Bug 111228

Summary: When trying to allow port 20 through firewall to support ftp server, it is not honored, thus not allowing clients important ftp functionality.
Product: Fedora
Reporter: Joe Dumais <jjejdumais>
Component: iptables
Assignee: Thomas Woerner <twoerner>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: 1
CC: gedetil
Keywords: Security
Hardware: i586
OS: Linux
Doc Type: Bug Fix
Last Closed: 2003-12-03 11:34:28 UTC

Description Joe Dumais 2003-12-01 00:25:27 UTC

Description of problem:
When using the setup program to set a service:protocol to be allowed through
the firewall on an FTP server (both wu-ftpd and vsftpd were tried),
the appropriate "accept" line shows up for port 20 (ftp-data) and its
associated protocol (i.e., tcp).  However, the firewall does not
actually allow access to this port (as demonstrated by the inability
of a remote client machine to do directory lists/file transfers in ftp
or to telnet to port 20).  The only way these services are available is
if the firewall is completely disabled.

Version-Release number of selected component (if applicable):
iptables-1.2.8-13

How reproducible:
Always

Steps to Reproduce:
1. In setup (firewall configuration) allow ftp-data:tcp as a special
service through the firewall and OK the change.
2. Set up an FTPD server (e.g., vsftpd, wu-ftpd).
3. Attempt a remote client ftp session.  As part of the session, try to
download a file or do an ls or directory listing (thus attempting ftp-data on
port 20).

Actual Results:  Received following message at FTP client.
"ftp: connect: No route to host"

Expected Results:  Expected that the firewall would allow service
through and allow the directory listing or file transfer.

Additional info:

When the firewall is completely disabled (using the firewall
configuration in setup), the results in ftp are as expected.

Comment 1 Thomas Woerner 2003-12-03 11:34:28 UTC
You have to add ip_nat_ftp to IPTABLES_MODULES in
/etc/sysconfig/iptables-config or you have to use active ftp data
transfer mode in the ftp client.

Please have a look at the ftp man page.
Comment 2 Gilbert E. Detillieux 2004-06-03 13:17:26 UTC
I believe that should be the ip_conntrack_ftp module, if you're only
interested in connection tracking and not using NAT.

By the way, that's not in the ftp man page, nor is it in the vsftpd or
vsftpd.conf man pages.  The only place I found this described was on
mailing list archives, after doing lots of web searches.  This really
needs to be better documented.

Furthermore, when you select FTP as part of the firewall configuration
in the anaconda setup, it should add the appropriate module(s) to
IPTABLES_MODULES for you.  (Likewise for other services requiring
tracking modules.)
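The fix given in Comment 1 and refined in Comment 2 is an edit to IPTABLES_MODULES in /etc/sysconfig/iptables-config: ip_conntrack_ftp watches the FTP control channel (PORT/PASV exchanges) and marks the resulting data connection as RELATED to the control connection, so the usual ESTABLISHED,RELATED accept rule admits it without opening port 20 to everyone; ip_nat_ftp is only needed on top of that when the server sits behind NAT. The script below is an added example, not part of this bug report or of the iptables package. It makes that edit idempotently on a file laid out like iptables-config (assuming the value is double-quoted, as in the sample it constructs) and prints the resulting module list, so it can be run against a copy first and checked before touching the live file.

```shell
#!/bin/sh
# Added example, not part of the bug report: idempotently add a connection
# tracking helper module to IPTABLES_MODULES in a file laid out like
# /etc/sysconfig/iptables-config. Assumes the value is double-quoted, e.g.
#   IPTABLES_MODULES="ip_conntrack_netbios_ns"
# It only edits the file you name; it never touches /etc on its own.

# Print the current module list (empty string if the variable is unset).
current_modules() {
    sed -n 's/^IPTABLES_MODULES="\(.*\)"$/\1/p' "$1" | head -n 1
}

# ensure_iptables_module FILE MODULE
# Adds MODULE to IPTABLES_MODULES in FILE unless it is already listed,
# then prints the resulting module list.
ensure_iptables_module() {
    file="$1"
    module="$2"
    current=$(current_modules "$file")
    if ! grep -q '^IPTABLES_MODULES=' "$file"; then
        # Variable missing entirely: append a fresh assignment.
        printf 'IPTABLES_MODULES="%s"\n' "$module" >> "$file"
    else
        case " $current " in
            *" $module "*)
                ;;  # already present, nothing to do
            *)
                # Append the module, trimming the leading space left by an empty list.
                new=$(printf '%s %s' "$current" "$module" | sed 's/^ *//')
                tmp="$file.tmp.$$"
                sed "s|^IPTABLES_MODULES=\".*\"$|IPTABLES_MODULES=\"$new\"|" \
                    "$file" > "$tmp" && mv "$tmp" "$file"
                ;;
        esac
    fi
    current_modules "$file"
}

# Demo on a constructed copy of the config, never on the live file.
demo_config=$(mktemp)
cat > "$demo_config" <<'EOF'
# constructed sample of /etc/sysconfig/iptables-config
IPTABLES_MODULES=""
IPTABLES_MODULES_UNLOAD="yes"
EOF
ensure_iptables_module "$demo_config" ip_conntrack_ftp
ensure_iptables_module "$demo_config" ip_conntrack_ftp   # second call is a no-op
rm -f "$demo_config"
```

After applying the change to the real file, restarting the iptables service loads the listed modules; `lsmod | grep ip_conntrack_ftp` confirms the helper is present, and a passive-mode directory listing from a remote client is the end-to-end check. Adding ip_nat_ftp as well is harmless but only matters when the server's address is being translated.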