Can't connect to FTP when CSF is enabled, but FTP ports are open
Does anyone know about this issue please...
I have enabled ports 20 and 21 in csf.conf for TCP IN and OUT and UDP IN and OUT.
BUT using my FTP client just fails. If I turn off CSF it connects fine.
So it's got to be a CSF issue but the ports are open.
Some help online states using passive and setting PassivePorts in proftpd.conf but that does not work either, and I don't see why I need to use passive; it won't work with or without passive.
Thanks
I have this: LF_DISTFTP = "0"
Also I have this: CT_LIMIT = "0"
These are the logs in messages from my IP:
Oct 29 13:36:47 ss1 proftpd[8218]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session opened.
Oct 29 13:37:28 ss1 proftpd[8218]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session closed.
Oct 29 13:38:30 ss1 proftpd[8584]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session opened.
Oct 29 13:39:18 ss1 proftpd[8584]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session closed.
Oct 29 13:39:35 ss1 proftpd[8658]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session opened.
Oct 29 13:40:26 ss1 proftpd[8658]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session closed.
Oct 29 14:08:37 ss1 proftpd[15355]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session opened.
Oct 29 14:09:18 ss1 proftpd[15355]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session closed.
Oct 29 14:17:25 ss1 proftpd[18545]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session opened.
Oct 29 14:18:01 ss1 proftpd[18626]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session opened.
Oct 29 14:18:09 ss1 proftpd[18545]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session closed.
Oct 29 14:21:32 ss1 proftpd[18626]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session closed.
Oct 29 14:42:07 ss1 proftpd[26725]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session opened.
Oct 29 14:47:07 ss1 proftpd[26725]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - Login timeout exceeded, disconnected
Oct 29 14:47:07 ss1 proftpd[26725]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session closed.
Looks like it's getting in but not getting a return response.
Be sure you have an ESTABLISHED/RELATED line in the firewall. CSF includes it normally but could have been turned off by mistake.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
If that doesn't do it, check /etc/proftpd.conf for the passive ports it's using and open those on the 'out' or possibly 'in and out'. Try the minimum first.
Yeah, got this:
ACCEPT all opt -- in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all opt -- in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED
ACCEPT all opt in !lo out * ::/0 -> ::/0 state RELATED,ESTABLISHED
ACCEPT all opt in * out !lo ::/0 -> ::/0 state RELATED,ESTABLISHED
There are no passive ports in proftpd.conf, but if I add them in as per other threads (e.g. PassivePorts 30000 35000) and open those in CSF, it still does not work, whether I set my client to use passive or not.
Maybe there is some other strange issue going on... I added the IP I can't connect from to the allow list in csf but still could not connect. But if I disable CSF it works.
So it must be a CSF thing, but it's ignoring the allow IP also. So some other block for FTP going on?
Can't think of anything else that would cause it but obviously CSF is blocking something.
Is this machine you're connecting to NAT'd at all? Or does it have public ip?
https://duckduckgo.com/html?q=csf%20manual%20ftp%20ports
probably in tcp (in,out) / udp section the ports..... ;)
Or you still have another kind of firewall active.
I have opened ports 20 and 21 in csf for TCP IN and OUT and UDP IN and OUT. I also tried adding passive ports. It works when CSF is disabled so no other firewall is blocking it.
@scotwnw just a public IP I think. I am connecting through my mobile phone wifi hotspot (because my main network is in the allowed list, which I have to have or I won't be able to access the server), but was notified of this issue by a customer who can't connect either.
IPv4 IPv6 native IPv4 IPv6 or a CGNAT ipv4 could give other results needed settings in firewalls only guess...
Maybe check and log ftp access with csf firewall if you can see ip's that system ... ports I don't know if you see there...
If you're still having issues...
https://www.virtualmin.com/node/33537 suggests trying another ftp client.
http://www.proftpd.org/docs/howto/Debugging.html suggests enable debugging.
set up a 2nd vanilla server and see if you have the same issues as on problem server.
make copies of your csf.conf files, then copy the "newly installed" conf over to problem server and see if you have the same issues.
(also note that in /etc/proftpd/conf.d/virtualmin.conf port 2222 is also enabled by default)
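
The passive-port advice in this thread only helps if the range set with PassivePorts in proftpd.conf is the same range that is opened in csf.conf. The shell check below is an added example, not code from any poster or from the CSF or ProFTPD projects; the function names and the sample config contents are constructed, and it assumes CSF's TCP_IN list syntax (comma separated, ranges written low:high).

```shell
#!/bin/sh
# Added example: is proftpd's PassivePorts range covered by CSF's TCP_IN list?

# Print "MIN MAX" from the PassivePorts directive; prints nothing if unset.
passive_range() {
    awk 'tolower($1) == "passiveports" && NF >= 3 { print $2, $3; exit }' "$1"
}

# Print the quoted value of TCP_IN from a csf.conf file.
csf_tcp_in() {
    sed -n 's/^[[:space:]]*TCP_IN[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed if MIN..MAX ($1..$2) lies inside a single entry of port list $3.
# A range split across two adjacent entries is reported as not covered.
range_allowed() {
    for entry in $(printf '%s' "$3" | tr ',' ' '); do
        lo=${entry%%:*}; hi=${entry##*:}
        [ "$lo" -le "$1" ] 2>/dev/null && [ "$hi" -ge "$2" ] 2>/dev/null && return 0
    done
    return 1
}

# Usage: check_ftp_passive PROFTPD_CONF CSF_CONF
# Prints one of: no-passiveports, open, blocked.
check_ftp_passive() {
    range=$(passive_range "$1")
    # Without PassivePorts the server picks an arbitrary unprivileged port
    # for each data connection, so no fixed range can be opened for it.
    [ -n "$range" ] || { echo "no-passiveports"; return 0; }
    min=${range% *}; max=${range#* }
    ports=$(csf_tcp_in "$2")
    if range_allowed "$min" "$max" "$ports"; then echo "open"; else echo "blocked"; fi
}

# Constructed sample configs (not taken from the server in this thread).
tmp=$(mktemp -d)
printf 'Port 21\nPassivePorts 30000 35000\n' > "$tmp/proftpd.conf"
printf 'Port 21\n' > "$tmp/proftpd.nopasv"
printf 'TCP_IN = "20,21,22,80,443"\n' > "$tmp/csf.before"
printf 'TCP_IN = "20,21,22,80,443,30000:35000"\n' > "$tmp/csf.after"
echo "range missing from TCP_IN: $(check_ftp_passive "$tmp/proftpd.conf" "$tmp/csf.before")"
echo "range present in TCP_IN:   $(check_ftp_passive "$tmp/proftpd.conf" "$tmp/csf.after")"
echo "PassivePorts not set:      $(check_ftp_passive "$tmp/proftpd.nopasv" "$tmp/csf.after")"
rm -rf "$tmp"
```

On a real server, pass the actual paths of the proftpd and CSF config files; both services need a restart after either file changes before the result reflects the running state.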