Re: Problem with firewalld/iptables and ftp access list?

[Ed Greshko <ed.greshko@xxxxxxxxxxx>]

On 10/02/16 19:48, Michael D. Setzer II wrote:

The modeprobe nf_conntrack_ftp doesn't output any messge or error? Not sure what it is suppose to output.

No, it probably won't.  Before issuing the modprobe, it would have been a good idea to use lsmod to see if it was already loaded.

FWIW, as I mentioned the module doesn't get loaded when initially making changes to the firewall with the GUI.  But you could use the GUI to reload and it does get loaded.  Once loaded, it stays loaded unless you issue an rmmod command and the module is not in use.

I did a test from a machine to the server running the vsftp server and using ncftp or ncftpls,  but in the past have also used ftp with the same results.

With the line disabled everything seems to work, but without it seems to fail, but in one section changed passive mode, back it seemed to continue??

These machines are in the same 192.168.7.x network connected to the same switch? All are running Fedora 24, upgraded via dnf from 23 over the summer. With the 23, never had any issues.

I fired up an F22 system and did an iptables-save and found it also has the line

-A INPUT -j REJECT --reject-with icmp-host-prohibited

That's about all I can say this my evening.  If I have time tomorrow I'll put up a vsftpd on a system and see if I can recreate the issue.

I have no idea why I'd suggest this, other than the active/passive comments you made, but I guess you can also try to open port 20 and with that line active in iptables see if the results are the same.

--
You're Welcome Zachary Quinto

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx