[CentOS] FirewallD and FTP passive mode

Steve Clark steve.clark at netwolves.com
Fri May 6 12:18:10 UTC 2016


On 05/05/2016 09:15 AM, Marcin Trendota wrote:
> Howdy
>
> I'm trying to run an FTP server behind a firewall, and I can't enable passive
> mode from the Internet. There are plenty of howtos, but there aren't many
> with my combination.
>
> For now I have configured port forwarding and the FTP server itself.
>
> On the router:
> # firewall-cmd --list-all --zone=external
> external (active)
>    interfaces: enp3s1
>    sources:
>    services: openvpn ssh
>    ports: 1194/tcp 2666/tcp 88/tcp
>    masquerade: yes
>    forward-ports: port=21:proto=tcp:toport=:toaddr=10.0.32.7
>          port=10090-10100:proto=tcp:toport=:toaddr=10.0.32.7
>          port=88:proto=tcp:toport=80:toaddr=10.0.32.23
>    icmp-blocks:
>    rich rules:
>
> I also did:
> # modprobe ip_conntrack_ftp ports=10090,10100
>
>
> Excerpt from vsftpd.conf on the FTP server:
> pasv_enable=Yes
> pasv_min_port=10090
> pasv_max_port=10100
> pasv_addr_resolve=Yes
Do you have pasv_addr set to the hostname of the server?
pasv_address
               Use this option to override the IP address that vsftpd will advertise in response to
               the PASV command. Provide a numeric IP address, unless pasv_addr_resolve is enabled,
               in which case you can provide a hostname which will be DNS resolved for you at
               startup.

               Default: (none - the address is taken from the incoming connected socket)

> From LAN or through VPN it works. But on the public address I can only
> log in; I cannot switch to passive mode:
>
> Connected to ftp1.domain.com (xxx.xxx.xxx.xxx).
> 220 (vsFTPd 2.2.2)
> Name (ftp1.domain.com:root): user
> 331 Please specify the password.
> Password:
> 230 Login successful.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> ls
> 227 Entering Passive Mode (10,0,32,7,39,111).
> ftp: connect: Connection timed out
>
> Also this IP looks weird - shouldn't it be the public IP?
>
> What am I doing wrong?
> TIA.
>


-- 
Stephen Clark
*NetWolves Managed Services, LLC.*
Director of Technology
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.clark at netwolves.com
http://www.netwolves.com
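As an added example (not from the thread or from vsftpd), a small Python check that decodes the 227 reply quoted above and flags the two conditions under discussion: a private address advertised to a client that connected over a public address, and a data port outside the forwarded PASV range. The public address 203.0.113.10 stands in for the masked xxx.xxx.xxx.xxx and is a constructed placeholder.

```python
import ipaddress
import re

# Constructed sample: the 227 reply quoted in the thread, the PASV range from the
# poster's vsftpd.conf, and an assumed public address for ftp1.domain.com
# (203.0.113.10 is a TEST-NET-3 placeholder, not the poster's real address).
SAMPLE_REPLY = "227 Entering Passive Mode (10,0,32,7,39,111)."
PASV_RANGE = (10090, 10100)
CONTROL_PEER = "203.0.113.10"

# RFC 959: 227 <text> (h1,h2,h3,h4,p1,p2) where the data port is p1*256+p2
PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv(reply):
    """Decode a 227 PASV reply into (ipaddress object, data port)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a valid 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(x > 255 for x in fields):
        raise ValueError("field out of range in %r" % reply)
    addr = ipaddress.ip_address("%d.%d.%d.%d" % tuple(fields[:4]))
    port = fields[4] * 256 + fields[5]
    return addr, port


def diagnose(reply, control_peer, pasv_range):
    """Return the problems a remote client would hit when it tries to open
    the data connection advertised in `reply`."""
    addr, port = parse_pasv(reply)
    peer = ipaddress.ip_address(control_peer)
    problems = []
    if addr.is_private and not peer.is_private:
        # The NAT did not rewrite the reply: the server advertised its LAN
        # address to a client outside the LAN (what the thread shows).
        problems.append("advertised %s is private but the control connection "
                        "came from public %s" % (addr, peer))
    elif addr != peer:
        problems.append("advertised %s differs from control peer %s" % (addr, peer))
    lo, hi = pasv_range
    if not lo <= port <= hi:
        problems.append("data port %d is outside forwarded range %d-%d" % (port, lo, hi))
    return problems


if __name__ == "__main__":
    for p in diagnose(SAMPLE_REPLY, CONTROL_PEER, PASV_RANGE):
        print("PROBLEM:", p)
```

With the sample reply the check reports the private 10.0.32.7 being advertised; the decoded port 10095 is inside the forwarded 10090-10100 range, so the address, not the port, is what blocks the client.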