Firewall config for Explicit FTP over TLS

Posted: Wed May 03, 2017 6:14 am
by faris
I'm a bit confused as usual, and was hoping I could get some pointers.

On Plesk 12.5/Onyx boxes under CentOS 7 with ASL, customers are unable to use Explicit FTP over TLS. They can connect OK, but the FTP client will then time out trying to get a directory listing.

The behaviour customers experience is similar to what you'd expect if the client was trying to use "Active" FTP as opposed to PASV mode with normal FTP (not TLS/SSL).

In contrast, Explicit mode works perfectly for me, the difference being that my IP is allowed to access all ports through the ASL firewall, while customers can only access the usual 21, 80 etc.

From this, I'm assuming it is a firewall issue. But port 21 is open, and as far as I'm aware that's all that's needed for incoming. Implicit mode needs 990 but this is Explicit. We don't firewall outgoing ports.

Any ideas?

One thing to note is that this is a Virtuozzo Container, and there can be differences with IPTables and stateful inspection, although I've never encountered any issues with this until now.

Re: Firewall config for Explicit FTP over TLS

Posted: Fri May 05, 2017 9:59 am
by prupert
For passive FTP connections the server needs to open extra ports. This is normally done automatically on the fly by the ftp_conntrack firewall module. However, when FTP traffic is encrypted, it is impossible for the firewall to track the FTP connection. Thus, if you want to be able to use encrypted FTP with passive connections, you need to allow packets to the configured passive FTP ports beforehand.
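The check a practitioner would want after reading this reply is whether the firewall's accepted inbound TCP ranges actually cover the passive port range the FTP daemon is configured with, since with TLS on the control channel the `nf_conntrack_ftp` helper cannot read the PASV reply and open the data port on the fly. The script below is an added example, not code from the thread or from ASL/Plesk; it assumes a ProFTPD-style `PassivePorts` directive (the FTP server Plesk ships) and an `iptables-save`-style rule dump, both of which are constructed samples here, and the `check_passive_ports` function and its output format are my own.

```python
import re

# Constructed ProFTPD config fragment (not taken from the thread).
PROFTPD_CONF = """
ServerName "ftp.example.test"
TLSEngine on
TLSRequired off
PassivePorts 49152 65534
"""

# Constructed iptables-save style dump, the 'before' state: only port 21 is open,
# so encrypted passive data connections hit the default DROP policy.
IPTABLES_BEFORE = """
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
"""

# Same dump with the passive range opened beforehand, as the reply recommends.
IPTABLES_AFTER = IPTABLES_BEFORE.replace(
    "COMMIT", "-A INPUT -p tcp -m tcp --dport 49152:65534 -j ACCEPT\nCOMMIT")


def passive_range(conf):
    """Return (low, high) from a PassivePorts directive, or None if unset."""
    m = re.search(r"^\s*PassivePorts\s+(\d+)\s+(\d+)", conf, re.M)
    return (int(m.group(1)), int(m.group(2))) if m else None


def accepted_tcp_ranges(dump):
    """Collect inbound TCP destination port ranges that end in ACCEPT."""
    ranges = []
    for line in dump.splitlines():
        if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
            continue
        if "-p tcp" not in line:
            continue
        # Single --dport N or --dport N:M
        for lo, hi in re.findall(r"--dport (\d+)(?::(\d+))?", line):
            ranges.append((int(lo), int(hi or lo)))
        # multiport --dports a,b:c,...
        for spec in re.findall(r"--dports ([\d:,]+)", line):
            for part in spec.split(","):
                lo, _, hi = part.partition(":")
                ranges.append((int(lo), int(hi or lo)))
    return ranges


def range_covered(lo, hi, ranges):
    """True if every port in [lo, hi] lies inside the union of ranges."""
    cur = lo
    for a, b in sorted(ranges):
        if a > cur:
            break  # gap before the next accepted range
        if b >= cur:
            cur = b + 1
        if cur > hi:
            return True
    return cur > hi


def check_passive_ports(conf, dump):
    """Compare the daemon's passive range with the firewall's accepted ranges.

    Returns a dict with the passive range, whether it is fully open, and
    the rule that would close the gap (hypothetical output format)."""
    pr = passive_range(conf)
    if pr is None:
        return {"passive": None, "covered": False,
                "missing_rule": "set PassivePorts first"}
    lo, hi = pr
    covered = range_covered(lo, hi, accepted_tcp_ranges(dump))
    rule = None if covered else (
        "-A INPUT -p tcp -m tcp --dport %d:%d -j ACCEPT" % (lo, hi))
    return {"passive": pr, "covered": covered, "missing_rule": rule}


if __name__ == "__main__":
    for label, dump in (("before", IPTABLES_BEFORE), ("after", IPTABLES_AFTER)):
        print(label, check_passive_ports(PROFTPD_CONF, dump))
```

Run it against the real `/etc/proftpd.conf` and the output of `iptables-save` on the box; if `covered` is False, add the equivalent of `missing_rule` through whatever manages the firewall (ASL's own configuration rather than raw iptables, so it survives a rule reload). The `RELATED,ESTABLISHED` rule stays in place for plain FTP, where the conntrack helper still works; the static range is only needed because TLS hides the PASV exchange from it.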

Re: Firewall config for Explicit FTP over TLS

Posted: Fri May 05, 2017 12:53 pm
by faris
Aha. Makes sense. Thank you again!