Troyston Campano wrote:
On my FC3 machine I run a FTP server (vsftpd). I also run a firewall
(iptables).
I add a rule to my /etc/sysconfig/iptables file:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
From my Windows box, I use WS_FTP to connect and all is well... except
for the speed of connection. When I turn the firewall off, I can connect
within milliseconds. However, when I turn the firewall on it can still
connect but it can take up to 20 seconds to make a connection and give
my directory listing.

It sounds like WS_FTP is initially trying passive-mode FTP, in which the
server tells the client a port number (not port 20 or 21) to use for the
data connection. This port number is unknown to your firewall, and it
does not allow the connection. The FTP client eventually times out and
tries active-mode FTP, in which the _server_ initiates the data
connection, and this works.
You need to install a connection tracking module that knows how to look
inside FTP control packets and find the port number to be used. Try
running this command (as root):
modprobe ip_conntrack_ftp
If that solves your problem, you can make the change permanent by
editing /etc/sysconfig/iptables-config. Near the top, you'll find
a line:
IPTABLES_MODULES=""
Change this to read:
IPTABLES_MODULES="ip_conntrack_ftp"
Now the needed module will be installed whenever the iptables
service is started.
There are other solutions:
a) Make your firewall REJECT, rather than DROP, the passive-mode
connection attempt. That way the client won't have to wait for
a timeout.
b) Tell your WS_FTP client to use only active-mode FTP, but that
can run into the same problem if you start running a firewall
on the client machine, or if the client tries to run an FTP
session through a NAT gateway.
The _right_ solution is to install the needed tracking module.
--
Bob Nichols rnichols42@xxxxxxxxxxx
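As an added illustration (not part of Bob's reply, and not code from vsftpd or the kernel's ip_conntrack_ftp), here is a small Python model of what the FTP tracking module does: it reads the server's 227 PASV reply on the control channel and marks the client's follow-up connection to the announced port as RELATED, so a rule accepting RELATED,ESTABLISHED lets it through; without the helper the same SYN is NEW on an unknown port and falls to the DROP tail, which is the timeout the poster sees. The server address, data port and the shape of the ruleset are constructed assumptions.

```python
import re

# RFC 959 passive-mode reply from the server on the control channel:
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed sample reply: server 192.168.1.10 announces data port 195*256+80.
SAMPLE_PASV = "227 Entering Passive Mode (192,168,1,10,195,80)"


def parse_pasv(reply: str):
    """Return (ip, port) announced in a 227 reply, or None if it is not one."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class FtpHelper:
    """Minimal stand-in for the conntrack FTP helper: watches control-channel
    replies and records which (ip, port) data connections to expect."""

    def __init__(self):
        self.expected = set()

    def observe_control(self, reply: str):
        parsed = parse_pasv(reply)
        if parsed:
            self.expected.add(parsed)

    def classify(self, dst_ip: str, dst_port: int) -> str:
        # A SYN to an announced data port is RELATED; anything else is NEW.
        return "RELATED" if (dst_ip, dst_port) in self.expected else "NEW"


def firewall_verdict(state: str, dst_port: int) -> str:
    """Mimic the poster's ruleset: NEW to port 21 accepted, RELATED/ESTABLISHED
    accepted (the standard RH-Firewall-1-INPUT rule), everything else dropped."""
    if dst_port == 21 and state == "NEW":
        return "ACCEPT"
    if state in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"
    return "DROP"


def passive_data_verdict(reply: str, helper_loaded: bool) -> str:
    """Verdict for the client's SYN to the PASV data port, with/without helper."""
    helper = FtpHelper()
    if helper_loaded:
        helper.observe_control(reply)
    ip, port = parse_pasv(reply)
    return firewall_verdict(helper.classify(ip, port), port)
```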