Linode Forum
Linode Community Forums
Posted: Thu Dec 11, 2003 8:35 am
Senior Member, joined Wed Oct 29, 2003 12:27 pm, 50 posts
Hi all

I'm hoping someone can help me with the firewall settings on my Linode. I'm running Redhat 9 small. FTP is the standard vsftpd. I'm struggling to get the firewall settings right to allow a passive FTP connection. I'm setting things with lokkit which shows a character based 'graphical' UI. I assume this is just a friendly way of editing /etc/sysconfig/iptables. I haven't directly edited iptables yet but perhaps I need to.

In lokkit, I leave the security level 'high' and then go to 'Customize' and check the main protocols I want and add several more to the 'Other ports line'. I add pop3:tcp imap:tcp and a few others. The RH docs suggest that checking 'FTP' is enough to allow passive FTP but not Active. It seems to achieve the opposite for me. Active works fine. Passive works if I have 'No Firewall'.

I don't know much about it but I wonder if it's something to do with port 20. I have now added ftp-data:tcp to the 'Other Ports' but that hasn't helped. The client hangs when doing an ls after 'Entering Passive Mode' and then 'Connecting to' a five-digit port number.

The lines which I think are relevant in iptables are:

-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 20 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 21 --syn -j ACCEPT

If you're wondering why I'm even bothering with FTP rather than the more secure SFTP via SSH, it's because I have a few friends / customers who just need to upload html files and vsftpd allows me to easily define a fake root to keep them in their own area. I don't think I can do that effectively with ssh.

Thanks
Ross


Posted: Sun Dec 14, 2003 5:50 am
Senior Newbie, joined Sun Dec 14, 2003 5:36 am, 5 posts
Website: http://baruch.ev-en.org/
You need the ip_conntrack_ftp module and possibly the nat_conntrack_ftp module. I'm not sure about the exact names, but the components are conntrack and ftp.

Basically, FTP is a complicated protocol in the sense that it has two connections, one control and one data. And you need special logic to keep track of this and handle it, this is where the connection tracking modules come into play. Load them up and everything will work.


Posted: Sun Dec 14, 2003 9:49 am
Senior Member, joined Wed Oct 29, 2003 12:27 pm, 50 posts
Quote:
You need the ip_conntrack_ftp module and possibly the nat_conntrack_ftp module.

Thanks. Since I hadn't had a reply here, I posted the same thing to a newsgroup yesterday and someone said to just open all ports above 1023. I've done that and it seems to work. I don't know if there is a more secure way of doing it.

I'm a bit out of my depth when it comes to modules. I notice /proc/net/ip_conntrack exists so I guess I must have that module.

Ross


Posted: Sun Dec 14, 2003 11:01 am
Senior Newbie, joined Sun Dec 14, 2003 5:36 am, 5 posts
Website: http://baruch.ev-en.org/
Opening all ports above 1023 is the simple and insecure way to do it. It's not exactly equivalent to having no firewall but it's very close.

Connection tracking (and thus /proc/net/ip_conntrack) is on if you have a rule with state checks, the most common is a rule to check for ESTABLISHED and RELATED states (do iptables -nvL to see if you have such a rule).

Run: modprobe ip_conntrack_ftp
to load the FTP connection tracking module. And remove the rule to open all ports above 1023, this should make the firewall allow FTP connections and still keep you safe most of the time.

You may also want: modprobe ip_conntrack_irc
to enable IRC connections for DCC chats and file transfers.
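As an added example (my own, not code from this thread or from Red Hat's lokkit), the script below spells out the three firewall choices discussed above for a vsftpd server: the connection-tracking ruleset that admits passive data connections as RELATED, a fallback that pins vsftpd to a small passive range when the FTP helper cannot be loaded, and the "open everything above 1023" ruleset for contrast. It also decodes a 227 PASV reply to show why the data port looks unpredictable. The passive range (50000-50100) and the matching vsftpd.conf settings pasv_min_port/pasv_max_port are assumed values for the example; the `-m state --state` syntax is the 2.4-era form used in the thread (current kernels use `-m conntrack --ctstate` and name the helper nf_conntrack_ftp). Set IPTABLES=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: build an iptables ruleset that lets
# passive FTP data connections through without opening every port above 1023.
# Set IPTABLES=echo to print the commands instead of applying them (needs root).
# Rules are appended to INPUT and assume the chain's existing final DROP/REJECT
# stays in place below them.
IPTABLES="${IPTABLES:-iptables}"

# Assumed passive range, matching these (example) vsftpd.conf settings:
#   pasv_min_port=50000
#   pasv_max_port=50100
PASV_MIN="${PASV_MIN:-50000}"
PASV_MAX="${PASV_MAX:-50100}"

# Work out the data port a client will connect to from a server's 227 reply,
# e.g. "227 Entering Passive Mode (192,168,1,10,195,88)" -> 195*256 + 88 = 50008.
# This is why a port-21 rule alone is not enough: the data port is chosen per
# transfer and only appears inside the control-channel conversation.
pasv_port() {
    printf '%s\n' "$1" | tr -d '()' | awk -F, '{ printf "%d\n", $5 * 256 + $6 }'
}

# Preferred ruleset: rely on ip_conntrack_ftp. The helper watches port 21,
# reads the PASV reply, and marks the matching incoming data connection
# RELATED, so one state rule admits it and nothing else.
ftp_rules_conntrack() {
    "$IPTABLES" -A INPUT -p tcp --dport 21 --syn -j ACCEPT
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Fallback when the FTP helper cannot be loaded (as on the Linode in the
# thread): pin vsftpd to a small passive range and open only that range.
ftp_rules_fixed_range() {
    "$IPTABLES" -A INPUT -p tcp --dport 21 --syn -j ACCEPT
    "$IPTABLES" -A INPUT -p tcp --dport "$PASV_MIN:$PASV_MAX" --syn -j ACCEPT
}

# The newsgroup advice, shown for contrast: every unprivileged port becomes
# reachable for new connections, which is close to having no firewall.
ftp_rules_open_high_ports() {
    "$IPTABLES" -A INPUT -p tcp --dport 21 --syn -j ACCEPT
    "$IPTABLES" -A INPUT -p tcp --dport 1024:65535 --syn -j ACCEPT
}

# Count how many destination ports a ruleset exposes to new connections.
# Reads the rule text on stdin (use IPTABLES=echo) and sums each --dport range.
exposed_ports() {
    awk '
        /--syn/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") {
                split($(i+1), r, ":")
                total += (r[2] == "" ? 1 : r[2] - r[1] + 1)
            }
        }
        END { printf "%d\n", total }'
}

# Stand-alone usage: "sh ftp-rules.sh show" prints each ruleset and how many
# ports it opens to new connections (1, 102 and 64513 respectively).
if [ "${1:-}" = "show" ]; then
    IPTABLES=echo
    for f in ftp_rules_conntrack ftp_rules_fixed_range ftp_rules_open_high_ports; do
        echo "== $f =="
        $f
        echo "ports open to new connections: $($f | exposed_ports)"
    done
fi
```

The exposed-port count is the point of the comparison: the conntrack ruleset opens only port 21 to new connections and lets the kernel admit each data connection individually, the fixed range opens 102 ports, and the "above 1023" ruleset opens 64513. Whichever ruleset is applied, the RELATED match only works if the FTP helper is actually present in the kernel, which is exactly the uncertainty raised later in this thread.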


Posted: Sun Dec 14, 2003 11:38 am
Senior Member, joined Wed Oct 29, 2003 12:27 pm, 50 posts
Thanks again but modprobe ip_conntrack_ftp returns:

modprobe: Can't open dependencies file /lib/modules/2.4.23-linode16-6um/modules.dep (No such file or directory)

Isn't that because we can't load our own modules with Linode? I don't have any ESTABLISHED and RELATED rules.

Since the Linode is just a single (virtual) machine and I control what's listening and what's not then I wonder how important the firewall really is anyway.

Ross


Posted: Sun Dec 14, 2003 11:46 am
Senior Newbie, joined Sun Dec 14, 2003 5:36 am, 5 posts
Website: http://baruch.ev-en.org/
You can also try: insmod ip_conntrack_ftp
You might need to change into the modules directory, try: locate ip_conntrack_ftp
It is likely to be in: /lib/modules/2.4.23-linode16-6um/kernel/net/ipv4/netfilter/

I have no idea regarding the problem above, maybe running: depmod -a
will cure it. I don't have a linode to test it. (I do consider getting one once my current contract is finished - paid for a year in advance).

If you don't have an ESTABLISHED,RELATED rule, then connection tracking is not likely to work for you anyway.

If you have an iron grip on what is running and you made sure that all services you don't want accessed from outside are locked down, then you don't need a firewall. You can see what services are listening with: netstat -tul


Posted: Sun Dec 14, 2003 3:26 pm
Senior Member, joined Wed Oct 29, 2003 12:27 pm, 50 posts
A search for 'modprobe' on these forums shows that loadable modules are one of the very few things that can't be done with a Linode, so therefore that dependency file missing is normal. If modules were allowed then it would allow anyone to effectively run arbitrary code on the host o/s and create a big security problem.

I don't know enough to tell if ip_conntrack_ftp is compiled in and therefore doesn't need to be loaded or even if that is a meaningful question to ask.

Anyway, it doesn't look like I have much of a security issue even without a firewall.

Ross

