Red Hat Bugzilla – Bug 111228
When trying to allow port 20 through firewall to support ftp server, it is not honored, thus not allowing clients important ftp functionality.
Last modified: 2007-11-30 17:10:34 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Description of problem:
When using setup program to set service:protocol to be allowed through
the firewall on an FTP server (both wu-ftpd and vsftpd were tried),
the appropriate "accept" line shows up for port 20 (ftp-data) and its
associated protocol (i.e., tcp). However, the firewall does not
actually allow access to this port (as demonstrated by the inability
of a remote client machine to do directory lists/file transfers in ftp
nor telnet to port 20). The only way these services are available is
if the firewall is completely disabled.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. In setup (firewall configuration) allow ftp-data:tcp as special
service through the firewall and OK the change.
2. Setup FTPD server (e.g., vsftpd, wu-ftpd).
3. Attempt remote client ftp session. As part of session, try to
download a file or do an ls or directory (thus attempting ftp-data on
Actual Results: Received following message at FTP client.
"ftp: connect: No route to host"
Expected Results: Expected that the firewall would allow service
through and allow the directory listing or file transfer.
When the firewall is completely disabled (using the firewall
configuration in setup), the results in ftp are as expected.
You have to add ip_nat_ftp to IPTABLES_MODULES in
/etc/sysconfig/iptables-config or you have to use active ftp data
transfer mode in the ftp client.
Please have a look at the ftp man page.
I believe that should be the ip_conntrack_ftp module, if you're only
interested in connection tracking and not using NAT.
By the way, that's not in the ftp man page, nor is it in the vsftpd or
vsftpd.conf man pages. The only place I found this described was on
mailing list archives, after doing lots of web searches. This really
needs to be better documented.
Furthermore, when you select FTP as part of the firewall configuration
in the anaconda setup, it should add the appropriate module(s) to
IPTABLES_MODULES for you. (Likewise for other services requiring
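Added example, not from the bug report and not Red Hat's code: a small POSIX shell helper that inspects an iptables-config style file for the FTP connection-tracking helper named in the comments above (ip_conntrack_ftp, plus ip_nat_ftp only when the firewall also NATs the FTP traffic) and appends whatever is missing to IPTABLES_MODULES. The function names are assumptions for illustration, and the demo runs against a constructed temporary file rather than the real /etc/sysconfig/iptables-config.

```shell
#!/bin/sh
# Added example (not from the bug report): check and repair IPTABLES_MODULES in an
# /etc/sysconfig/iptables-config style file. Function names are assumed here.

# Modules needed for FTP through a stateful iptables firewall:
#   ip_conntrack_ftp - always (follows the PORT/PASV negotiation on the control channel)
#   ip_nat_ftp       - additionally, when the same box also NATs the FTP traffic
required_ftp_modules() {
    # $1 = "nat" when NAT is in use, anything else otherwise
    if [ "$1" = "nat" ]; then
        echo "ip_conntrack_ftp ip_nat_ftp"
    else
        echo "ip_conntrack_ftp"
    fi
}

# Print the space-separated module list configured in the file (empty if none).
configured_modules() {
    # Drop the key and '=', keep the last assignment, strip the quotes.
    sed -n 's/^IPTABLES_MODULES=//p' "$1" | tail -n 1 | tr -d '"'
}

# Print the required modules that are missing; return 1 if any are missing.
missing_ftp_modules() {
    # $1 = config file, $2 = "nat" or ""
    have=" $(configured_modules "$1") "
    missing=""
    for m in $(required_ftp_modules "$2"); do
        case "$have" in
            *" $m "*) ;;                       # already listed
            *) missing="$missing $m" ;;        # not listed yet
        esac
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    echo "$missing"
    return 1
}

# Append any missing modules to IPTABLES_MODULES (idempotent, no duplicates).
ensure_ftp_modules() {
    # $1 = config file, $2 = "nat" or ""
    missing=$(missing_ftp_modules "$1" "$2") && return 0
    current=$(configured_modules "$1")
    new=$(echo "$current $missing" | sed 's/^ *//')
    if grep -q '^IPTABLES_MODULES=' "$1"; then
        # Rewrite the existing assignment via a temp file (portable, no sed -i).
        sed "s/^IPTABLES_MODULES=.*/IPTABLES_MODULES=\"$new\"/" "$1" > "$1.tmp" \
            && mv "$1.tmp" "$1"
    else
        echo "IPTABLES_MODULES=\"$new\"" >> "$1"
    fi
}

# Demo on a constructed sample file, not the real /etc/sysconfig/iptables-config.
demo_ftp_modules() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample iptables-config' \
        'IPTABLES_MODULES="ip_conntrack_netbios_ns"' \
        'IPTABLES_MODULES_UNLOAD="yes"' > "$f"
    echo "before : $(configured_modules "$f")"
    echo "missing: $(missing_ftp_modules "$f" nat)"
    ensure_ftp_modules "$f" nat
    echo "after  : $(configured_modules "$f")"
    rm -f "$f"
}
demo_ftp_modules
```

The check is the useful part for a defender: an "accept" rule for port 20 cannot help in passive mode, because the data connection is opened to a high port negotiated inside the control channel, and only the conntrack helper sees that negotiation. After changing the file on a real system, the iptables service has to be restarted for the listed modules to be loaded.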