Here is the latest stuff? And to me, it looks like the ports 20 and 21 should be open, but nmapfe is showing that 20 is closed? The firewall zones public.xml seems to show it is opened, and the iptables-save output seems to show it should be opened? So not clear what is making it show up as closed?

Appears it only works if firewalld and iptables are turned off on both server machine and client machine? The nmapfe showing the data port as closed? Though the public.xml and iptables-save show it to be opened?

Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-08 15:32 ChST
NSE: Loaded 138 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:32
Completed NSE at 15:32, 0.00s elapsed
Initiating NSE at 15:32
Completed NSE at 15:32, 0.00s elapsed
Initiating ARP Ping Scan at 15:32
Scanning 192.168.7.218 [1 port]
Completed ARP Ping Scan at 15:32, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 15:32
Scanning d7r.guamcc.net (192.168.7.218) [1000 ports]
Discovered open port 21/tcp on 192.168.7.218
Discovered open port 22/tcp on 192.168.7.218
Completed SYN Stealth Scan at 15:32, 4.04s elapsed (1000 total ports)
Initiating Service scan at 15:32
Scanning 2 services on d7r.guamcc.net (192.168.7.218)
Completed Service scan at 15:32, 0.05s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against d7r.guamcc.net (192.168.7.218)
NSE: Script scanning 192.168.7.218.
Initiating NSE at 15:32
Completed NSE at 15:32, 1.34s elapsed
Initiating NSE at 15:32
Completed NSE at 15:32, 0.00s elapsed
Nmap scan report for d7r.guamcc.net (192.168.7.218)
Host is up (0.00021s latency).
Not shown: 976 filtered ports
PORT     STATE  SERVICE     VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp         vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: ERROR
22/tcp   open   ssh         OpenSSH 7.2 (protocol 2.0)
| ssh-hostkey:
|   2048 ef:3b:11:09:39:06:23:4d:df:aa:3a:e1:6d:e9:b9:84 (RSA)
|_  256 04:f2:0a:b8:6f:15:59:5b:8b:dc:d9:de:3c:2b:64:99 (ECDSA)
5900/tcp closed vnc
5901/tcp closed vnc-1
5902/tcp closed vnc-2
5903/tcp closed vnc-3
5904/tcp closed unknown
5906/tcp closed unknown
5907/tcp closed unknown
5910/tcp closed cm
5911/tcp closed cpdlc
5915/tcp closed unknown
5922/tcp closed unknown
5925/tcp closed unknown
5950/tcp closed unknown
5952/tcp closed unknown
5959/tcp closed unknown
5960/tcp closed unknown
5961/tcp closed unknown
5962/tcp closed unknown
5963/tcp closed indy
9000/tcp closed cslistener
9001/tcp closed tor-orport
MAC Address: 44:8A:5B:07:2A:82 (Micro-Star INT'L)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 - 4.1
Uptime guess: 0.004 days (since Thu Sep 8 15:27:31 2016)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Unix

TRACEROUTE
HOP RTT     ADDRESS
1   0.21 ms d7r.guamcc.net (192.168.7.218)

NSE: Script Post-scanning.

The public.xml file /etc/firewalld/zones

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="mdns"/>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="ftp"/>
  <service name="vnc-server"/>
  <port port="20" protocol="udp"/>
  <port port="9000" protocol="udp"/>
  <port port="9001" protocol="udp"/>
  <port port="21" protocol="tcp"/>
  <port port="5979" protocol="tcp"/>
  <port port="20" protocol="tcp"/>
  <port port="21" protocol="udp"/>
  <port port="9000" protocol="tcp"/>
  <port port="9001" protocol="tcp"/>
</zone>

The iptables-save

# Generated by iptables-save v1.4.21 on Thu Sep 8 15:38:32 2016
*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:304]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Sep 8 15:38:32 2016
# Generated by iptables-save v1.4.21 on Thu Sep 8 15:38:32 2016
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [4:304]
:OUTPUT_direct - [0:0]
:PREROUTING_direct - [0:0]
-A PREROUTING -j PREROUTING_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Sep 8 15:38:32 2016
# Generated by iptables-save v1.4.21 on Thu Sep 8 15:38:32 2016
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:304]
:POSTROUTING ACCEPT [4:304]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i enp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Sep 8 15:38:32 2016
# Generated by iptables-save v1.4.21 on Thu Sep 8 15:38:32 2016
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [4:304]
:POSTROUTING ACCEPT [4:304]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o enp2s0 -g POST_public
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -i enp2s0 -g PRE_public
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Sep 8 15:38:32 2016
# Generated by iptables-save v1.4.21 on Thu Sep 8 15:38:32 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [4:304]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i enp2s0 -g FWDI_public
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -o enp2s0 -g FWDO_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -i enp2s0 -g IN_public
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 20 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 9001 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5979 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 9000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 9001 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5900:5979 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Thu Sep 8 15:38:32 2016

On 7 Sep 2016 at 21:22, Mike Wright wrote:

Subject: Re: Issue with ftp making connection but not list?
To: Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx>
From: Mike Wright <nobody@xxxxxxxxxxxxxxxxxxxx>
Date sent: Wed, 7 Sep 2016 21:22:54 -0700
Send reply to: Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx>

> On 09/07/2016 08:26 PM, Michael D. Setzer II wrote:
> > On 7 Sep 2016 at 18:38, Mike Wright wrote:
> >
> >>>>>>> Did just notice if I do the traceroute with -I option it doesn't give the !X? Will
> have to look into the difference between with -I and without??
>
> traceroute -I says use ping to follow the connections.
>
> >>>>>>> Again, it was working 2 days ago, so I am thinking that a recent update
> >>>>>>> has done something??
>
> You might try comparing the output of d7t iptables-save and d7r
> iptables-save. I have a hunch that's where the problem is.
>
> >>>>>>> Not sure why the !X is occurring. These machines are on the same
> >>>>>>> 192.168.7.x network?
>
> The last rule on the INPUT chain is this:
>
> -A INPUT -j REJECT --reject-with icmp-host-prohibited
>
> If a packet makes it that far without having been handled by one of the
> other chains you WILL receive an icmp-host-prohibited notification.
>
> >>>>>>> Thanks.
>
> Happy to have helped.
> --
> users mailing list
> users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change subscription options:
> https://lists.fedoraproject.org/admin/lists/users@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org

+----------------------------------------------------------+
Michael D. Setzer II - Computer Science Instructor
Guam Community College Computer Center
mailto:mikes@xxxxxxxxxxxxxxxx
mailto:msetzerii@xxxxxxxxx
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/
+----------------------------------------------------------+

http://setiathome.berkeley.edu (Original)
Number of Seti Units Returned: 19,471
Processing time: 32 years, 290 days, 12 hours, 58 minutes
(Total Hours: 287,489)

BOINC@HOME CREDITS
ABC 16613838.513356 | EINSTEIN 111619174.788695
ROSETTA 48018352.619787 | SETI 91341742.472919
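
Added example, not part of the original post: a minimal Python walk of the filter-table rules quoted above, showing how the nmap states follow from them. A SYN the rules ACCEPT is reported open only when something listens on the port and closed otherwise, while a SYN that reaches the final REJECT is reported filtered. The rule excerpt is copied from the post; LISTENERS (21 and 22, the ports nmap showed open) and the function names are assumptions of this example.

```python
import shlex
# Filter-table rules excerpted from the iptables-save output in the post; the
# lo/virbr0 rules and the empty *_direct, *_log and *_deny chains are left out.
RULES = """\
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i enp2s0 -g IN_public
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 20 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 5900:5979 -m conntrack --ctstate NEW -j ACCEPT
"""
LISTENERS = {21, 22}  # assumption: only the services nmap reported as open

def parse(text):  # chain name -> list of {option: value} dicts, in rule order
    chains = {}
    for line in text.splitlines():
        tok = shlex.split(line)
        opts = {tok[i]: tok[i + 1] for i in range(2, len(tok) - 1) if tok[i][0] == "-"}
        chains.setdefault(tok[1], []).append(opts)
    return chains

def matches(rule, pkt):  # an option the rule does not set matches any packet
    lo, _, hi = rule.get("--dport", "0:65535").partition(":")
    return (rule.get("-p", pkt["proto"]) == pkt["proto"]
            and rule.get("-i", pkt["iface"]) == pkt["iface"]
            and pkt["state"] in rule.get("--ctstate", pkt["state"]).split(",")
            and int(lo) <= pkt["dport"] <= int(hi or lo))

def verdict(chains, chain, pkt):  # ACCEPT/DROP/REJECT, or None at end of chain
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            target = rule.get("-j") or rule.get("-g")
            if target not in chains:
                return target              # terminal target
            v = verdict(chains, target, pkt)
            if v or "-g" in rule:          # -g (goto) never resumes this chain
                return v
    return None

def nmap_state(dport, iface="enp2s0"):  # state a TCP SYN scan would report
    pkt = {"proto": "tcp", "iface": iface, "state": "NEW", "dport": dport}
    if verdict(parse(RULES), "INPUT", pkt) != "ACCEPT":
        return "filtered"                  # ICMP host-prohibited, or no reply
    return "open" if dport in LISTENERS else "closed"  # no listener: kernel RST
```

Calling nmap_state() for ports 20, 21, 5901 and 80 gives closed, open, closed and filtered, the same pattern as the scan report in the post.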