
Ftp behind firewall/router


Grub3r

Technical User
Aug 17, 2006
Hello guys,

I am having this problem here:

I am running vsftpd on a machine behind an FC5 firewall/router.

From the LAN everything works fine: passive and active, and with encryption.

From the WAN only passive FTP works, and only without encryption.

Active gives me a LIST error, the same as with encryption in both active and passive mode.

The only thing that works is passive without encryption.

I have both ports 20 and 21 forwarded to the firewall/router and further on to an address on the inside.

Is there something I'm missing?
I would post any info if needed.


Any help would be appreciated.

Regards
Dan.

Regards Dan
 
I'm not expert enough to answer with the necessary authority, but in IPTables firewalls (maybe, maybe not F5) there is a concept of stateful connections that must be permitted for services such as FTP. Leaving the port open is one thing, allowing a session to have a history between 20 and 21 is another.

IPTables has a conn_track module for this. Documentation for that might give you a tip to pursue on the firewall.

HTH.

D.E.R. Management - IT Project Management Consulting
 
Hi and thanks for the answer.

I have run the command modprobe ip_conntrack_ftp
but with no result.

Can I run the FTP server in active mode?

I can see that I'm logged on to the FTP server with encryption, but the LIST command doesn't work. I assume there is something wrong with the data port?

Is there something special I have to do with iptables to allow FTP from behind a firewall/router?

Isn't there anybody else with an FTP-behind-router/firewall problem?


Many thanks, Dan.

Regards Dan
 
Hi again,

Doesn't modprobe load a module into the kernel, and insmod install a module?

What difference does it make if I use insmod instead of modprobe?

As I said, passive works fine but not with encryption. Why? Does encryption need to use port 20 (data)? I can log in, but the LIST command doesn't go through.

The optimal setup would be active with encryption. Is it possible behind a router that's behind the ISP's ADSL modem?
internet -> ADSL modem -> FC router/firewall -> FTP server

I use vsftpd; does that mean I should enable something else in the vsftpd config files?


Thanks.

Regards Dan
 
I don't use Secure/Encrypted FTP since SCP/SFTP exist.

However, from /etc/services I see that this service is defined on my box:

sftp 115/tcp

Therefore I conclude that "encrypted ftp" as you are requesting is going to use another port than what you've allowed. Think so?

D.E.R. Management - IT Project Management Consulting
 
Hello there,
I just looked through the services on the system.
I was assuming that active FTP uses both ports 20 and 21, but which protocols? Both TCP and UDP?

Code:
ftp-data        20/tcp
ftp-data        20/udp
# 21 is registered to ftp, but also used by fsp
ftp             21/tcp
ftp             21/udp          fsp fspd

Because I only forwarded the TCP protocol on ports 20 and 21 to the FTP server.

The second thing is that I can see sftp on port 115 on both TCP and UDP, and also this:
Code:
ftps-data       989/tcp                         # ftp protocol, data, over TLS/SSL
ftps-data       989/udp                         # ftp protocol, data, over TLS/SSL
ftps            990/tcp                         # ftp protocol, control, over TLS/SSL
ftps            990/udp                         # ftp protocol, control, over TLS/SSL

None of these (encryption) ports are open (I haven't opened a single one of them).

I had made a certificate with openssl to use with vsftpd.

My question is: how can I access the FTP server from the LAN in both passive and active mode, and with encryption in both modes, if I haven't opened the encryption ports mentioned above, and the only ports I have opened are TCP ports 20 and 21?

Regards Dan
 
Do you have any firewall rules to govern access from LAN? Often an enterprise trusts the LAN side of the firewall to reach servers inside the firewall without restriction.

D.E.R. Management - IT Project Management Consulting
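The LIST failures discussed in this thread come down to the data connection, which in passive mode goes to whatever address and port the server announces in its 227 reply. The following is an added example, not code from the thread or from vsftpd: it decodes the h1,h2,h3,h4,p1,p2 tuple from a PASV reply or PORT command and reports why a WAN client would fail to reach the data port when only TCP 20/21 are forwarded and the control channel is encrypted (so the kernel's FTP conntrack helper cannot read or rewrite the reply). The sample control-channel lines and the forwarded-port set are constructed for the example.

```python
import ipaddress
import re

# Constructed samples of what a WAN client sees on the control channel; the server
# address below is an RFC 1918 address, as a server "on the inside" would announce.
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,168,1,10,195,80)."
SAMPLE_PORT_CMD = "PORT 203,0,113,7,4,1"

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(line):
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 tuple of a PASV reply or PORT command."""
    m = _HOSTPORT.search(line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def check_pasv_reply(reply, forwarded_ports, tls_control_channel):
    """Return (ip, port, problems) for a 227 reply seen by a client outside the NAT.

    forwarded_ports: TCP ports the router forwards to the FTP server.
    tls_control_channel: True for FTPS, where the control channel is encrypted and
    the ip_conntrack_ftp helper can neither rewrite the address nor open the port.
    """
    ip, port = parse_hostport(reply)
    problems = []
    if any(ipaddress.ip_address(ip) in net for net in _RFC1918):
        problems.append("announced address %s is private and unreachable from the WAN "
                        "(vsftpd: set pasv_address to the public address)" % ip)
    if port not in forwarded_ports:
        problems.append("data port %d is not forwarded; forwarding 20/21 alone is not enough "
                        "(vsftpd: set pasv_min_port/pasv_max_port and forward that range)" % port)
    if problems and tls_control_channel:
        problems.append("control channel is encrypted, so the FTP conntrack helper cannot "
                        "fix either problem on the fly as it does for plain FTP")
    return ip, port, problems


if __name__ == "__main__":
    ip, port, problems = check_pasv_reply(SAMPLE_PASV_REPLY, {20, 21}, tls_control_channel=True)
    print("server announced %s:%d" % (ip, port))
    for p in problems:
        print(" -", p)
```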
 