Customer has problem doing FTP

Comments

6 comments

  • mtindor

    I think for active you need TCP 20/21 both open.   With Passive you only need TCP 21 open.   If it worked when you disable the firewall, it's likely because TCP 20 was then available as the data channel in active mode.

    The FTP client that your customer is using has to be VERY ancient.   Passive Mode has been supported for ages in just about everything that acts as an FTP client.  You really should think about just telling that client that they need to use a new FTP client.

    0
  • Benito

    Yes, don't even tell me. It is a Visual FoxPro library that does FTP on an old system. I try to support him but it seems impossible. I can't find a way to get it running without disabling the server's firewall.

    In CSF I have ports 20 and 21 open. In addition to the range for passive mode.

    0
  • mtindor

    TCP 21 is used in active connections for sending control data

    TCP 20 is used in active connections for sending the data (files)

    Are you sure you have 20 and 21 both listed in your TCP_IN line in CSF?   Did you restart CSF afterwards?

    If your customer still cannot achieve a connection at that point, I don't know what else to suggest.

    Mike

    0
  • Benito

    Yes, I understand that the problem should be on his side. What intrigues me is why it works when we deactivate CSF.

    Thanks

    0
  • Benito

    Hey! Have an update on this.

    I found that we are blocking our customer's FTP but I don't know why.

    Port 20 IN and OUT is opened in CSF.

    Jul 3 19:33:16 rivendell kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=SERVER_IP DST=FTPCLIENT_IP LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11004 DF PROTO=TCP SPT=20 DPT=60028 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0
    Jul 3 19:33:17 rivendell kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=SERVER_IP DST=FTPCLIENT_IP LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11005 DF PROTO=TCP SPT=20 DPT=60028 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0
    0
  • Benito

    I fixed this problem by adding this to /etc/csf/csf.allow:

    tcp|out|s=20|s=SERVER_IP # active ftp port

    Not sure if this will be insecure.

    0
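The blocked lines quoted in the thread show the active-mode FTP data channel: the server sends a SYN from source port 20 to a high port on the client. The following is an added example, not part of the original posts, that parses kernel firewall log lines in that format and counts such blocked connections per client; the function names are hypothetical, and the sample holds the two lines from the thread plus one constructed non-FTP line.

```python
import re
from collections import Counter

# Lines 1-2 are copied from the thread (placeholders kept as posted).
# Line 3 is constructed for contrast: a blocked outbound SMTP attempt.
SAMPLE_LOG = """\
Jul 3 19:33:16 rivendell kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=SERVER_IP DST=FTPCLIENT_IP LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11004 DF PROTO=TCP SPT=20 DPT=60028 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0
Jul 3 19:33:17 rivendell kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=SERVER_IP DST=FTPCLIENT_IP LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=11005 DF PROTO=TCP SPT=20 DPT=60028 WINDOW=29200 RES=0x00 SYN URGP=0 UID=0 GID=0
Jul 3 19:34:02 rivendell kernel: Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=SERVER_IP DST=MAIL_IP LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2211 DF PROTO=TCP SPT=45122 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1001 GID=1001
"""

# Matches the log prefix seen in the thread, e.g. "Firewall: *TCP_OUT Blocked*".
PREFIX_RE = re.compile(r"Firewall: \*(?P<chain>\w+) Blocked\*\s+(?P<rest>.*)$")


def parse_line(line):
    """Split one log line into KEY=VALUE fields plus a set of bare flags."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "flags": set()}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value          # e.g. SPT=20, or IN= with empty value
        else:
            fields["flags"].add(token)   # e.g. DF, SYN, ACK
    return fields


def is_active_ftp_data_block(f):
    """Outbound connection attempt (SYN without ACK) from source port 20."""
    return (f["chain"] == "TCP_OUT" and f.get("PROTO") == "TCP"
            and f.get("SPT") == "20"
            and "SYN" in f["flags"] and "ACK" not in f["flags"])


def blocked_active_ftp(log_text):
    """Count blocked active-FTP data connections per (client, client port)."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and is_active_ftp_data_block(f):
            hits[(f.get("DST"), f.get("DPT"))] += 1
    return hits


if __name__ == "__main__":
    for (dst, dpt), n in blocked_active_ftp(SAMPLE_LOG).items():
        print(f"{n} blocked active-FTP data SYN(s) to {dst}:{dpt}")
```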
