[CentOS] vsftpd, passive xfer, and firewall

Maciej Żenczykowski maze at cela.pl
Thu Dec 29 22:16:10 UTC 2005


Well, autoloading ip_nat_ftp also loads ip_conntrack_ftp (since ip_nat_ftp 
requires it), which means the ftp connection tracker helper is loaded, which 
means ftp data connections will be considered RELATED connections by the 
netfilter stateful firewall.  Assuming you have a normal iptables setup of 
allowing RELATED and ESTABLISHED connections then it will 'just work'.

What will happen is the normal control connection to the FTP port will be 
allowed in by a normal
-A INPUT -p tcp --dport ftp -m state --state NEW -j ACCEPT
rule, and the resulting passive/active data connections will be let in 
automagically by being RELATED (as determined by the ip_conntrack_ftp 
kernel module) to the already ACCEPTED ftp control connection, and thus the
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
rule will let the connection through.

Please note that you only need ip_nat_ftp if you're doing NAT; if not, 
then you can replace ip_nat_ftp with ip_conntrack_ftp in my suggestion 
(which will save the kernel from having to load all NAT related 
netfilter stuff).

Please also note that allowing RELATED connections in through a firewall 
isn't quite perfectly secure but is (still) the standard way of doing 
things (without it is a good deal more trouble and IMHO usually not 
really quite worth the effort).

vsftpd should allow passive connections by default and port numbers are no 
longer important (the RELATED magic should take care of it).

Assuming your vsftpd server is already working that should be it...

Cheers,
MaZe.

On Thu, 29 Dec 2005, Andrew Rice wrote:

> what will that enable?
> high ports through the firewall for the ftp user?
>
> Andrew
>
>
> | Try adding ip_nat_ftp to the list of autoloaded modules
> |
> | # cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
> | IPTABLES_MODULES="ip_nat_ftp"
> |
> | And restarting the firewall
> | # /etc/init.d/iptables condrestart
> |
> | Cheers,
> | MaZe.
> |
> | On Thu, 29 Dec 2005, Andrew Rice wrote:
> |
> | >Hey there,
> | >
> | >Would anyone care to help me out on where to go for configuring vsftpd for
> | >passive ftp transfer?
> | >I'm pretty sure that I will have to enable a rule in the firewall..am I
> | >right?
> | >
> | >
> | >
> | _______________________________________________
> | CentOS mailing list
> | CentOS at centos.org
> | http://lists.centos.org/mailman/listinfo/centos
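To make the RELATED mechanism above concrete, here is an added Python model (not code from the list post or from the kernel) of what the ip_conntrack_ftp helper does: it watches the control channel for PORT commands and 227 PASV replies, records the data endpoint each one advertises, and a later SYN is RELATED only if it matches such a record. The address-match rule is this example's own hardening check, and the session lines and addresses are constructed.

```python
import re

# Constructed sample: one FTP session's control-channel lines, as the
# ip_conntrack_ftp helper would see them (client 192.168.1.10, server 203.0.113.5).
CLIENT_IP, SERVER_IP = "192.168.1.10", "203.0.113.5"
CONTROL_LINES = [
    "USER anonymous",
    "PORT 192,168,1,10,195,81",                        # active: server -> client
    "227 Entering Passive Mode (203,0,113,5,234,20)",  # passive: client -> server
    "227 Entering Passive Mode (198,51,100,9,4,1)",    # constructed: address is not the server
]

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def _decode(fields):
    """FTP encodes the endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = map(int, fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def expectation(line, client_ip, server_ip):
    """Return the data-connection expectation a line would create, or None.
    'src' is the side that will open the data connection, 'dst'/'dport' the
    advertised endpoint, 'peer' the control-connection party that should own it."""
    m = PORT_RE.match(line)
    if m:   # active mode: the server connects out to the client's advertised port
        dst, dport = _decode(m.groups())
        return {"mode": "active", "src": server_ip, "dst": dst, "dport": dport, "peer": client_ip}
    m = PASV_RE.match(line)
    if m:   # passive mode: the client connects to the server's advertised port
        dst, dport = _decode(m.groups())
        return {"mode": "passive", "src": client_ip, "dst": dst, "dport": dport, "peer": server_ip}
    return None

def address_matches_peer(exp):
    """Hardening check (this example's own): only trust an expectation whose
    advertised address is the control-connection peer itself."""
    return exp["dst"] == exp["peer"]

def trusted_expectations(lines, client_ip=CLIENT_IP, server_ip=SERVER_IP):
    exps = (expectation(line, client_ip, server_ip) for line in lines)
    return [e for e in exps if e is not None and address_matches_peer(e)]

def classify_syn(expectations, src, dst, dport):
    """Model the firewall decision on a new TCP SYN: RELATED (admitted by the
    ESTABLISHED,RELATED rule) only if an outstanding expectation matches it;
    anything else is NEW and needs its own ACCEPT rule, e.g. --dport ftp."""
    for e in expectations:
        if (e["src"], e["dst"], e["dport"]) == (src, dst, dport):
            return "RELATED"
    return "NEW"
```

The third 227 reply is dropped by the address check, so a SYN to 198.51.100.9:1025 is classified NEW rather than riding in as RELATED.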
