Solved

Problems with Passive mode on PROFTP behind firewall

Posted on 2001-07-17
6
1,559 Views
Last Modified: 2013-12-16
I have a problem where I cannot connect to a proftp server in passive mode behind a firewall, the /var/messages file reports SECURITY VIOLATION: Passive connection from x.x.x.x rejected when the server tries to initiate passive mode.

Non passive mode connections are fine, but I have some customers who need passive mode.

I have set the passive ports directive in proftpd.conf, and ensured that the relevant ports are open on the firewall, but still can't get the server to do anything useful in passive mode. It eventually times out, saying that no transfer has taken place.

Please help.
0
Comment
Question by:dredmann
  • 3
  • 2
6 Comments
 
LVL 1

Expert Comment

by:rcm9445
ID: 6289948
Try using tcp/ip wrappers to send the packets thru port 80 instead of port 23.
0
 
LVL 14

Accepted Solution

by:
chris_calabrese earned 200 total points
ID: 6290057
What kind of firewall do you have?  If it is a non-transparent application proxy such as Raptor, it may be chaning the aparent IP address of some of the packets.  This may be causing the security violation the software is complaining about.
0
 

Author Comment

by:dredmann
ID: 6290456
The firewall is by borderware.
The actual message reported is:

1.1.1.1 (gateway-ext.central.smartways.com[2.2.2.2]) - SECURITY VIOLATION: Passive connection from 3.3.3.3 rejected.


I've replaced the ip addresses for security reasons:
1.1.1.1 The host ftp server
2.2.2.2 IP of external side of clients firewall
3.3.3.3 IP of Internal side of our firewall

The ftp connection is being initiated inside the client's firewall.
0
Master Your Team's Linux and Cloud Stack

Come see why top tech companies like Mailchimp and Media Temple use Linux Academy to build their employee training programs.

 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6290722
This is exactly the type of thing I was talking about.  The firewall intercepts the data traffic, making the ftp server see its IP address as the originating address for the packets.

The only way to solve this problem is to fix your firewall (or perhaps configure proftpd not to be concerned with this, but it's probably a problem for your clients too).
0
 

Author Comment

by:dredmann
ID: 6292764
Chris, how would you suggest that I go about making Proftp not care about the addresses getting changed?
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6293936
Never used proftp, so I can't tell you.  However this firewall behavior is likely to cause problems for your clients too, so the real answer is fixing the firewall.  I'd contact the firewall vendor to see if they have a solution to this problem.
0

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is the error message I got (CODE) Error caused by incompatible libmp3lame 3.98-2 with ffmpeg I've googled this error message and found out sometimes it attaches this note "can be treated with downgrade libmp3lame to version 3.97 or 3.98" …
Linux users are sometimes dumbfounded by the severe lack of documentation on a topic. Sometimes, the documentation is copious, but other times, you end up with some obscure "it varies depending on your distribution" over and over when searching for …
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question