On Sun, 2005-04-03 at 09:06, Justin Zygmont wrote:
> On Sun, 3 Apr 2005, Robert Slade wrote:
> 
> > On Sat, 2005-04-02 at 22:33, Justin Zygmont wrote:
> > > On Sat, 2 Apr 2005, Markku Kolkka wrote:
> > >
> > > > Justin Zygmont wrote in his message (sent Saturday, 2 April 2005 12:23):
> > > > > I know the problem is because of a nonexistent iptables rule, I'm
> > > > > just at a loss as to what the missing rules should look like.
> > > > > The only thing that is different in this case is that I need
> > > > > to use port 221 for FTP instead of 21,
> > > >
> > > > That's what breaks everything. The FTP control connection must be
> > > > on server port 21. Using a different port violates RFC 959 and
> > > > ip_conntrack_ftp doesn't watch any other port for FTP traffic.
> > >
> > > Are you sure ftp_conntrack is even needed? I thought that's usually used
> > > just for stateful routing through a server, and not to connect to one from
> > > the outside. Also when I shut iptables down, it works, I can get an FTP
> > > listing.
> >
> > Yes it does. ftp_conntrack etc. monitors the traffic on port 21 and
> > dynamically opens the higher-numbered (data) ports that the control on port 21
> > asks for. Turning off iptables just opens all the ports.
> >
> > If you are using vsftp, then you can set the ports used by passive FTP
> > and then open them in iptables, but this is a risk as they can be
> > abused. This may be possible with other FTP servers.
> 
> Then wouldn't this mean that FTP on regular port 21 would not work at all
> unless you had ftp_conntrack loaded? Because I've run FTP servers before
> without it, and it worked fine. Do you happen to remember this option in
> vsftpd? I don't recall seeing it.
> 
> Thanks for the replies everyone..

ip_tables will load the various modules too; it may be that ftp_conntrack etc. was loaded by iptables. ISTR that this is the default.

From man vsftp:

pasv_max_port
    The maximum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.
    Default: 0 (use any port)

pasv_min_port
    The minimum port to allocate for PASV style data connections. Can be used to specify a narrow port range to assist firewalling.
    Default: 0 (use any port)

Rob
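An added example, not code from the thread or from vsftpd: it reads pasv_min_port and pasv_max_port from a vsftpd.conf, refuses the default of 0 (use any port) because a firewall rule cannot follow that, and prints iptables rules that admit only control port 21 plus that data range. The sample config is constructed; the rules are printed, not applied, and they do open the whole range to new connections without ftp_conntrack's tracking, which is the risk Rob mentions.

```shell
#!/bin/sh
# Added example; the vsftpd.conf it reads is constructed below.

# pasv_range CONF  -> prints "MIN MAX", or returns 1 if the range is unusable
pasv_range() {
    conf="$1"
    # vsftpd syntax is key=value, one per line; the last setting wins
    min=$(sed -n 's/^pasv_min_port=\([0-9][0-9]*\)$/\1/p' "$conf" | tail -n 1)
    max=$(sed -n 's/^pasv_max_port=\([0-9][0-9]*\)$/\1/p' "$conf" | tail -n 1)
    # Missing or the default 0 (use any port): no narrow range, so refuse
    [ -n "$min" ] && [ -n "$max" ] || return 1
    [ "$min" -gt 0 ] && [ "$max" -gt 0 ] && [ "$min" -le "$max" ] || return 1
    # passive data ports should stay in the unprivileged range
    [ "$min" -ge 1024 ] && [ "$max" -le 65535 ] || return 1
    echo "$min $max"
}

# pasv_rules CONF  -> iptables commands for control port 21 and the data range
pasv_rules() {
    range=$(pasv_range "$1") || return 1
    set -- $range
    echo "iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $1:$2 -m state --state NEW -j ACCEPT"
}

# Demo with a constructed vsftpd.conf; nothing is applied to the live firewall
demo_conf=$(mktemp)
printf 'listen=YES\npasv_enable=YES\npasv_min_port=50000\npasv_max_port=50100\n' > "$demo_conf"
pasv_rules "$demo_conf" || echo "refusing: pasv range not narrowed in $demo_conf" >&2
rm -f "$demo_conf"
```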