On Wed, Jan 12, 2005 at 09:49:01AM -0600, Rodolfo J. Paiz wrote:
> On Wed, 2005-01-12 at 15:45 +0100, Kyrre Ness Sjobak wrote:
> > Hmm... Just thought I should mention it, when I switched on "allow FTP"
> > on system-config-network on a fedora box a year ago, it did fail to open
> > ports for passive FTP...
> >
>
> I'm not aware of there being any need to open additional ports for
> passive FTP. What do you mean?

Passive FTP listens on random local ephemeral ports for data connections set up by the 21/tcp control stream. If you are not using a stateful firewall with an FTP helper, then you need to allow incoming TCP connections to whatever range your FTP server uses for passive FTP (defaults to the entire local port range).

This is why I have always set up my FTP server similar to this (older box using ipchains):

/etc/sysctl.conf:
net.ipv4.ip_local_port_range = 60000 65535

/etc/vsftpd.conf:
pasv_min_port=59000
pasv_max_port=59999

/etc/sysconfig/ipchains:
-A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 21:21 -p 6 -j ACCEPT
-A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 0:58999 -p 6 -l -j DENY
-A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 59000:59999 -p 6 -j ACCEPT
-A input -i eth0 -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 60000:65535 -p 6 -y -l -j DENY
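The arrangement in the message above (a fixed vsftpd passive port range, an ephemeral port range moved out of the way, and a firewall that admits only the control port and the passive range) is easy to get subtly wrong when the two ranges drift apart over time. The script below is an added example, not code from the thread: it reads the passive range from a vsftpd.conf and the ephemeral range from a sysctl.conf, refuses to proceed if they overlap or are out of bounds, and prints the iptables equivalent of the ipchains rules (iptables with the conntrack match and `--syn` is assumed as the modern stand-in for ipchains `-y`; the config fragments are constructed sample data written to a temporary directory).

```shell
#!/bin/sh
# Added example (not from the thread): derive a passive-FTP firewall allow-list
# from vsftpd.conf and check that it does not collide with the kernel's
# ephemeral port range, mirroring the setup described in the message above.

# Print "min max" from the pasv_min_port / pasv_max_port lines of a vsftpd.conf.
pasv_range_from_conf() {
    awk -F= '/^pasv_min_port=/ {mn=$2} /^pasv_max_port=/ {mx=$2} END {print mn, mx}' "$1"
}

# Print "lo hi" from the net.ipv4.ip_local_port_range line of a sysctl.conf.
ephemeral_range_from_conf() {
    sed -n 's/^net\.ipv4\.ip_local_port_range *= *\([0-9]*\) *\([0-9]*\).*/\1 \2/p' "$1"
}

# Succeed only if the passive range is sane and disjoint from the ephemeral range.
# Overlap means either the firewall exposes ephemeral ports or vsftpd hands out
# passive ports that the firewall blocks, so data connections fail at random.
check_pasv_range() {
    pmin=$1; pmax=$2; elo=$3; ehi=$4
    [ "$pmin" -ge 1024 ] && [ "$pmax" -le 65535 ] && [ "$pmin" -le "$pmax" ] || return 1
    [ "$elo" -le "$ehi" ] || return 1
    if [ "$pmax" -ge "$elo" ] && [ "$pmin" -le "$ehi" ]; then
        return 1   # ranges overlap
    fi
    return 0
}

# Emit iptables rules (assumed modern equivalent of the ipchains rules in the
# message): accept new connections to the control port and the passive range,
# then log and drop every other inbound TCP SYN on the interface.
gen_iptables_rules() {
    iface=$1; pmin=$2; pmax=$3
    printf 'iptables -A INPUT -i %s -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT\n' "$iface"
    printf 'iptables -A INPUT -i %s -p tcp --dport %s:%s -m conntrack --ctstate NEW -j ACCEPT\n' "$iface" "$pmin" "$pmax"
    printf 'iptables -A INPUT -i %s -p tcp --syn -j LOG --log-prefix "ftp-fw-deny: "\n' "$iface"
    printf 'iptables -A INPUT -i %s -p tcp --syn -j DROP\n' "$iface"
}

# Demo on constructed config fragments (sample data, not a real host's files).
demo_dir=$(mktemp -d)
cat > "$demo_dir/vsftpd.conf" <<'EOF'
listen=YES
pasv_enable=YES
pasv_min_port=59000
pasv_max_port=59999
EOF
cat > "$demo_dir/sysctl.conf" <<'EOF'
net.ipv4.ip_local_port_range = 60000 65535
EOF

set -- $(pasv_range_from_conf "$demo_dir/vsftpd.conf") $(ephemeral_range_from_conf "$demo_dir/sysctl.conf")
if check_pasv_range "$1" "$2" "$3" "$4"; then
    echo "# passive range $1-$2 is disjoint from ephemeral range $3-$4"
    gen_iptables_rules eth0 "$1" "$2"
else
    echo "# passive range $1-$2 overlaps ephemeral range $3-$4; fix vsftpd.conf or sysctl.conf" >&2
fi
rm -rf "$demo_dir"
```

The script only prints the rules; pipe its output into `sh` once you have read it and are satisfied with the interface name and ranges. The ipchains DENY on 60000:65535 in the message uses `-y` so that replies to outbound connections, which land on those ephemeral ports, are not blocked; `--syn` plays the same role here, and the conntrack `NEW` match keeps the two ACCEPT rules from matching anything but fresh connection attempts.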