
FTP and Firewall

Greg Sims

Basic Pleskian
Hi There,

We are using the standard FTP package, the Firewall Module and a server that is not behind any other firewall. I created an FTP site for one of our domains and everything works well for me. My IP address is configured in the firewall to allow access to Any Port of the server (admin rule).

I enabled the FTP rule for one IP in the Firewall Module and noticed that it generates:

/sbin/iptables -A INPUT -p tcp --dport 21 -s xx.xx.xx.xx -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -j DROP

I read a Plesk Knowledge Base article that says both ports 20 and 21 should be open. I created a special firewall rule to allow for this which generates:

/sbin/iptables -A INPUT -p tcp --dport 20 -s xx.xx.xx.xx -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -s xx.xx.xx.xx -j ACCEPT

It is still not possible for FTP traffic to make it to the server from any IP address that is not in the admin rule (open to all ports). I tried restarting network and xinetd which did not help.

It seems like I have a firewall issue of some sort. Any ideas on how to fix this?

Thanks! Greg
 
The IP addresses you enter in the firewall module are the source (-s) IP addresses, not the destination.

Thus by entering xxx.xxx.xxx.xxx in the rule, you allow only a connection with an IP address of xxx.xxx.xxx.xxx to access the FTP service.

This is not what you want with FTP - you want to allow access from all IPs (or if you know the IP address of each and every customer and also know they will never change then you could enter those IPs).

The default rule for FTP does exactly that, and normally does not need any configuration.

The default rule for "everything else" incidentally, in Plesk 7.5 (don't know about 8) is to allow everything else. So if you have a block rule, then that will block as required, but if you don't have a block rule for something then it is allowed by default. That "everything else" rule should therefore be set to deny instead of allow. BUT when you do this you will find that there will be problems with Passive Mode FTP. To get around this you'll need to open some holes above port 1024, and configure ProFTP to use those ports and only those for passive mode. There is a post with comprehensive explanations on this somewhere on the forum.

This is all unless I've totally misunderstood your question and problem of course, or if there is some fundamental difference between the firewall in Plesk 8 and Plesk 7.5 that I don't know about!

Faris.
 
Thanks for the feedback Faris! Here's the answer to how to configure proftpd and the Plesk firewall for passive FTP connections.

#!/bin/bash

# inspired by http://forum.swsoft.com/showthread.php?s=&threadid=34291
#
# gfs 02-23-07

# this script enables ftp passive mode on the plesk firewall. the goal
# is to open tcp ports 49152 to 65534 for use by proftpd. the plesk firewall
# will not accept a range of ports and this script provides a workaround. the
# ports listed here must match those in /etc/proftpd.conf by including the
# following lines:
#
# <Global>
# PassivePorts 49152 65534
# </Global>

# first we need to add a firewall rule in plesk that will allow port 49152
# on all tcp ip addresses. we will use this as a search target and extend
# the range of ports. this script should be run from cron every 10 minutes
# to extend the port range when the plesk firewall is updated.

# list with -n so iptables does not resolve names, and match only the tcp
# rule for port 49152 (or the already-extended range, so reruns are harmless)
# rather than any line that happens to contain the digits 49152.
N=$(/sbin/iptables -L INPUT -n --line-numbers \
    | awk '$3 == "tcp" && ($NF == "dpt:49152" || $NF == "dpts:49152:65534") { print $1; exit }')

# bail out rather than running iptables -R with an empty rule number
if [ -z "$N" ]; then
    echo "no plesk firewall rule for tcp port 49152 found in INPUT" >&2
    exit 1
fi

/sbin/iptables -R INPUT "$N" -p tcp --dport 49152:65534 -j ACCEPT

exit 0

I hope one day this will be integrated into Plesk. Perhaps the passive FTP ports can be opened with the FTP rule which is hard coded into the Plesk firewall. This and the change to proftpd.conf will make configuring FTP much easier for Plesk users in the future.

I hope this helps other readers! Greg
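The two pieces of the setup described in this thread (Faris's point that the passive data range must be opened above port 1024 and kept in step with ProFTPD, and Greg's cron script that locates the single-port anchor rule and widens it) are worth seeing as a dry run before touching a live firewall. The script below is an added example, not code from the thread or from Plesk; it never calls iptables. It parses a constructed proftpd.conf fragment and a constructed `iptables -L INPUT -n --line-numbers` listing, checks that the PassivePorts range is usable, and prints the commands an admin would run. The sample listing includes a UDP rule for the same port number on purpose, because a bare `grep 49152` would pick that line instead of the TCP anchor rule.

```shell
#!/bin/bash
# Added example, not code from the thread: dry-run helpers for the passive-FTP
# firewall setup discussed above. Nothing here calls iptables; each function
# parses constructed input and prints the command or value an admin would check.

# Constructed sample of the relevant lines of /etc/proftpd.conf.
SAMPLE_PROFTPD_CONF='<Global>
PassivePorts 49152 65534
</Global>'

# Constructed sample of "iptables -L INPUT -n --line-numbers" output. Rule 2 is a
# UDP decoy that a bare "grep 49152" would match; rule 4 is the real TCP anchor.
SAMPLE_IPTABLES_LIST='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:49152
3    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:21
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:49152
5    DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# Print "low high" from the PassivePorts directive (ProFTPD matches it case-insensitively).
passive_range() {
    printf '%s\n' "$1" | awk 'tolower($1) == "passiveports" { print $2, $3; exit }'
}

# Succeed only if the range is sane: two numbers, low <= high, and entirely above
# 1024 so the passive hole cannot overlap the privileged service ports.
check_range() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    case "$1$2" in *[!0-9]*) return 1 ;; esac
    [ "$1" -gt 1024 ] && [ "$1" -le "$2" ] && [ "$2" -le 65535 ]
}

# Print the chain position of the TCP rule for single port $2 in listing $1. A rule
# already widened to a range starting at $2 also matches, so reruns are idempotent.
anchor_rule_num() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $3 == "tcp" && ($NF == ("dpt:" port) || index($NF, "dpts:" port ":") == 1) { print $1; exit }'
}

# Print the iptables commands for the setup Faris describes: the control port and
# the passive data range open to every source address (no -s restriction).
ftp_rules() {
    echo "/sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT"
    echo "/sbin/iptables -A INPUT -p tcp --dport $1:$2 -j ACCEPT"
}

# Print the in-place replacement Greg's cron script performs, given the rule position.
extend_anchor_cmd() {
    echo "/sbin/iptables -R INPUT $1 -p tcp --dport $2:$3 -j ACCEPT"
}

# Demo run on the constructed samples.
set -- $(passive_range "$SAMPLE_PROFTPD_CONF")
if check_range "$1" "$2"; then
    ftp_rules "$1" "$2"
    N=$(anchor_rule_num "$SAMPLE_IPTABLES_LIST" "$1")
    [ -n "$N" ] && extend_anchor_cmd "$N" "$1" "$2"
else
    echo "PassivePorts range '$1 $2' is not usable" >&2
fi
```

Run as-is it prints the two ACCEPT rules and the `-R INPUT 4 ...` replacement for the sample listing. On a real server the listing would come from `/sbin/iptables -L INPUT -n --line-numbers` and the configuration from `/etc/proftpd.conf`; the value of the dry run is that a mismatch between PassivePorts and the firewall range, or a missing anchor rule, shows up as a printed error instead of a silently broken data connection.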
 