Bug 111228 - When trying to allow port 20 through firewall to support ftp server, it is not honored, thus not allowing clients important ftp functionality.
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables
Version: 1
Hardware: i586
OS: Linux
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact:
Keywords: Security
Depends On:
Reported: 2003-12-01 00:25 UTC by Joe Dumais
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2003-12-03 11:34:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Joe Dumais 2003-12-01 00:25:27 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)

Description of problem:
When using setup program to set service:protocol to be allowed through
the firewall on an FTP server (both wu-ftpd and vsftpd were tried),
the appropriate "accept" line shows up for port 20 (ftp-data) and its
associated protocol (i.e., tcp).  However, the firewall does not
actually allow access to this port (as demonstrated by the inability
of a remote client machine to do directory lists/file transfers in ftp
nor telnet to port 20).  The only way these services are available is
if the firewall is completely disabled.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. In setup (firewall configuration) allow ftp-data:tcp as special
service through the firewall and OK the change.
2. Setup FTPD server (e.g., vsftpd, wu-ftpd).
3. Attempt remote client ftp session.  As part of session, try to
download a file or do an ls or directory (thus attempting ftp-data on
port 20).

Actual Results:  Received following message at FTP client.
"ftp: connect: No route to host"

Expected Results:  Expected that the firewall would allow service
through and allow the directory listing or file transfer.

Additional info:

When the firewall is completely disabled (using the firewall
configuration in setup), the results in ftp are as expected.

Comment 1 Thomas Woerner 2003-12-03 11:34:28 UTC
You have to add ip_nat_ftp to IPTABLES_MODULES in
/etc/sysconfig/iptables-config or you have to use active ftp data
transfer mode in the ftp client.

Please have a look at the ftp man page.

Comment 2 Gilbert E. Detillieux 2004-06-03 13:17:26 UTC
I believe that should be the ip_conntrack_ftp module, if you're only
interested in connection tracking and not using NAT.

By the way, that's not in the ftp man page, nor is it in the vsftpd or
vsftpd.conf man pages.  The only place I found this described was on
mailing list archives, after doing lots of web searches.  This really
needs to be better documented.

Furthermore, when you select FTP as part of the firewall configuration
in the anaconda setup, it should add the appropriate module(s) to
IPTABLES_MODULES for you.  (Likewise for other services requiring
tracking modules.)
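To make the cause behind both comments concrete, here is an added example (it is not code from the bug report, from iptables or from Fedora) that parses the FTP control-channel messages which ip_conntrack_ftp / ip_nat_ftp have to read: the data endpoint is negotiated in-band, so in passive mode the server-side port is an ephemeral one and never 20, and in active mode the server connects out from port 20 rather than receiving a connection on it. The two messages are constructed samples.

```python
import re

# Constructed FTP control-channel messages (not taken from the bug report).
PASV_REPLY = b"227 Entering Passive Mode (192,0,2,10,195,80).\r\n"  # server -> client
PORT_COMMAND = b"PORT 198,51,100,7,4,1\r\n"                         # client -> server

_HOSTPORT = re.compile(rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_data_endpoint(line: bytes):
    """Return (mode, ip, port) announced on the control channel, or None.

    RFC 959 encodes the data endpoint as h1,h2,h3,h4,p1,p2 with
    port = p1*256 + p2.  This in-band negotiation is what the
    ip_conntrack_ftp / ip_nat_ftp helpers read so the kernel can expect
    the data connection; without them the firewall only sees an
    unrelated inbound SYN to a port no static rule mentions.
    """
    if line.startswith(b"227 "):
        mode = "passive"      # server listens on an ephemeral port
    elif line.upper().startswith(b"PORT "):
        mode = "active"       # client listens; server connects out from port 20
    else:
        return None
    m = _HOSTPORT.search(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None           # malformed octet or port byte
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return mode, ip, port


def server_inbound_port(line: bytes):
    """Port the server's firewall must accept inbound for the transfer,
    or None when the server opens the data connection itself.

    Passive: the client connects to the ephemeral port from the 227 reply.
    Active:  the server connects from its port 20 to the client's PORT
             endpoint; the return packets only need the usual
             ESTABLISHED rule, not an inbound ACCEPT for dport 20.
    Either way an inbound ACCEPT for tcp/20 (ftp-data) is not what
    carries the data, which is why the rule in the report had no effect.
    """
    parsed = parse_data_endpoint(line)
    if parsed is None:
        return None
    mode, _ip, port = parsed
    return port if mode == "passive" else None
```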
