Firewall config for Explicit FTP over TLS

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Firewall config for Explicit FTP over TLS

Post by faris

I'm a bit confused as usual, and was hoping I could get some pointers.

On Plesk 12.5/Onyx boxes under CentOS 7 with ASL, customers are unable to use Explicit FTP over TLS. They can connect OK, but the FTP client will then time out trying to get a directory listing.

The behaviour customers experience is similar to what you'd expect if the client was trying to use "Active" FTP as opposed to PASV mode with normal FTP (not TLS/SSL).

In contrast, Explicit mode works perfectly for me, the difference being that my IP is allowed to access all ports through the ASL firewall, while customers can only access the usual 21, 80 etc.

From this, I'm assuming it is a firewall issue. But port 21 is open, and as far as I'm aware that's all that's needed for incoming. Implicit mode needs 990 but this is Explicit. We don't firewall outgoing ports.

Any ideas?

One thing to note is that this is a Virtuozzo Container, and there can be differences with IPTables and stateful inspection, although I've never encountered any issues with this until now.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Firewall config for Explicit FTP over TLS

Post by prupert

For passive FTP connections the server needs to open extra ports. This is normally done automatically on the fly by the ftp_conntrack firewall module. However, when FTP traffic is encrypted, it is impossible for the firewall to track the FTP connection. Thus, if you want to be able to use encrypted FTP with passive connections, you need to allow packets to the configured passive FTP ports beforehand.
Lemonbit Internet Dedicated Server Management
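To make the answer above concrete, here is an added example (not code from the thread or from ASL) that reads a ProFTPD-style `PassivePorts LOW HIGH` directive from a constructed config snippet, validates the range, and prints the plain iptables rules that must already be in place, because nf_conntrack_ftp cannot see the PASV reply inside a TLS session. The sample range 49152-49500 and the generic iptables/conntrack rule form are assumptions; the ASL firewall's own configuration tooling is not modelled.

```shell
#!/bin/sh
# Added example: derive the firewall rules an encrypted-FTP passive range needs.
# Assumes a ProFTPD-style "PassivePorts LOW HIGH" directive and a plain iptables
# filter table. The config text below is constructed so the script runs offline.

PROFTPD_CONF_SAMPLE='ServerName "ftp.example.invalid"
PassivePorts 49152 49500
TLSEngine on'

# Print "LOW HIGH" from the first PassivePorts directive in the config text.
passive_range() {
    printf '%s\n' "$1" | awk '$1 == "PassivePorts" { print $2, $3; exit }'
}

# Accept only numeric ports with 1024 <= LOW <= HIGH <= 65535.
valid_range() {
    low=$1; high=$2
    case "$low" in ''|*[!0-9]*) return 1 ;; esac
    case "$high" in ''|*[!0-9]*) return 1 ;; esac
    [ "$low" -ge 1024 ] && [ "$low" -le "$high" ] && [ "$high" -le 65535 ]
}

# Emit the rules that must exist before a TLS data channel can be opened:
# the control port and the whole passive range. With plain FTP the conntrack
# helper would add the data-port rule on the fly; with TLS it cannot read the
# PASV reply, so the range is opened explicitly up front.
ftp_tls_rules() {
    low=$1; high=$2
    valid_range "$low" "$high" || { echo "invalid passive range: $low-$high" >&2; return 1; }
    printf 'iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --dport %s:%s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$low" "$high"
}

# Usage: print the rules for the sample config (review before applying them).
set -- $(passive_range "$PROFTPD_CONF_SAMPLE")
ftp_tls_rules "$1" "$2"
```

The range printed here must match the one the FTP daemon actually uses; if the two drift apart, clients will see exactly the listing timeout described in the first post.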
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Firewall config for Explicit FTP over TLS

Post by faris

Aha. Makes sense. Thank you again!