LinuxQuestions.org
Old 04-25-2003, 04:55 PM   #1
Bug Boy
LQ Newbie
 
Registered: Apr 2003
Posts: 1

Rep: Reputation: 0
vsftp and hardware firewall


OK, kind of new at this. Just enough to be dangerous.
Fresh install of Red Hat 9.
Have an SMB Barricade hardware firewall.
Ports 80, 20, 21 open to the outside and ported to my Linux box at 192.168.2.14.
The HTTP Apache server works fine this way. Trying to get an FTP server up so other users can modify the website.
I can connect to the server from another client on this side of the firewall with no problems. When I try to connect to the server using the real-world IP, it connects, then I get this error from WS_FTP:
227 Entering Passive Mode (192,168,2,14,21,52)
connecting data channel to 192.168.2.14:5428
Substituting connection address 24.XXX.XXX.XXX for private address 192.168.2.14 from PASV
connection refused; the server would not accept an FTP connection.
PORT 192,168,2,35,4,82
500 Illegal PORT command.
Port failed 500 Illegal PORT command.
Users from the Internet get similar things. The client connects but then fails after it goes to passive mode.

Here are the contents of my vsftpd.conf file:

# Local (PAM) users only; anonymous logins are off.
anonymous_enable=NO
local_enable=YES
# Uploads and other write commands allowed; new files get mode 644 (umask 022).
write_enable=YES
local_umask=022
dirmessage_enable=YES
# Transfer log, written in the classic xferlog format.
xferlog_enable=YES
# Active-mode data connections are opened by the server, outbound, from source port 20.
connect_from_port_20=YES
xferlog_std_format=YES
# Unprivileged account vsftpd drops to for work that needs no root privileges.
nopriv_user=ftpsecure
ftpd_banner=Welcome to Calder's FTP service.
# Only the users named in /etc/vsftpd.chroot_list are jailed in their home directory.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
pam_service_name=vsftpd
userlist_enable=YES
# Standalone mode. vsftpd.conf(5) says a listen=YES vsftpd must not also be started from an inetd.
listen=YES
tcp_wrappers=YES
# No pasv_address and no pasv_min_port/pasv_max_port here, so 227 replies carry 192.168.2.14 and a random port.

and my vsftp (xinetd) file:

# xinetd service stanza; the posted lines are its body.
service ftp
{
	disable         = no
	socket_type     = stream
	wait            = no
	# xinetd starts vsftpd as root; vsftpd drops privileges itself.
	user            = root
	# Locally built binary rather than the distribution package.
	server          = /usr/local/sbin/vsftpd
	# At most 5 concurrent sessions per source address, 10 in total.
	per_source      = 5
	instances       = 10
	nice            = 10
	banner_fail     = /etc/vsftpd.busy_banner
	log_on_success  += PID HOST DURATION
	log_on_failure  += HOST
}

Thanks
Calder
 
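A worked decode of the control-channel lines quoted in the post above, added here as an example; it is not code from the post, from WS_FTP or from vsftpd. The 227 reply and the PORT command are copied from the post. Everything else is assumed: the masked 24.XXX.XXX.XXX public address is written as 203.0.113.20, the NAT'd client is taken to reach the server as 203.0.113.10, and vsftpd_accepts_port is a model of the documented port_promiscuous=NO behaviour, not vsftpd's source.

```python
"""Decode RFC 959 PASV/PORT address tuples and model the two checks that
break FTP data connections across NAT: a 227 reply that advertises an
RFC 1918 address, and a PORT command whose address is not the control
connection's source (vsftpd's "500 Illegal PORT command")."""

import ipaddress
import re

# Constructed samples. The 227 reply and the PORT command are those quoted
# in the post; the public addresses are assumptions for the NAT scenario.
PASV_REPLY = "227 Entering Passive Mode (192,168,2,14,21,52)"
PORT_COMMAND = "PORT 192,168,2,35,4,82"
SERVER_PUBLIC_IP = "203.0.113.20"          # address the client dialled (assumed)
CLIENT_AS_SEEN_BY_SERVER = "203.0.113.10"  # NAT'd source of the control connection (assumed)

_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for the three private ranges a NAT box hides behind a public address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RFC1918)


def parse_host_port(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple shared by 227 replies and PORT commands.

    The port is p1*256 + p2, so (21,52) is 21*256 + 52 = 5428, exactly the
    port WS_FTP printed in the post.
    """
    m = _TUPLE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % text)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("byte out of range in %r" % text)
    host = "%d.%d.%d.%d" % tuple(fields[:4])
    return host, fields[4] * 256 + fields[5]


def data_endpoint_from_pasv(reply, dialled_ip):
    """Choose where a NAT-aware client should open the data connection.

    Returns (ip, port, substituted). When the server advertises a private
    address but was reached through a public one, the advertised address is
    unreachable and the client falls back to the address it dialled; this is
    the "Substituting connection address ..." step WS_FTP logs in the post.
    The connection still fails unless the firewall forwards that port.
    """
    host, port = parse_host_port(reply)
    if is_rfc1918(host) and not is_rfc1918(dialled_ip):
        return dialled_ip, port, True
    return host, port, False


def vsftpd_accepts_port(command, control_peer_ip, port_promiscuous=False):
    """Model of the check behind vsftpd's "500 Illegal PORT command".

    With the default port_promiscuous=NO, vsftpd refuses a PORT naming an
    address other than the control connection's source, and refuses
    privileged (<1024) ports outright; both are anti-bounce measures. A
    client behind NAT names its private address while the server sees the
    NAT device's address, so the default check fails.
    """
    host, port = parse_host_port(command)
    if port < 1024:
        return False
    if port_promiscuous:
        return True
    return host == control_peer_ip


if __name__ == "__main__":
    print(parse_host_port(PASV_REPLY))
    print(data_endpoint_from_pasv(PASV_REPLY, SERVER_PUBLIC_IP))
    print(vsftpd_accepts_port(PORT_COMMAND, CLIENT_AS_SEEN_BY_SERVER))
```

The same PORT command is accepted when the server really does see the client as 192.168.2.35 (a LAN-side connection), which matches the post: inside the firewall everything works, through the public address it does not.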
Old 08-31-2003, 08:44 AM   #2
bjchip
LQ Newbie
 
Registered: Aug 2003
Location: In Transit
Distribution: Red Hat 9, Red Hat 8
Posts: 4

Rep: Reputation: 0
Almost exactly the same, but WinXP client works

OK... I have the same issue. I installed RH9 on one computer with an up-to-date RH8 on my host. I persuaded the host to function using RH8 vsftpd and connected from the Windows XP box (which is actually a dual-boot system). This was successful.

Now I am attempting to connect from the RH9 client on the same box. So it is NOT a hardware issue, and it is not certain that it is a server issue, though it could be. It is most likely something on the client side. The connection succeeds through the login and then fails to handle the PASV mode connection for data.

respectfully
BJ
 
Old 08-31-2003, 11:02 AM   #3
Looking_Lost
Senior Member
 
Registered: Apr 2003
Location: Eire
Distribution: Slackware 12.0, OpenSuse 10.3
Posts: 1,120

Rep: Reputation: 45
It's most likely a firewall issue; you have to open up port 20 too. Take a peek at

man vsftpd.conf


Quote:
connect_from_port_20=YES
That's my guess; open up port 20 and see if it helps.
 
Old 08-31-2003, 01:11 PM   #4
bjchip
LQ Newbie
 
Registered: Aug 2003
Location: In Transit
Distribution: Red Hat 9, Red Hat 8
Posts: 4

Rep: Reputation: 0
It's the iptables

It's definitely a problem in the iptables config, and I am working on that setup now. It appears that the client-side iptables isn't accepting the connection from the server on the random high port. I have found several sources of config info on the web which might work, but lokkit on RH9 doesn't appear to allow for manual config of the tables. I have to find out how to do THAT properly before I can really use the tables. Annoying. I should be able to use vi to modify the config to be what it needs to be, but we are trying to automate this stuff and RH has it tied up with the automatic security config.

Turning off iptables on the server makes it work. I am trying to be certain that this is safe to do. The server is ONLY a server in the context of the zone behind a Linksys NAT installation.

I will continue to work on it for a while; I need to know how to do this sort of thing. OTOH, it is hard to do, and I have found that things that are really hard (as this appears to be) are likely to be things we shouldn't be doing. I don't NEED to serve FTP to the world, just to the private subnet 192.168.xxx.yyy. I can accomplish my tasks by configuring Samba for that same region and by using sftp and scp and NFS locally. In other words, perhaps I should rely on my translation router to do translation and maybe not be dealing with this. I almost know enough to evaluate the problem properly now.

respectfully
BJ
 
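The vsftpd.conf(5) options that make passive mode work through port-forwarding NAT are pasv_address (the address written into 227 replies) and pasv_min_port/pasv_max_port (a fixed data-port range the firewall can forward). None of the three appears in the configuration posted in the first message, which is why its 227 reply carries 192.168.2.14 and the random port 5428. The following is an added example, not code from the thread or from vsftpd: it parses the posted file (embedded as a constructed input), reports what is missing, fills in an assumed public address (203.0.113.20) and an assumed range (50000-50100), and derives the inbound TCP ports the firewall has to forward. Whether the poster's 2003 vsftpd build supports all three options is assumed here, not confirmed by the thread. Port 20 is deliberately absent from the derived set: with connect_from_port_20=YES it is the source port of active-mode data connections the server opens outbound, and the first post already has it forwarded without effect on passive transfers.

```python
"""Check a vsftpd.conf for passive-mode-behind-NAT settings and derive the
inbound TCP ports the firewall must forward. Added example; not vsftpd code."""

# Constructed input: the vsftpd.conf from the first post, as posted.
POSTED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
nopriv_user=ftpsecure
ftpd_banner=Welcome to Calder's FTP service.
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
"""

ASSUMED_PUBLIC_IP = "203.0.113.20"    # the firewall's outside address (assumed)
ASSUMED_PASV_RANGE = (50000, 50100)   # any unprivileged range the firewall can forward (assumed)


def parse_vsftpd_conf(text):
    """vsftpd.conf is one option=value per line; '#' lines are comments. Order is kept."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        conf[key.strip()] = value.strip()
    return conf


def _pasv_range(conf):
    # vsftpd's default for both is 0, meaning "let the kernel pick"; treat that as unset.
    lo, hi = conf.get("pasv_min_port", "0"), conf.get("pasv_max_port", "0")
    if lo == "0" or hi == "0":
        return None
    return int(lo), int(hi)


def nat_passive_findings(conf):
    """List what is missing or wrong for passive mode behind port-forwarding NAT."""
    findings = []
    if conf.get("pasv_enable", "YES").upper() == "NO":
        return findings  # passive mode off: nothing to advertise or forward
    if "pasv_address" not in conf:
        findings.append("pasv_address unset: 227 replies advertise the box's private address")
    rng = _pasv_range(conf)
    if rng is None:
        findings.append("pasv_min_port/pasv_max_port unset: data port is random and cannot be forwarded")
    elif rng[0] < 1024 or rng[1] < rng[0]:
        findings.append("pasv port range %d-%d invalid: must be >= 1024 with min <= max" % rng)
    return findings


def nat_ready_conf(conf, public_ip, port_range):
    """Copy of conf with the three passive-mode settings filled in."""
    fixed = dict(conf)
    fixed["pasv_address"] = public_ip
    fixed["pasv_min_port"] = str(port_range[0])
    fixed["pasv_max_port"] = str(port_range[1])
    return fixed


def render_conf(conf):
    return "".join("%s=%s\n" % item for item in conf.items())


def required_inbound_ports(conf):
    """TCP ports the firewall must forward to the server: the control port plus
    the passive range. Port 20 is not included: it is the server's *source*
    port for outbound active-mode data connections, not a listening port."""
    ports = {int(conf.get("listen_port", "21"))}
    if conf.get("pasv_enable", "YES").upper() != "NO":
        rng = _pasv_range(conf)
        if rng is None:
            raise ValueError("passive port range unset; data port is unpredictable")
        ports.update(range(rng[0], rng[1] + 1))
    return ports


if __name__ == "__main__":
    posted = parse_vsftpd_conf(POSTED_CONF)
    for finding in nat_passive_findings(posted):
        print("posted config:", finding)
    fixed = nat_ready_conf(posted, ASSUMED_PUBLIC_IP, ASSUMED_PASV_RANGE)
    print(render_conf(fixed))
    print("forward TCP ports:", sorted(required_inbound_ports(fixed)))
```

The on-box iptables rules follow from the same set: accept TCP 21 and the passive range inbound, and let ESTABLISHED,RELATED traffic through (with ip_conntrack_ftp loaded so the data connection is recognised as related). Keep the range narrow; every forwarded port is reachable from the Internet whether or not an FTP session is in progress.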
  

