I'm experimenting with a Fedora Core 1 server, and so far, everything is running quite well. However, there appears to be a change in the firewall rules that is causing a bit of a problem for vsftpd. I ran redhat-config-securitylevel to allow for access through port 21, but the firewall is blocking passive connections. I added port 20 as well, but that didn't seem to work. What port do I need to open up? Thanks for any help.
Regards,
Scott
J. Scott Amort wrote:
> I'm experimenting with a Fedora Core 1 server, and so far, everything is running quite well. However, there appears to be a change in the firewall rules that is causing a bit of a problem for vsftpd. I ran redhat-config-securitylevel to allow for access through port 21, but the firewall is blocking passive connections. I added port 20 as well, but that didn't seem to work. What port do I need to open up? Thanks for any help.
> Regards,
> Scott
-- fedora-list mailing list fedora-list@redhat.com http://www.redhat.com/mailman/listinfo/fedora-list
On an ftp server which you want clients to be able to access via passive FTP be sure to insmod the ip_conntrack_ftp module, which can be accomplished by adding the following two lines to /etc/modules.conf:
# iptables module added for passive ftp access to ftpd on local system
above ip_conntrack ip_conntrack_ftp
On Tue, 2003-11-11 at 18:54, Christopher K. Johnson wrote:
> On an ftp server which you want clients to be able to access via passive FTP be sure to insmod the ip_conntrack_ftp module, which can be accomplished by adding the following two lines to /etc/modules.conf:
> # iptables module added for passive ftp access to ftpd on local system
> above ip_conntrack ip_conntrack_ftp
Thanks very much - this worked. However, I would like to know why. This wasn't a problem in RedHat 9 (or at least, it accomplished the same thing a different way). What exactly does this do? Thanks again.
Regards,
Scott
J. Scott Amort wrote:
> On Tue, 2003-11-11 at 18:54, Christopher K. Johnson wrote:
> > On an ftp server which you want clients to be able to access via passive FTP be sure to insmod the ip_conntrack_ftp module, which can be accomplished by adding the following two lines to /etc/modules.conf:
> > # iptables module added for passive ftp access to ftpd on local system
> > above ip_conntrack ip_conntrack_ftp
> Thanks very much - this worked. However, I would like to know why. This wasn't a problem in RedHat 9 (or at least, it accomplished the same thing a different way). What exactly does this do? Thanks again.
Sorry for the very late reply. Was doing some clean-up today and noticed your message.
The above solution was also necessary on earlier versions of RH, but perhaps your iptables rules were more permissive.
BTW, Fedora has a new mechanism for loading needed modules for iptables: include them in an uncommented IPTABLES_MODULES line in /etc/sysconfig/iptables-config. If you need more than one module loaded, include each of them, space-delimited, inside the double quotes.
What the "above" directive does is make the ip_conntrack_ftp module be loaded any time the ip_conntrack module is loaded.
What the module does is augment the connection tracking in iptables to recognize the directive exchanged on an ftp control connection indicating what data connection will be used, and it adds an expected entry for it in the connection tracking table. Thus when the data connection is made it is permitted by a rule like this:
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
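To make the mechanism described above concrete, here is an added illustration (not part of this thread, and not the kernel module's code) that models what the FTP connection-tracking helper does: it watches a control-channel exchange for PASV replies and PORT commands, derives the data connection each one announces, registers it as an expectation, and then classifies an incoming SYN as RELATED (matches an expectation) or NEW (would need its own ACCEPT rule). The control-connection exchange, addresses and ports are constructed sample data; the example always requires the advertised address to match the control-connection peer, which is a hardening choice of this model rather than a statement about the module's own defaults.

```python
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server,
# "PORT h1,h2,h3,h4,p1,p2" from the client. Port = p1*256 + p2.
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def decode_hostport(groups):
    """Turn the six comma-separated fields into (ip, port)."""
    host = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    return host, port


def expectations_from_control(client_ip, server_ip, exchange):
    """Walk a control-channel exchange [(who, line), ...] and return the set of
    expected data connections as (src_ip, dst_ip, dst_port), as the conntrack
    helper would register them. Announcements naming an address other than the
    control-connection peer are ignored (strict anti-spoofing in this model)."""
    expected = set()
    for who, line in exchange:
        if who == "server":
            m = PASV_RE.match(line)
            if m:
                host, port = decode_hostport(m.groups())
                if host == server_ip:  # passive: client connects to server
                    expected.add((client_ip, host, port))
        elif who == "client":
            m = PORT_RE.match(line)
            if m:
                host, port = decode_hostport(m.groups())
                if host == client_ip:  # active: server connects to client
                    expected.add((server_ip, host, port))
    return expected


def classify_syn(expected, src_ip, dst_ip, dst_port):
    """What the ESTABLISHED,RELATED rule would see for a new data-channel SYN."""
    return "RELATED" if (src_ip, dst_ip, dst_port) in expected else "NEW"


# Constructed sample: client 198.51.100.7 talking to server 192.0.2.10.
SAMPLE_EXCHANGE = [
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (192,0,2,10,195,80)"),   # port 50000
    ("client", "PORT 198,51,100,7,4,1"),                           # port 1025
    ("server", "227 Entering Passive Mode (203,0,113,9,195,81)"),  # spoofed addr
]
```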