LinuxQuestions.org
Old 12-07-2005, 04:43 AM   #1
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Rep: Reputation: 30
Allowing Passive and Active FTP Connection


I've set up a server purely for FTP and let my staff use it. Only when they complained that they couldn't connect did I realise there's a difference between passive and active... Their FTP client (FileZilla) defaults to passive, which somehow seems to be waiting for something - can't connect.

Setting it to active solved all issues. I read a bit about it... but so far the one thing I did was to shut off iptables...

I don't suppose allowing passive/active connections has anything to do with vsftpd.conf, because I did try the online reference on setting the parameters (with the port range etc.) and it didn't work at all. Only after I shut off iptables did it work...

So I suppose I need to open certain ports in iptables for it to work... but which ones...

Can anyone advise?

Many thanks
 
Old 12-08-2005, 06:14 AM   #2
baldy3105
Member
 
Registered: Jan 2003
Location: Cambridgeshire, UK
Distribution: Mint (Desktop), Debian (Server)
Posts: 876

Rep: Reputation: 184
Normal FTP is active. Client opens port 21 to server for FTP control, server then instructs client to open a dynamic listening port which the server then connects into for data. So you end up with an incoming session into the client. Obviously most firewalls won't allow this by default and it's almost impossible to set up rules because the listening port is dynamic, so your firewall would have to be able to keep state information on FTP sessions, which most won't.

Passive FTP was introduced as the fix. Here the server opens a dynamic listening port for data and tells the client to open a second session in. So both sessions are client-to-server oriented and therefore the firewall protecting the client doesn't need to do anything special.

The firewall protecting the server, however, needs to be aware that the FTP server may be listening on any port for data sessions and so needs to allow incoming connections to any port on. Unless the firewall is intelligent enough to see what port the FTP session on port 21 has negotiated, which I doubt iptables is.
 
Old 12-08-2005, 06:34 AM   #3
jakev383
QmailToaster Developer
 
Registered: Dec 2005
Location: Burlington, NC
Distribution: CentOS, Voyage, Debian, Fedora
Posts: 220

Rep: Reputation: 31
Quote:
Originally Posted by Swakoo
Setting it to active solved all issues. I read a bit about it... but so far the one thing I did was to shut off iptables...

I don't suppose allowing passive/active connections has anything to do with vsftpd.conf, because I did try the online reference on setting the parameters (with the port range etc.) and it didn't work at all. Only after I shut off iptables did it work...

So I suppose I need to open certain ports in iptables for it to work... but which ones...

Can anyone advise?
No need to shut off iptables. Just run this somewhere (like your rc.local script):
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack

And you should be good after that.
 
Old 12-09-2005, 06:52 AM   #4
baldy3105
Member
 
Registered: Jan 2003
Location: Cambridgeshire, UK
Distribution: Mint (Desktop), Debian (Server)
Posts: 876

Rep: Reputation: 184
I stand corrected, it is clever enough, cool
 
Old 12-09-2005, 06:53 AM   #5
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Original Poster
Rep: Reputation: 30
I shut off iptables and both worked flawlessly...

What do the 2 commands do?
 
Old 12-09-2005, 09:13 PM   #7
jakev383
QmailToaster Developer
 
Registered: Dec 2005
Location: Burlington, NC
Distribution: CentOS, Voyage, Debian, Fedora
Posts: 220

Rep: Reputation: 31
Quote:
Originally Posted by Swakoo
I shut off iptables and both worked flawlessly...

What do the 2 commands do?
To be simple, those 2 commands turn on the IP connection tracking modules. The FTP connection is made, and those modules allow the passive ports to be utilized.
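
Added example, not from any poster in this thread: the first function decodes the data port the way the FTP connection tracking helper has to when it watches the port-21 control channel, and the second prints a ruleset that opens only port 21 and admits the data connections as RELATED. The function names, the sample control-channel lines and the SSH rule are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread). Function names are hypothetical
# and the sample control-channel lines at the bottom are constructed.

# The helper reads the tuple h1,h2,h3,h4,p1,p2 from a client "PORT" command
# (active) or a server "227" reply (passive) on the control channel.
# The negotiated data port is p1*256 + p2.
ftp_data_port() {
    tuple=$(printf '%s\n' "$1" |
        sed -n 's/.*[^0-9]\([0-9]\{1,3\}\(,[0-9]\{1,3\}\)\{5\}\).*/\1/p')
    [ -n "$tuple" ] || return 1            # line carries no address tuple
    p1=$(printf '%s\n' "$tuple" | cut -d, -f5)
    p2=$(printf '%s\n' "$tuple" | cut -d, -f6)
    [ "$p1" -le 255 ] && [ "$p2" -le 255 ] || return 1
    echo $((p1 * 256 + p2))
}

# Print (not apply) an iptables-restore ruleset for the FTP server, so it can
# be reviewed without root. No high ports are opened: once the helper has seen
# the negotiated port, the data connection matches RELATED.
ftp_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Assumption: the box is administered over SSH; drop this rule if it is not.
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# FTP control channel only; data ports are never listed here.
-A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
COMMIT
EOF
}

# Constructed sample lines (not captured traffic).
ftp_data_port '227 Entering Passive Mode (192,168,1,10,195,80).'   # passive
ftp_data_port 'PORT 192,168,1,20,19,137'                           # active
ftp_ruleset
```

Load the helper first (`/sbin/modprobe ip_conntrack_ftp`, named `nf_conntrack_ftp` on later kernels), then apply as root with `ftp_ruleset | iptables-restore`. The helper cannot read an encrypted control channel, so FTP over TLS needs a fixed passive port range opened explicitly instead.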
 
Old 12-27-2005, 02:23 AM   #8
Swakoo
Member
 
Registered: Apr 2005
Distribution: Red Hat / Fedora / CentOS
Posts: 508

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by jakev383
To be simple, those 2 commands turn on the IP connection tracking modules. The FTP connection is made, and those modules allow the passive ports to be utilized.
So I run them to allow passive mode... active mode will still be available, right?

How about disabling it? Should I need to disable passive mode, do I run the same commands again?

Just curious: Are there ways to let the server ONLY accept passive mode and not active mode?

What is the preferred/recommended mode of connection for a standard FTP server?

Many thanks, and Merry Christmas!
 
  


All times are GMT -5.