftp to the machine.
> >>
> >> while I'm surely not an expert, I think that at this time I would open
> >> up the firewall applet on the remote systems and make sure that both
> >> ports necessary for ftp are in fact open. According to /etc/services,
> >> that would be ports 20 and 21, for both tcp and udp.
> >>
> >> ftp-data 20/tcp
> >> ftp-data 20/udp
> >> # 21 is registered to ftp, but also used by fsp
> >> ftp 21/tcp
> >> ftp 21/udp fsp fspd
> >>
> >
> > Did check /etc/services and the ports are listed.
> > The firewall-config has the ftp service check, but had also tried adding the
> > ports 20-21 as ports to open. Not sure how that would affect the traceroute
> > anyway, but only currently shutting down firewalld and iptables seems to get
> > the process to work correctly. Specific machines are in my classroom, and
> > are connected to the same switch.
> >
> >>>
> >>> traceroute to 192.168.7.220 (192.168.7.220), 30 hops max, 60 byte
> >>> packets
> >>>
> >>>  1 d7t.guamcc.net (192.168.7.220) 0.122 ms 0.091 ms 0.080 ms
> >>>
> >>> traceroute to 192.168.7.218 (192.168.7.218), 30 hops max, 60 byte
> >>> packets
> >>>
> >>>  1 d7r.guamcc.net (192.168.7.218) 0.199 ms !X 0.154 ms !X 0.141 ms !X
> >>>
> >>> Also have 3 old ubuntu machines, and traceroute to them with no problem
> >>> with the !X.
> >>>
> >>> Did not with the firewalld status I am seeing this.
> >>>
> >>> · firewalld.service - firewalld - dynamic firewall daemon
> >>>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
> >>>    Active: active (running) since Thu 2016-09-08 02:53:53 ChST; 41s ago
> >>>      Docs: man:firewalld(1)
> >>>  Main PID: 11258 (firewalld)
> >>>     Tasks: 3 (limit: 512)
> >>>    CGroup: /system.slice/firewalld.service
> >>>            └─11258 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid
> >>>
> >>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed:
> >>>
> >>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed:
> >>>
> >>> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --
Re: Issue with ftp making connection but not list?
On 09/07/2016 03:55 PM, Michael D. Setzer II wrote:
On 7 Sep 2016 at 13:50, Fred Smith wrote:

Date sent: Wed, 7 Sep 2016 13:50:21 -0400
From: Fred Smith <fre...@fcshome.stoneham.ma.us>
To: users@lists.fedoraproject.org
Subject: Re: Issue with ftp making connection but not list?
Send reply to: Community support for Fedora users <users@lists.fedoraproject.org>

On Thu, Sep 08, 2016 at 03:17:32AM +1000, Michael D. Setzer II wrote:

Everything was working till just the other day? I've done more testing, and it has something to do with firewalld and iptables.

I found that if I traceroute to machines not running fedora 24 it completes, but with fedora 24 machine I am getting !X

I stopped firewalld and iptables on machine d7t and then I can complete a traceroute and ftp to the machine.

while I'm surely not an expert, I think that at this time I would open up the firewall applet on the remote systems and make sure that both ports necessary for ftp are in fact open. According to /etc/services, that would be ports 20 and 21, for both tcp and udp.

ftp-data 20/tcp
ftp-data 20/udp
# 21 is registered to ftp, but also used by fsp
ftp 21/tcp
ftp 21/udp fsp fspd

Did check /etc/services and the ports are listed. The firewall-config has the ftp service check, but had also tried adding the ports 20-21 as ports to open. Not sure how that would affect the traceroute anyway, but only currently shutting down firewalld and iptables seems to get the process to work correctly. Specific machines are in my classroom, and are connected to the same switch.

traceroute to 192.168.7.220 (192.168.7.220), 30 hops max, 60 byte packets
 1 d7t.guamcc.net (192.168.7.220) 0.122 ms 0.091 ms 0.080 ms

traceroute to 192.168.7.218 (192.168.7.218), 30 hops max, 60 byte packets
 1 d7r.guamcc.net (192.168.7.218) 0.199 ms !X 0.154 ms !X 0.141 ms !X

Also have 3 old ubuntu machines, and traceroute to them with no problem with the !X.

Did not with the firewalld status I am seeing this.

· firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2016-09-08 02:53:53 ChST; 41s ago
     Docs: man:firewalld(1)
 Main PID: 11258 (firewalld)
    Tasks: 3 (limit: 512)
   CGroup: /system.slice/firewalld.service
           └─11258 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --out-interface virbr0 --jump REJECT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --in-interface virbr0 --jump REJECT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete OUTPUT --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed:

I don't use firewalld but I do speak iptables so I'll try to help if I can.

All of the "COMMAND_FAILED" errors are from some
Re: Issue with ftp making connection but not list?
On 7 Sep 2016 at 13:50, Fred Smith wrote:

Date sent: Wed, 7 Sep 2016 13:50:21 -0400
From: Fred Smith <fre...@fcshome.stoneham.ma.us>
To: users@lists.fedoraproject.org
Subject: Re: Issue with ftp making connection but not list?
Send reply to: Community support for Fedora users <users@lists.fedoraproject.org>

> On Thu, Sep 08, 2016 at 03:17:32AM +1000, Michael D. Setzer II wrote:
> > Everything was working till just the other day? I've done more testing,
> > and it has something to do with firewalld and iptables.
> >
> > I found that if I traceroute to machines not running fedora 24 it
> > completes, but with fedora 24 machine I am getting !X
> >
> > I stopped firewalld and iptables on machine d7t and then I can complete
> > a traceroute and ftp to the machine.
>
> while I'm surely not an expert, I think that at this time I would open
> up the firewall applet on the remote systems and make sure that both
> ports necessary for ftp are in fact open. According to /etc/services,
> that would be ports 20 and 21, for both tcp and udp.
>
> ftp-data 20/tcp
> ftp-data 20/udp
> # 21 is registered to ftp, but also used by fsp
> ftp 21/tcp
> ftp 21/udp fsp fspd
>

Did check /etc/services and the ports are listed. The firewall-config has the ftp service check, but had also tried adding the ports 20-21 as ports to open. Not sure how that would affect the traceroute anyway, but only currently shutting down firewalld and iptables seems to get the process to work correctly. Specific machines are in my classroom, and are connected to the same switch.

> >
> > traceroute to 192.168.7.220 (192.168.7.220), 30 hops max, 60 byte
> > packets
> >
> >  1 d7t.guamcc.net (192.168.7.220) 0.122 ms 0.091 ms 0.080 ms
> >
> > traceroute to 192.168.7.218 (192.168.7.218), 30 hops max, 60 byte
> > packets
> >
> >  1 d7r.guamcc.net (192.168.7.218) 0.199 ms !X 0.154 ms !X 0.141 ms !X
> >
> > Also have 3 old ubuntu machines, and traceroute to them with no problem
> > with the !X.
> >
> > Did not with the firewalld status I am seeing this.
> >
> > · firewalld.service - firewalld - dynamic firewall daemon
> >    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
> >    Active: active (running) since Thu 2016-09-08 02:53:53 ChST; 41s ago
> >      Docs: man:firewalld(1)
> >  Main PID: 11258 (firewalld)
> >     Tasks: 3 (limit: 512)
> >    CGroup: /system.slice/firewalld.service
> >            └─11258 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid
> >
> > Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed:
> >
> > Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed:
> >
> > Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed:
> >
> > Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --out-interface virbr0 --jump REJECT' failed:
> >
> > Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --in-interface virbr0 --jump REJECT' failed:
> >
> > Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT' failed:
> >
> > Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT' failed:
> >
> > Sep 08 02:53:54 d7t.guamcc.net /firewalld[11
Re: Issue with ftp making connection but not list?
On Thu, Sep 08, 2016 at 03:17:32AM +1000, Michael D. Setzer II wrote:
> Everything was working till just the other day? I've done more testing,
> and it has something to do with firewalld and iptables.
>
> I found that if I traceroute to machines not running fedora 24 it
> completes, but with fedora 24 machine I am getting !X
>
> I stopped firewalld and iptables on machine d7t and then I can complete
> a traceroute and ftp to the machine.

while I'm surely not an expert, I think that at this time I would open
up the firewall applet on the remote systems and make sure that both
ports necessary for ftp are in fact open. According to /etc/services,
that would be ports 20 and 21, for both tcp and udp.

ftp-data 20/tcp
ftp-data 20/udp
# 21 is registered to ftp, but also used by fsp
ftp 21/tcp
ftp 21/udp fsp fspd

>
> traceroute to 192.168.7.220 (192.168.7.220), 30 hops max, 60 byte
> packets
>
>  1 d7t.guamcc.net (192.168.7.220) 0.122 ms 0.091 ms 0.080 ms
>
> traceroute to 192.168.7.218 (192.168.7.218), 30 hops max, 60 byte
> packets
>
>  1 d7r.guamcc.net (192.168.7.218) 0.199 ms !X 0.154 ms !X 0.141 ms !X
>
> Also have 3 old ubuntu machines, and traceroute to them with no problem
> with the !X.
>
> Did not with the firewalld status I am seeing this.
>
> · firewalld.service - firewalld - dynamic firewall daemon
>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
>    Active: active (running) since Thu 2016-09-08 02:53:53 ChST; 41s ago
>      Docs: man:firewalld(1)
>  Main PID: 11258 (firewalld)
>     Tasks: 3 (limit: 512)
>    CGroup: /system.slice/firewalld.service
>            └─11258 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid
>
> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed:
>
> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed:
>
> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed:
>
> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --out-interface virbr0 --jump REJECT' failed:
>
> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --in-interface virbr0 --jump REJECT' failed:
>
> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT' failed:
>
> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT' failed:
>
> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete OUTPUT --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT' failed:
>
> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT' failed:
>
> Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed:
>
> Again, it was working 2 days ago, so I am thinking that a recent update
> has done something??
>
> Not sure why the !X is occurring. These machines are on the same
> 192.168.7.x network?
>
> Thanks for the reply.
>
> On 7 Sep 2016 at 9:42, Gordon Messmer wrote:
>
> Subject: Re: Issue with ftp making connection but not list?
> To: Community support for Fedora users <users@lists.fedora
Re: Issue with ftp making connection but not list?
Everything was working till just the other day? I've done more testing, and it has something to do with firewalld and iptables.

I found that if I traceroute to machines not running fedora 24 it completes, but with fedora 24 machine I am getting !X

I stopped firewalld and iptables on machine d7t and then I can complete a traceroute and ftp to the machine.

traceroute to 192.168.7.220 (192.168.7.220), 30 hops max, 60 byte packets
 1  d7t.guamcc.net (192.168.7.220)  0.122 ms  0.091 ms  0.080 ms

traceroute to 192.168.7.218 (192.168.7.218), 30 hops max, 60 byte packets
 1  d7r.guamcc.net (192.168.7.218)  0.199 ms !X  0.154 ms !X  0.141 ms !X

Also have 3 old ubuntu machines, and traceroute to them with no problem with the !X.

Did note with the firewalld status I am seeing this.

● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2016-09-08 02:53:53 ChST; 41s ago
     Docs: man:firewalld(1)
 Main PID: 11258 (firewalld)
    Tasks: 3 (limit: 512)
   CGroup: /system.slice/firewalld.service
           └─11258 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --destination 192.168.122.0/24 --out-interface virbr0 --match conntrack --ctstate ESTABLISHED,RELATED --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --source 192.168.122.0/24 --in-interface virbr0 --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --in-interface virbr0 --out-interface virbr0 --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --out-interface virbr0 --jump REJECT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete FORWARD --in-interface virbr0 --jump REJECT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 53 --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 53 --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete OUTPUT --out-interface virbr0 --protocol udp --destination-port 68 --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol udp --destination-port 67 --jump ACCEPT' failed:
Sep 08 02:53:54 d7t.guamcc.net /firewalld[11258]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w --table filter --delete INPUT --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT' failed:

Again, it was working 2 days ago, so I am thinking that a recent update has done something??

Not sure why the !X is occurring. These machines are on the same 192.168.7.x network?

Thanks for the reply.

On 7 Sep 2016 at 9:42, Gordon Messmer wrote:

Subject: Re: Issue with ftp making connection but not list?
To: Community support for Fedora users <users@lists.fedoraproject.org>
From: Gordon Messmer <gordon.mess...@gmail.com>
Date sent: Wed, 7 Sep 2016 09:42:59 -0700
Send reply to: Community support for Fedora users <users@lists.fedoraproject.org>

> On 09/07/2016 07:18 AM, Michael D. Setzer II wrote:
> > Use ftp to transfer files, but just had issues today in which connection is
> > made and login works fine, but doing a ls or trying to download a file
> > fails?
>
> If you're behind NAT or a non-stateful firewall, you typically need to
> use PASV. If the server is behind NAT or a non-stateful firewall, you
> should not use PASV. If you're both behind NAT or non-stateful
> firewalls, you might not be able to use FTP at all (for non-encrypted
> FTP, a NAT helper on the firewall can re-write traffic to make active
> mode work).
>
> Since you're able to reach the server from off-site, the problem is
> probably the firewall used by the clients on campus. If you don't run
> that, you should mention the issue to the people who do (MIS?).
Re: Issue with ftp making connection but not list?
On 09/07/2016 07:18 AM, Michael D. Setzer II wrote:
> Use ftp to transfer files, but just had issues today in which connection is
> made and login works fine, but doing a ls or trying to download a file
> fails?

If you're behind NAT or a non-stateful firewall, you typically need to use PASV. If the server is behind NAT or a non-stateful firewall, you should not use PASV. If you're both behind NAT or non-stateful firewalls, you might not be able to use FTP at all (for non-encrypted FTP, a NAT helper on the firewall can re-write traffic to make active mode work).

Since you're able to reach the server from off-site, the problem is probably the firewall used by the clients on campus. If you don't run that, you should mention the issue to the people who do (MIS?).
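The active/passive distinction in the reply above comes down to which side advertises a listening address on the control channel. The following is an added example, not part of the original thread: it parses the standard FTP `PORT` command and `227` reply and reports which side has to accept the inbound data connection. The function names and the sample lines are hypothetical.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2: six decimal bytes, as sent in PORT and in the 227 reply.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed control-channel lines, each paired with the address the other
# end actually sees on the control connection (hypothetical values).
SAMPLES = [
    ("PORT 192,168,7,220,195,80", "192.168.7.220"),   # active, no NAT
    ("PORT 192,168,7,220,195,80", "203.0.113.10"),    # active, client behind NAT
    ("227 Entering Passive Mode (192,168,7,218,156,64)", "192.168.7.218"),
]

def parse_data_endpoint(line):
    """Return (mode, ip, port) for a PORT command or 227 reply, else None."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        mode = "active"    # client listens, server connects back to it
    elif line.startswith("227"):
        mode = "passive"   # server listens, client connects out to it
    else:
        return None
    m = _HOSTPORT.search(line)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ipaddress.ip_address(".".join(map(str, nums[:4])))
    return mode, ip, nums[4] * 256 + nums[5]

def diagnose(line, control_peer_ip):
    """Say which side must accept the inbound data connection and whether the
    advertised address differs from the one seen on the control connection."""
    parsed = parse_data_endpoint(line)
    if parsed is None:
        return None
    mode, ip, port = parsed
    return {
        "mode": mode,
        "listener": "client" if mode == "active" else "server",
        "endpoint": f"{ip}:{port}",
        "nat_mismatch": ip != ipaddress.ip_address(control_peer_ip),
    }

if __name__ == "__main__":
    for text, peer in SAMPLES:
        print(text, "->", diagnose(text, peer))
```

A `nat_mismatch` on a `PORT` line is the case where the advertised address is not reachable as written, so active mode only works if a helper on the firewall rewrites it; the `listener` field names the side whose firewall must admit the new data connection.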
Issue with ftp making connection but not list?
Use ftp to transfer files, but just had issues today in which connection is made and login works fine, but doing a ls or trying to download a file fails? Tried with passive on and off?

Did use it just the other day. We did have some power issues, since two of the Island main generators are down, and they have had 3 hour rolling outages??

I can do sftp connections, and they seem to work just fine, but anonymous doesn't work with that.

Have tried both using ncftp and regular ftp. Have systems in my classroom that are on a separate network sitting side by side, and then can not connect. Can connect with ftp server on same machine using IP, and it works?

Not at the site at moment, but will try to power cycle switches and computers to see.

I can ncftp to servers on campus from off campus, but from inside campus to same machines doesn't work? Don't know if MIS might have made some changes??

+--+
Michael D. Setzer II - Computer Science Instructor
Guam Community College Computer Center
mailto:mi...@kuentos.guam.net
mailto:msetze...@gmail.com
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/
+--+