Solved

Problems with Passive mode on PROFTP behind firewall

Posted on 2001-07-17
Last Modified: 2013-12-16
I have a problem where I cannot connect to a proftp server in passive mode behind a firewall. The /var/messages file reports "SECURITY VIOLATION: Passive connection from x.x.x.x rejected" when the server tries to initiate passive mode.

Non passive mode connections are fine, but I have some customers who need passive mode.

I have set the passive ports directive in proftpd.conf, and ensured that the relevant ports are open on the firewall, but still can't get the server to do anything useful in passive mode. It eventually times out, saying that no transfer has taken place.

Please help.
Question by:dredmann
LVL 1

Expert Comment

by:rcm9445
ID: 6289948
Try using tcp/ip wrappers to send the packets through port 80 instead of port 23.
LVL 14

Accepted Solution

by:chris_calabrese (earned 200 total points)
ID: 6290057
What kind of firewall do you have?  If it is a non-transparent application proxy such as Raptor, it may be changing the apparent IP address of some of the packets.  This may be causing the security violation the software is complaining about.

Author Comment

by:dredmann
ID: 6290456
The firewall is by borderware.
The actual message reported is:

1.1.1.1 (gateway-ext.central.smartways.com[2.2.2.2]) - SECURITY VIOLATION: Passive connection from 3.3.3.3 rejected.


I've replaced the IP addresses for security reasons:
1.1.1.1 The host ftp server
2.2.2.2 IP of external side of clients firewall
3.3.3.3 IP of Internal side of our firewall

The ftp connection is being initiated inside the client's firewall.
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6290722
This is exactly the type of thing I was talking about.  The firewall intercepts the data traffic, making the ftp server see its IP address as the originating address for the packets.

The only way to solve this problem is to fix your firewall (or perhaps configure proftpd not to be concerned with this, but it's probably a problem for your clients too).
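An added example (my own code, not from this thread or from ProFTPD) that parses the log line quoted above and applies the same-origin rule behind the rejection: the PASV data connection must arrive from the address that holds the control session, otherwise the server refuses it. The message format, field names and placeholder addresses come from this page; the helper names and the assumption that other log formats are not handled are mine.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the proftpd log line quoted in the thread, with the
# thread's own placeholder addresses (1.1.1.1 server, 2.2.2.2 control peer,
# 3.3.3.3 data-connection peer).
SAMPLE_LOG = (
    "1.1.1.1 (gateway-ext.central.smartways.com[2.2.2.2]) - "
    "SECURITY VIOLATION: Passive connection from 3.3.3.3 rejected."
)

# Message shape as shown on this page (assumption: other log formats differ).
LOG_RE = re.compile(
    r"^(?P<server>\S+) \((?P<client_host>[^\[]+)\[(?P<control_ip>[^\]]+)\]\) - "
    r"SECURITY VIOLATION: Passive connection from (?P<data_ip>\S+) rejected\.$"
)

@dataclass
class PasvViolation:
    server: str       # address of the FTP server that logged the event
    client_host: str  # reverse-resolved name of the control-session peer
    control_ip: str   # address the control (port 21) session came from
    data_ip: str      # address that tried to open the PASV data connection

def parse_violation(line):
    """Parse one SECURITY VIOLATION line; return None for any other line."""
    m = LOG_RE.match(line.strip())
    return PasvViolation(**m.groupdict()) if m else None

def data_peer_matches_control(control_ip, data_ip):
    """Same-origin rule a PASV listener enforces: the host connecting to the
    data port must be the host holding the control session.  It keeps third
    parties off an announced data port; an address-rewriting proxy in the
    data path trips it in exactly the way the thread shows."""
    return ipaddress.ip_address(control_ip) == ipaddress.ip_address(data_ip)

def diagnose(line):
    """Explain a rejected PASV connection in terms of the two addresses."""
    v = parse_violation(line)
    if v is None:
        return "not a passive-connection violation"
    if data_peer_matches_control(v.control_ip, v.data_ip):
        return "addresses agree; the rejection has another cause"
    return (f"control session from {v.control_ip} but data connection from "
            f"{v.data_ip}: a device between client and server rewrites the "
            f"data connection's source address")
```

ProFTPD's AllowForeignAddress directive relaxes this check, but doing so also gives up the protection against third parties attaching to an announced data port, so repairing the proxy behaviour is the safer route.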

Author Comment

by:dredmann
ID: 6292764
Chris, how would you suggest that I go about making Proftp not care about the addresses getting changed?
LVL 14

Expert Comment

by:chris_calabrese
ID: 6293936
Never used proftp, so I can't tell you.  However this firewall behavior is likely to cause problems for your clients too, so the real answer is fixing the firewall.  I'd contact the firewall vendor to see if they have a solution to this problem.