Firewall config for Explicit FTP over TLS
Posted: Wed May 03, 2017 6:14 am
I'm a bit confused as usual, and was hoping I could get some pointers.
On Plesk 12.5/Onyx boxes under CentOS 7 with ASL, customers are unable to use Explicit FTP over TLS. They can connect OK, but the FTP client will then time out trying to get a directory listing.
The behaviour customers experience is similar to what you'd expect if the client was trying to use "Active" FTP as opposed to PASV mode with normal FTP (not TLS/SSL).
In contrast, Explicit mode works perfectly for me, the difference being that my IP is allowed to access all ports through the ASL firewall, while customers can only access the usual 21, 80 etc.
From this, I'm assuming it is a firewall issue. But port 21 is open, and as far as I'm aware that's all that's needed for incoming. Implicit mode needs 990 but this is Explicit. We don't firewall outgoing ports.
Any ideas?
One thing to note is that this is a Virtuozzo Container, and there can be differences with IPTables and stateful inspection, although I've never encountered any issues with this until now.
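Added example, not part of the original post: a small model of one thing to check for the symptom described, assuming the listing hang is the passive data connection being dropped. With plain FTP a connection-tracking FTP helper can read the server's 227/229 reply on port 21 and admit the data connection as RELATED; after AUTH TLS that reply is encrypted, so the data port needs its own rule. The sample replies, rule lists and passive range are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample replies (documentation address, illustrative ports).
SAMPLE_PASV = "227 Entering Passive Mode (192,0,2,10,195,149)"
SAMPLE_EPSV = "229 Entering Extended Passive Mode (|||50123|)"

# Constructed rule sets as (low, high) inbound TCP port ranges.
CUSTOMER_RULES = [(21, 21), (80, 80), (443, 443)]
PASSIVE_RANGE = (49152, 65534)  # assumption: must match the FTP server's configured range


def data_port(reply):
    """Return the TCP port the server tells the client to connect to."""
    m = re.match(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if m:
        p1, p2 = int(m.group(5)), int(m.group(6))
        if p1 > 255 or p2 > 255:
            raise ValueError("port octet out of range")
        return p1 * 256 + p2  # PASV encodes the port as two bytes
    m = re.match(r"229 .*?\((.)\1\1(\d+)\1\)", reply)
    if m:
        return int(m.group(2))  # EPSV carries the port as a decimal number
    raise ValueError("not a PASV/EPSV reply: %r" % reply)


def verdict(reply, tls_control, rules, ftp_helper=True):
    """Model how a stateful firewall treats the client's data connection."""
    port = data_port(reply)
    if any(lo <= port <= hi for lo, hi in rules):
        return port, "ACCEPT: explicit rule"
    if ftp_helper and not tls_control:
        return port, "ACCEPT: RELATED (helper read the cleartext reply)"
    return port, "DROP: no rule, and the reply was not readable on the wire"


if __name__ == "__main__":
    cases = [
        ("plain FTP, port 21 only", False, CUSTOMER_RULES),
        ("explicit TLS, port 21 only", True, CUSTOMER_RULES),
        ("explicit TLS, passive range opened", True, CUSTOMER_RULES + [PASSIVE_RANGE]),
    ]
    for label, tls, rules in cases:
        print(label, "->", verdict(SAMPLE_PASV, tls, rules))
```
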