Description of problem:
When trying to connect ftp I get these messages:

Slår upp 192.168.1.177
Trying with 192.168.1.177:21
connected to 192.168.1.177:21
220 ProFTPD 1.3.3e Server (ProFTPD Default Installation) [192.168.1.177]
USER jan
331 Password required for jan
PASS xxxx
230 User jan logged in
SYST
215 UNIX Type: L8
TYPE I
200 Type set to I
PWD
257 "/home/jan" is the current directory
reads in the directory /home/jan from server (LC_TIME=sv_SE.UTF-8)
PASV
227 Entering Passive Mode (192,168,1,177,215,73).
Can't create a connection: Connection timeout
Dissconnect from host 192.168.1.177

Version-Release number of selected component (if applicable):
proftpd 1.3.3e 2.mga1

Even when I change in Personal firewall to accept ftp I get the same result. When I choose All (no firewall) it is possible to connect through ftp.

How reproducible:

Steps to Reproduce:
1. Start gftp in computer 1
2. Try to connect to computer 2
3.
As indicated in /etc/proftpd.conf, you may need to define a range of PassivePorts and open that range in the firewall.
James Kerr: I tried that and it doesn't work. I tried the following:
PassivePorts 21 250
After that I stopped and restarted proftpd.
Result: the same as above
Component: Security => New RPM package request
Component: New RPM package request => RPM Packages
Please post the output of
grep -i passive /etc/proftpd.conf
cat /etc/shorewall/rules.drakx

Note that you have to be root to read the rules.drakx.
CC: (none) => davidwhodgins
In shorewall.conf replace line
MODULE_SUFFIX=ko
by
MODULE_SUFFIX=

This is a regression from 18th may 2010 when this bug was corrected: line 2164 in /usr/share/shorewall/Shorewall/Config.pm reads:
$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULE_SUFFIX};
CC: (none) => mace.christophe
Keywords: (none) => PATCH
Version: Cauldron => 1
Source RPM: (none) => shorewall
@ Jan Is this bug still valid? AFAIK, shorewall wasn't updated since the last time you commented, but I do have good hope that this got magically fixed by a different update :) The reason for this hope is, that I wasn't able to use telnet without disabling my firewall (opening ports didn't seem to work) in Mageia 1, and now it works fine with firewall enabled in MCC. cc'ing last committer of shorewall for Mga 1
CC: (none) => marja11, pterjan
Whiteboard: (none) => NEEDINFO
AFAIK, telnet does not use modules. Therefore, the way your bug was solved seems to me independent of this bug. As you mentioned, the package was not updated and I think the bug is still valid.
(In reply to comment #6)
> AFAIK, telnet does not use modules. Therefore, the way your bug was solved
> seems to me independent of this bug.
> As you mentioned, the package was not updated and I think the bug is still
> valid.

I feel a bit reluctant to ask anyone for help, when it is not certain the bug is still there, but I'll cc the last (cauldron) committers of shorewall without asking.
CC: (none) => mageia, thierry.vignaud
When I disable the firewall it's possible to use ftp to connect to the host. When firewall is enabled it is impossible to connect. But when I use ssh it is possible to connect. I'm using gftp to try this. I can't find any ftp-program to install, only lftp and sftp.

This was sent as a mail to Marja van Waes 20111224 and came in return so I answer this way

Merry Christmas
Jan Pihlgren
@ Jan

(In reply to comment #8)
>
> This was sent as a mail to Marja van Waes 20111224 and came in return so I
> answer this way

It is impossible to answer bugzilla mails, you can only answer by logging into Bugzilla and writing a new comment ;)

(In reply to comment #3)
> Please post the output of
> grep -i passive /etc/proftpd.conf
> cat /etc/shorewall/rules.drakx
>
> Note that you have to be root to read the rules.drakx.

Jan, can you please do this? It may not seem necessary, because Christophe said he found the cause of your problem in the next comment, but the more relevant information we give to who'll fix this bug, the nicer it'll be for him or her.

Did you try what Christophe suggested?
Here is the output of the commands:

[jan@humlan ~]$ grep -i passive /etc/proftpd.conf
# In some cases you have to specify passive ports range to by-pass
#PassivePorts 49152 65534

[root@humlan jan]# cat /etc/shorewall/rules.drakx
ACCEPT net fw tcp 22 -
[root@humlan jan]#

No, I haven't done anything with the firewall.
Uncomment the line PassivePorts in /etc/proftpd.conf

Change the rules.drakx to have
ACCEPT net fw tcp 22,49152:65534 -

Using passive mode requires a range of ports to be opened, so this has to be configured manually for those users who want to support it.
Where to change rules.drakx?
It can be done via the mcc gui, but it's probably easier to do it manually. I would use "urpmi mc && mc -e /etc/shorewall/rules.drakx", make the change, and then run "service network restart", all as root.
I edit the file /etc/firewall/rules.drakx manually. And then run "service network restart" as mentioned.
Using gFTP. I can use ftp to other linux (debian) host. But not to another mageia host. Maybe the firewall stops connection through ftp. It normally works with ssh.
Creating manually firewall rules is, IMO, a poor workaround of this bug.

As root, you can see if the netfilter modules for connection tracking are loaded:
[root@localhost ~]# lsmod | grep nf_conntrack

This command should reply many modules (for the different protocols that are tracked): ftp, h323, irc, sip, ...

If the modules are not loaded, netfilter can't track the ftp connections and you have to manually open a wide range of ports on your machine.

The reason shorewall can't load netfilter modules is that the default configuration file shorewall.conf does specify that the extension of kernel modules is '.ko' whereas Mageia modules are compiled compressed ('ko.gz').
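Added example, not part of the bug thread or of Shorewall's code: a shell sketch of the suffix lookup described in the comment above, showing why MODULE_SUFFIX=ko never matches a compressed nf_conntrack_ftp.ko.gz. The function names, the sample files and the assumption that a module is searched as <name>.<suffix> for each listed suffix are illustrative.

```shell
#!/bin/sh
# Added example. Assumption: a helper module is looked up as <module>.<suffix>
# for each suffix in MODULE_SUFFIX. All names and files here are constructed.

# Fallback list quoted in this thread from Shorewall/Config.pm.
DEFAULT_SUFFIXES='o gz ko o.gz ko.gz'

# Print the effective suffix list from a shorewall.conf-style file.
effective_suffixes() {
    val=$(sed -n 's/^MODULE_SUFFIX=//p' "$1" | tail -n 1 | tr -d '"'"'")
    [ -n "$val" ] && echo "$val" || echo "$DEFAULT_SUFFIXES"
}

# Return 0 if <dir>/<module>.<suffix> exists for any configured suffix.
module_findable() {
    conf=$1 dir=$2 module=$3
    for s in $(effective_suffixes "$conf"); do
        [ -f "$dir/$module.$s" ] && return 0
    done
    return 1
}

# Constructed sample tree: one compressed helper module and three configs.
make_sample() {
    d=$(mktemp -d)
    : > "$d/nf_conntrack_ftp.ko.gz"
    printf 'MODULE_SUFFIX=ko\n' > "$d/old.conf"
    printf 'MODULE_SUFFIX="ko ko.gz"\n' > "$d/fixed.conf"
    printf 'MODULE_SUFFIX=\n' > "$d/empty.conf"
    echo "$d"
}

sample=$(make_sample)
for c in old fixed empty; do
    if module_findable "$sample/$c.conf" "$sample" nf_conntrack_ftp; then
        echo "$c.conf: FTP conntrack helper file found"
    else
        echo "$c.conf: helper NOT found, passive FTP data connections stay untracked"
    fi
done
rm -rf "$sample"
```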
(In reply to comment #15)
> Creating manually firewall rules is, IMO, a poor workaround of this bug.

@ Christophe

The shorewall package should be patched, of course.

You really care, I like that :D

Please become a Mageia packager, we're very short on packagers and atm we don't even have a shorewall maintainer.

https://wiki.mageia.org/en/Becoming_a_Mageia_Packager
I updated our spec following Christophe's comments (thanks for your precise explanation).

@ Jan
please, could you verify that shorewall-4.4.23.1-3.mga2 in cauldron and shorewall-4.4.19.1-3.1.mga1 in mga 1 updates_testing fix this bug.

regards,
Luc
CC: (none) => lmenut
Hardware: i586 => All
Whiteboard: NEEDINFO => (none)
Whiteboard: (none) => NEEDINFO
Using 64 bit mageia 1
My version of shorewall is 4.4.19.1 3.mga1 noarch
I activated updates_testing but no package.

In Mageia 2 alfa 2 I have shorewall 4.4.23.1 2.mga2 running in VMware Workstation
I tested with gFTP and FTP and I succeeded to connect between 192.168.38.142 and 192.168.1.142 (same physical host)
But not between 192.168.38.142 and 192.168.1.91 (different physical hosts)
(In reply to comment #17)
> I updated our spec following Christophe's comments (thanks for your precise
> explanation).
>
> @ Jan
> please, could you verify that shorewall-4.4.23.1-3.mga2 in cauldron and
> shorewall-4.4.19.1-3.1.mga1 in mga 1 updates_testing fix this bug.
>
> regards,
> Luc

shorewall.conf is a configuration file. My machine says:
"attention: /etc/shorewall/shorewall.conf créé en tant que /etc/shorewall/shorewall.conf.rpmnew"

Therefore, I think a message after the update (based on the one displayed when the kernel is updated) could alert the user that, because of this bug correction, this particular line in the configuration file has to be updated (can be done with the diff tool that shows the differences between rpmnew file and original file).
(In reply to comment #17)
> I updated our spec following Christophe's comments (thanks for your precise
> explanation).
>
> @ Jan
> please, could you verify that shorewall-4.4.23.1-3.mga2 in cauldron and
> shorewall-4.4.19.1-3.1.mga1 in mga 1 updates_testing fix this bug.
>
> regards,
> Luc

Apparently the bug 1903 and bug 1147 appear to be related:

Since the srpm update package shorewall-4.4.19.1-3.1.mga1.src.rpm in Core_Updates_Testing everything is back to normal, the bug 1903 seems to be resolved.

To be really sure I continue testing.

https://bugs.mageia.org/show_bug.cgi?id=3980#c8
CC: (none) => geiger.david68210
Jan you need to take the version of the rpm. According to David and Christophe, the update fixes the issue, so let's go for the QA. Thanks.
Blocks: (none) => 1903
Assignee: bugsquad => qa-bugs
Summary: can't connect ftp through firewall => update candidate: shorewall (was: can't connect ftp through firewall)
Whiteboard: NEEDINFO => (none)
Well, I don't understand what to do. I have updated every time there come updates, the last just a couple of days ago.
Nothing changes.
My question is
Why will the SSH-protocol work but not FTP-protocol in the program gFTP?
The FTP-protocol works when connecting to webhotel but not between computers running Mageia 1.
So when I can solve my problem by using the SSH-protocol, the problem with FTP-protocol doesn't matter to me anymore.

Regards//
Jan P
*** Bug 1903 has been marked as a duplicate of this bug. ***
CC: (none) => Olivier_Blaziken
(In reply to comment #19)
[...]
>
> shorewall.conf is a configuration file. My machine says :
> "attention: /etc/shorewall/shorewall.conf créé en tant que
> /etc/shorewall/shorewall.conf.rpmnew"

this happens only on the systems where shorewall.conf has been edited, and modified.

> Therefore, I think a message after the update (based on the one displayed when
> the kernel is updated) could alert the user that, because of this bug
> correction, this particular line in the configuration file has to be updated
> (can be done with the diff tool that show the differences between rpmnew file
> and original file).

I'm reluctant to add such message, because
- it will be irrelevant for most of users (who haven't modified shorewall.conf, cf. above),
- the users who have modified shorewall.conf, know how to merge differences, and what they want to merge,
- mgaapplet already shows the diff between the installed file and the new file.

if needed, I can add a post-install script to change the line MODULE_SUFFIX=ko to its new value MODULE_SUFFIX="ko ko.gz".

@QA team, do you think it's needed?
(In reply to comment #22)
> Well, I don't understand what to do. I have update for evrytime ther come
> updates, the last just a couple of days.
> Nothing changes.
> My question is
> Why will th SSH-protocoll work but not FTP-protocol in the program gFTP?

there is probably a problem on your firewall's configuration.

please, could you post the output of:
grep -i MODULE_SUFFIX /etc/shorewall/shorewall.conf
cat /etc/shorewall/rules
cat /etc/shorewall/rules.drakx
(In reply to comment #25)
Here is the result:

[root@humlan]# grep -i MODULE_SUFFIX /etc/shorewall/shorewall.conf
MODULE_SUFFIX=ko

[root@humlan]# cat /etc/shorewall/rules
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
####################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
INCLUDE rules.drakx
#LAST LINE -- DO NOT REMOVE

[root@humlan]# cat /etc/shorewall/rules.drakx
ACCEPT net fw tcp 22,49152:65534 -
[root@humlan Dokument]#
CC: thierry.vignaud => (none)
(In reply to comment #26)
>
> [root@humlan]# grep -i MODULE_SUFFIX /etc/shorewall/shorewall.conf
> MODULE_SUFFIX=ko

it should be
MODULE_SUFFIX="ko ko.gz"

I've pushed on the build system 2 new packages (for mga1 and cauldron) with an additional fix in post-install that should fix MODULE_SUFFIX in case shorewall.conf was previously edited.

please could you test that MODULE_SUFFIX is fixed (MODULE_SUFFIX="ko ko.gz") after the install of
- shorewall-4.4.23.1-4.mga2 for cauldron
- shorewall-4.4.19.1-3.2.mga1 for mga 1
they should reach your mirror soon.

>
> [root@humlan]# cat /etc/shorewall/rules
> #

OK, no problem here

>
> [root@humlan]# cat /etc/shorewall/rules.drakx
> ACCEPT net fw tcp 22,49152:65534 -

ftp can't work with this rule; port 21 should be allowed, 49152:65534 are not needed (port 22 allows ssh/sftp).

with the following line in rules.drakx, and the updated packages, I hope that ftp will work for you too
ACCEPT net fw tcp 21,22 -

regards,
Luc
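Added example, not part of the thread: it decodes the PASV reply from the original report and checks the control and data ports against the two port lists discussed for rules.drakx. With 21,22 the data port stays closed in the static rules, so the transfer only works when the FTP conntrack helper is loaded and the data connection is accepted as related traffic. pasv_port and port_allowed are hypothetical helper names.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, inputs are taken from this thread.

# Extract the data port from "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# The port is p1 * 256 + p2. Returns 1 if the reply carries no such tuple.
pasv_port() {
    nums=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    p1=$(echo "$nums" | cut -d, -f5)
    p2=$(echo "$nums" | cut -d, -f6)
    [ -n "$p1" ] && [ -n "$p2" ] || return 1
    echo $((p1 * 256 + p2))
}

# Return 0 if <port> is covered by a port list such as "22,49152:65534",
# where a:b denotes an inclusive range.
port_allowed() {
    port=$1
    old_ifs=$IFS; IFS=,
    for item in $2; do
        lo=${item%%:*}; hi=${item##*:}
        if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
            IFS=$old_ifs; return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

reply='227 Entering Passive Mode (192,168,1,177,215,73).'  # from the report
data_port=$(pasv_port "$reply")
for ports in '22,49152:65534' '21,22'; do
    for p in 21 "$data_port"; do
        if port_allowed "$p" "$ports"; then state=open; else state=closed; fi
        echo "rule ports=$ports  tcp/$p: $state"
    done
done
```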
Tested the new update srpm shorewall-4.4.19.1-3.2.mga1.src.rpm on Mageia release 1 (Official) for x86_64, works fine for me.

# grep -i MODULE_SUFFIX /etc/shorewall/shorewall.conf
MODULE_SUFFIX="ko ko.gz"
-------------------------------------------------------------------------------
# cat /etc/shorewall/rules
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
####################################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
INCLUDE rules.drakx
#LAST LINE -- DO NOT REMOVE
--------------------------------------------------------------------------------
# cat /etc/shorewall/rules.drakx
ACCEPT net fw udp 53,111,2049,4002,4001,4003,4004,137,138,139,445,1024:1100,631,5353,427,5675,6891,6891:6895 -
ACCEPT net fw tcp 80,443,53,25,109,110,143,111,2049,4002,4001,4003,4004,137,138,139,445,1024:1100,631,5665,6881,6891:6895 -
-------------------------------------------------------------------------------

I think this update can be validated?
Source RPM: shorewall => shorewall-4.4.19.1-3.2.mga1.src.rpm
Validating the update.

Could someone from the sysadmin team push the srpm shorewall-4.4.19.1-3.2.mga1.src.rpm from Core Updates Testing to Core Updates.

Advisory: This bug fix update for shorewall corrects the configuration of MODULE_SUFFIX, in order to allow the loading of compressed kernel modules. This is required for proper connection tracking, for example, when running an ftp server supporting passive connections.

https://bugs.mageia.org/show_bug.cgi?id=1147
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
After installing shorewall 4.4.19.1 3.2.mga1 at 2012 jan 12 everything worked as expected, FTP-protocol works.
Thanks!