Pure-ftpd collected with YAST from the Suse repository

stamcose · 12-06-2009, 11:54 PM

My start configuration as set up at booting:

Code:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2032/portmap
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      2358/xinetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2372/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2172/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2289/master
tcp        0      0 127.0.0.1:7572          127.0.0.1:111           TIME_WAIT   -
tcp        0      0 :::22                   :::*                    LISTEN      2372/sshd
tcp        0      0 ::1:631                 :::*                    LISTEN      2172/cupsd
tcp        0      0 ::1:25                  :::*                    LISTEN      2289/master

ftp access not possible, no trace in /var/log/xinetd.log,/var/log/messages

Stopping xinetd and starting pure-ftpd:

Code:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      2032/portmap
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      2941/pure-ftpd (SER
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      2372/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      2172/cupsd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2289/master
tcp        0      0 :::21                   :::*                    LISTEN      2941/pure-ftpd (SER
tcp        0      0 :::22                   :::*                    LISTEN      2372/sshd
tcp        0      0 ::1:631                 :::*                    LISTEN      2172/cupsd
tcp        0      0 ::1:25                  :::*                    LISTEN      2289/master

ftp access not possible, no trace in /var/log/messages

Conclusion:

It is not really a problem with xinetd/pure-ftpd, the problem is upstream with the basic tcp handling!

stamcose · 12-07-2009, 09:00 AM

PROBLEM SOLVED!

It is indeed the firewall that messes it up! Switch off the firewall (with YAST interactive facility) and it works!

Let firewall run but allow pure-ftpd FROM EXTERNAL ZONE (with YAST interactive facility) and it works!

But the firewall is supposed (by the active default setting) to not protect from internal zone. (from ip 192.168.0.*)

IT IS THEREFORE A BUG IN THE FIREWALL

Should be corrected (or warned for!) in connection with the "get software" function! I spent a lot of time with this!

stamcose · 12-08-2009, 03:09 AM

Sorry, it is not a bug in the Firewall!

With the default Firewall setting from the installation CD "eth0" is external zone. There is no "internal zone"!

With the ftp server in a private LAN behind a router with Firewall towards Internet the SUSE Firewall should logically be switched off if you consider the LAN as a "safe internal zone". If not leave the SUSE Firewall on and allow the ftp service explicitly.

Sure, on the private LAN all traffic has IP adress 192.168.0.*!

jschiwal · 12-09-2009, 09:28 AM

If you run the "yast2 firewall" config tool, you can assign which zone an interface is assigned to in the "interfaces" zone. Under the "allow services" page a button on the bottom allows you to "protect firewall from internal zone". The default is to have this unselected. The ports are not blocked for the internal zone in that case. I usually opt to have this selected and to allow services such as nfs & samba enabled explicitly for the internal zone and only ssh for the external zone. I use external zone for the wireless interface and internal for eth0.

I'm glad you got it working!