[CentOS] vsftpd, passive xfer, and firewall
Maciej Żenczykowski
maze at cela.pl
Thu Dec 29 22:16:10 UTC 2005
Well autoloading ip_nat_ftp, also loads ip_conntrack_ftp (since ip_nat_ftp
requires it) which means the ftp connection tracker helper is loaded which
means ftp data connections will be considered RELATED connections by the
netfilter stateful firewall. Assuming you have a normal iptables setup of
allowing RELATED and ESTABLISHED connections then it will 'just work'.
What will happen is the normal control connection to the FTP port will be
allowed in by a normal
-A INPUT -p tcp --dport ftp -m state --state NEW -j ACCEPT
rule, and the resulting passive/active data connections will be let in
automagically by being RELATED (as determined by the ip_conntrack_ftp
kernel module) to the already ACCEPTED ftp control connection, and thus
the
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
rule will let the connection through.
Please note, that you only need ip_nat_ftp if you're doing NAT, if not
then you can replace ip_nat_ftp with ip_conntrack_ftp in my suggestion
(which will save the kernel from having to load all NAT related
netfilter stuff).
Please also note that allowing RELATED connections in through a firewall
isn't quite perfectly secure but is (still) the standard way of doing
things (without it is a good deal more trouble and IMHO usually not
really quite worth the effort).
vsftpd should allow passive connections by default and port numbers are no
longer important (the RELATED magic should take care of it).
Assuming your vsftpd server is already working that should be it...
Cheers,
MaZe.
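The setup described in the reply above, as an added example that is not part of the original thread: a small POSIX shell script that picks the helper module (ip_nat_ftp only when the host also does NAT), emits the IPTABLES_MODULES line for /etc/sysconfig/iptables-config, generates the two filter rules the post relies on, and checks an lsmod-style listing for the helper. It only prints text and never touches the kernel. The "strict" variant is an addition of mine, not something the post suggests: it narrows the RELATED acceptance to connections the ftp helper itself expected (the xt_helper match) and, for kernels from 4.7 on, where conntrack helpers are no longer auto-assigned, adds the raw-table CT rule that binds the ftp helper to port 21. Module names, the interface name and the sample lsmod output are assumptions.

```shell
#!/bin/sh
# Added example (not code from the original thread). Turns the advice in the
# reply into functions: choose the conntrack helper module, print the matching
# IPTABLES_MODULES line, generate the filter rules, and check lsmod output.

# Which module to autoload. ip_nat_ftp drags in ip_conntrack_ftp, so it is only
# needed when the host also does NAT; otherwise the plain helper is enough.
ftp_module() {
    case "$1" in
        nat) echo ip_nat_ftp ;;
        *)   echo ip_conntrack_ftp ;;
    esac
}

# Line for /etc/sysconfig/iptables-config (the file quoted in the thread).
iptables_config_line() {
    printf 'IPTABLES_MODULES="%s"\n' "$(ftp_module "$1")"
}

# Filter rules in the thread's "-m state" syntax, in iptables-restore format.
# With "strict" as $1, RELATED is accepted only when the ftp helper expected
# the connection (xt_helper match), so no other helper can open a hole; ICMP
# errors, which are also RELATED, keep their own accept rule.
ftp_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    if [ "$1" = strict ]; then
        echo '-A INPUT -m state --state ESTABLISHED -j ACCEPT'
        echo '-A INPUT -m state --state RELATED -m helper --helper ftp -j ACCEPT'
        echo '-A INPUT -p icmp -m state --state RELATED -j ACCEPT'
    else
        echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    fi
    echo '-A INPUT -p tcp --dport ftp -m state --state NEW -j ACCEPT'
    echo 'COMMIT'
}

# Raw-table rule for kernels >= 4.7: helpers are not attached to flows
# automatically any more, so the ftp helper must be assigned explicitly.
# Assumed port 21; adjust if vsftpd listens elsewhere.
ct_helper_rules() {
    echo '*raw'
    echo '-A PREROUTING -p tcp --dport 21 -j CT --helper ftp'
    echo 'COMMIT'
}

# Read an lsmod-style listing on stdin; succeed if the ftp helper is listed
# under its 2.6-era name (ip_conntrack_ftp, as in the thread) or the later
# nf_conntrack_ftp.
ftp_helper_loaded() {
    grep -Eq '^(ip|nf)_conntrack_ftp[[:space:]]'
}

# Constructed lsmod output for the self-check below (not real captured data).
SAMPLE_LSMOD='Module                  Size  Used by
ip_nat_ftp              3328  0
ip_conntrack_ftp        7056  1 ip_nat_ftp
ip_conntrack           52000  2 ip_nat_ftp,ip_conntrack_ftp'

# Stand-alone run: config line and strict ruleset for a host without NAT.
iptables_config_line ""
ct_helper_rules
ftp_ruleset strict
printf '%s\n' "$SAMPLE_LSMOD" | ftp_helper_loaded && echo "ftp helper loaded"
```

The generated text can be fed to iptables-restore; the ordering matters, since the ESTABLISHED/RELATED accept must come before the default DROP policy takes effect and the NEW rule for port 21 is what lets the control connection in at all. The strict variant is the practical answer to the post's remark that accepting all RELATED traffic is not perfectly secure: with the helper match, only data connections the ftp helper saw announced on an accepted control connection get through.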
On Thu, 29 Dec 2005, Andrew Rice wrote:
> what will that enable?
> high ports through the firewall for the ftp user?
>
> Andrew
>
>
> | Try adding ip_nat_ftp to the list of autoloaded modules
> |
> | # cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
> | IPTABLES_MODULES="ip_nat_ftp"
> |
> | And restarting the firewall
> | # /etc/init.d/iptables condrestart
> |
> | Cheers,
> | MaZe.
> |
> | On Thu, 29 Dec 2005, Andrew Rice wrote:
> |
> | >Hey there,
> | >
> | >Would anyone care to help me out on where to go for configuring vsftpd for
> | >passive ftp transfer?
> | >im pretty sure that I will have to enable a rule in the firewall..am I
> | >right?
> | >
> | >
> | >
> | _______________________________________________
> | CentOS mailing list
> | CentOS at centos.org
> | http://lists.centos.org/mailman/listinfo/centos
>