LinuxQuestions.org

Linux - Server: vsFTPd, firewall, and passive ports - A quick question (https://www.linuxquestions.org/questions/linux-server-73/vsftpd-firewall-and-passive-ports-a-quick-question-743925/)

ddc441 07-30-2009 10:08 AM

vsFTPd, firewall, and passive ports - A quick question
 
We have an Ubuntu 9.04 box that is operating as just an FTP server with vsFTPd.

UFW currently allows ports 20, 21, 22 (for ssh), denying all others. My question... do we need to set the firewall to allow all the ports in the passive port range for passive transfers?

It seems like a stupid question, but it appears that passive transfers work even with those ports not being explicitly open. Hence the confusion.

Thanks!

thinknix 07-30-2009 10:44 AM

Normally you would use the iptables FTP connection tracking module so you don't have to worry about opening high ports for the data channel. My guess is ufw is already using this module for you (you can check with lsmod). As an example, here is how you would allow inbound FTP without ufw. The high-port traffic gets accepted by the ESTABLISHED,RELATED rule.

Code:

# FTP conntrack helper; older kernels called it ip_conntrack_ftp
/sbin/modprobe nf_conntrack_ftp
# data connections are marked RELATED to the tracked port-21 control session
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT



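As an added example, not code from either poster, here is a small POSIX sh script that puts the reply above into practice and adds the two checks a practitioner usually wants. The first function prints the conntrack-based rule set; it uses the current `-m conntrack --ctstate` match and also binds the ftp helper explicitly with a raw-table `CT --helper` rule, because modern kernels no longer attach conntrack helpers to connections automatically (ufw itself loads `nf_conntrack_ftp` through `IPT_MODULES` in `/etc/default/ufw`, which is why the asker's passive transfers work without opening the range). The second part covers the case the helper cannot handle: once the control channel is TLS-encrypted (`ssl_enable=YES` in vsftpd.conf), the helper cannot read the PASV reply, so the passive range must be pinned with `pasv_min_port`/`pasv_max_port` and opened by hand. The vsftpd.conf contents used in the demo are constructed sample values, and the iptables commands are only printed unless you pipe them into `sh` as root.

```shell
#!/bin/sh
# Added example, not code from the thread. It assumes vsftpd's stock config
# keys (ssl_enable, pasv_min_port, pasv_max_port) and current iptables syntax.

# Print the firewall rules for an FTP server that leans on the conntrack
# helper instead of opening the passive range. Pipe into "sh" as root to apply.
ftp_rules() {
  cat <<'EOF'
modprobe nf_conntrack_ftp
# Modern kernels no longer attach helpers automatically; bind the ftp helper
# to control-channel traffic explicitly in the raw table.
iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
# Data connections are RELATED to the tracked port-21 session.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# True when the helper cannot do its job: with ssl_enable=YES the PASV reply
# travels inside TLS, so the passive range has to be opened by hand.
passive_range_needed() {
  grep -Eiq '^[[:space:]]*ssl_enable[[:space:]]*=[[:space:]]*YES' "$1"
}

# Print the ufw rule for the passive range from a vsftpd.conf, or nothing
# when the conntrack helper suffices. Fails if the range is not pinned.
passive_rule() {
  conf=$1
  passive_range_needed "$conf" || return 0
  min=$(sed -n 's/^[[:space:]]*pasv_min_port[[:space:]]*=[[:space:]]*//p' "$conf")
  max=$(sed -n 's/^[[:space:]]*pasv_max_port[[:space:]]*=[[:space:]]*//p' "$conf")
  if [ -z "$min" ] || [ -z "$max" ]; then
    echo "ssl_enable=YES but pasv_min_port/pasv_max_port not set" >&2
    return 1
  fi
  echo "ufw allow ${min}:${max}/tcp"
}

# Succeeds when the FTP helper shows up in lsmod output read from stdin
# (e.g. "lsmod | helper_loaded"); reads stdin so it can run on a captured sample.
helper_loaded() {
  grep -Eq '^(nf|ip)_conntrack_ftp[[:space:]]'
}

# Demo on a constructed vsftpd.conf (sample values, not a real server's).
demo_conf=$(mktemp)
printf 'listen=YES\nssl_enable=YES\npasv_enable=YES\npasv_min_port=40000\npasv_max_port=40100\n' > "$demo_conf"
echo "# conntrack-based rules:"
ftp_rules
echo "# extra rule needed for this (FTPS) config:"
passive_rule "$demo_conf"
rm -f "$demo_conf"
```

Run it as-is to see both outputs; `lsmod | helper_loaded && echo helper present` answers the "check with lsmod" suggestion from the reply, and on a plain-FTP box `passive_rule /etc/vsftpd.conf` prints nothing, confirming the helper alone is enough.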