[svlug] vsftp / firewall, been googling all morning and cant figure it out

Jeff Frost jeff at frostconsultingllc.com
Sat Jan 21 11:45:36 PST 2006


You'll have problems with active mode FTP with the ip_conntrack_ftp module 
loaded.  You can read about the difference between active and passive mode ftp 
here:

http://slacksite.com/other/ftp.html

Now is the point where I recommend sftp or scp or rsync over ssh instead of 
ftp. :-)

On Sat, 21 Jan 2006, Kellner, Peter wrote:

> You are right.  It was passive versus regular mode in my wsftp client.
> Everything seems to work now, but I added the IPTABLES_MODULES line you
> suggest anyhow.  I hope that is OK.
>
> BTW, thanks for not forwarding the password I sent around.
>
> Peter Kellner
> http://peterkellner.net
>
> -----Original Message-----
> From: Jeff Frost [mailto:jeff at frostconsultingllc.com]
> Sent: Saturday, January 21, 2006 11:28 AM
> To: Kellner, Peter
> Cc: SVLUG
> Subject: RE: [svlug] vsftp / firewall,been googling all morning and cant
> figure it out
>
> It's probably a passive mode vs regular mode ftp problem.
>
> You probably need to load some of the ftp iptables modules.  You can do that
> in /etc/sysconfig/iptables-config on RH/Fedora distros like so:
>
> IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp ip_nat_irc ip_conntrack_irc"
>
> The first two are likely what you want.  Then just service iptables restart
>
> BTW, don't take the list off of the Cc list, that way someone else with a
> better idea can reply.
>
> On Sat, 21 Jan 2006, Kellner, Peter wrote:
>
>> Now, when I test it with my ftp command prompt it works fine but not
>> with wsftp.  Let me look into that before I waste more of your time
>>
>> Peter Kellner
>> http://peterkellner.net
>>
>> -----Original Message-----
>> From: Jeff Frost [mailto:jeff at frostconsultingllc.com]
>> Sent: Saturday, January 21, 2006 11:13 AM
>> To: Kellner, Peter
>> Subject: RE: [svlug] vsftp / firewall,been googling all morning and cant
>> figure it out
>>
>> If you're on the ftp server, what happens if you issue a reverse dns lookup
>> like so:
>>
>> host <ip address of ftp client>
>> host 69.226.242.241
>>
>> for instance?
>>
>> On Sat, 21 Jan 2006, Kellner, Peter wrote:
>>
>>> Just the connection
>>>
>>> Peter Kellner
>>> http://peterkellner.net
>>>
>>> -----Original Message-----
>>> From: jeff at glacier.frostconsultingllc.com
>>> [mailto:jeff at glacier.frostconsultingllc.com] On Behalf Of Jeff Frost
>>> Sent: Saturday, January 21, 2006 10:00 AM
>>> To: Kellner, Peter; 'SVLUG'
>>> Subject: RE: [svlug] vsftp / firewall,been googling all morning and cant
>>> figure it out
>>>
>>> Peter, is it horribly slow just getting the initial connection, or horribly
>>> slow during transfers as well as setting up the initial connection?
>>>
>>> ----
>>> Jeff Frost, Owner       <jeff at frostconsultingllc.com>
>>> Frost Consulting, LLC   http://www.frostconsultingllc.com/
>>> Phone: 650-780-7908     FAX: 650-649-1954
>>>
>>>
>>> -----Original Message-----
>>>
>>> I've installed a CentOS 4 in a server configuration and it installed the
>>> firewall (iptables I think) and I told it to let ftp connections
>>> through.  It works but the connection is horribly slow.  I think it is a
>>> firewall reverse dns lookup problem.
>>>
>>> I'd appreciate if someone either knows the answer on how to fix this, or
>>> can point me at better sources than I have found.  This server is at a
>>> colo and I want to make it secure so I don't want to disable the
>>> firewall.
>>>
>>> Thanks.
>>>
>>> Peter Kellner
>>> http://peterkellner.net
>>>

-- 
Jeff Frost, Owner 	<jeff at frostconsultingllc.com>
Frost Consulting, LLC 	http://www.frostconsultingllc.com/
Phone: 650-780-7908	FAX: 650-649-1954
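
Added example (not part of the original thread, and not code from vsftpd or the kernel modules): a Python illustration of what an FTP connection-tracking helper such as ip_conntrack_ftp has to read from the control channel to know which data connection to expect in active (PORT) versus passive (227 reply) mode. The function names, the address-match rule and the sample lines (documentation addresses) are assumptions constructed for illustration.

```python
import re

# Six comma-separated decimal fields h1,h2,h3,h4,p1,p2 (RFC 959 host-port).
_HOSTPORT = re.compile(",".join([r"(\d{1,3})"] * 6))

# Constructed sample control-channel lines; addresses are documentation ranges.
CLIENT, SERVER = "192.0.2.10", "198.51.100.5"
SESSION = [
    "USER anonymous",
    "PORT 192,0,2,10,195,80",
    "227 Entering Passive Mode (198,51,100,5,78,52)",
    "PORT 203,0,113,9,0,22",  # address is not the sender's: ignored
]


def expected_data_connection(line, client_ip, server_ip):
    """Return (mode, listener_ip, port, connecting_ip) for a control-channel
    line that announces a data connection, or None for any other line."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        # Active mode: the client listens and the server connects back to it.
        mode, listener, connector = "active", client_ip, server_ip
    elif line.startswith("227 "):
        # Passive mode: the server listens and the client connects to it.
        mode, listener, connector = "passive", server_ip, client_ip
    else:
        return None
    m = _HOSTPORT.search(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    # Assumption of this example: only accept an endpoint on the host that
    # sent the line (no NAT rewriting of the advertised address is modelled).
    if ip != listener:
        return None
    return (mode, ip, port, connector)


def summarize(lines):
    results = (expected_data_connection(l, CLIENT, SERVER) for l in lines)
    return [r for r in results if r is not None]


if __name__ == "__main__":
    for mode, ip, port, peer in summarize(SESSION):
        print(f"{mode}: expect {peer} -> {ip}:{port}")
```

In active mode the new connection arrives inbound at the client, in passive mode inbound at the server on a high port, which is why a firewall that only allows port 21 needs the helper to recognise either one as related to the control session.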



