My CSF close my FTP

rohit09
Junior Member
Posts: 4
Joined: 18 Dec 2010, 19:38

My CSF close my FTP

Post by rohit09 »

My iptables is good. No error.
TCP_IN = 20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,30000:35000
But still my FTP has the same problem: "Connection error" or "Try PASV mode", this kind of error!

100 times I restarted CSF and FTPD.

I also tried to reinstall csf! :(

But the same... Please help me!
LDW
Junior Member
Posts: 22
Joined: 25 Dec 2009, 22:36

Re: My CSF close my FTP

Post by LDW »

Have you checked the configuration of your FTP client software to ensure that it is set to make passive connections? Also, if you are trying to use TLS/SSL connections, you might want to see if you can change that to SSH connections instead.

Taken from the CSF readme file:


13. A note about FTP Connection Issues
######################################

It is important when using an SPI firewall to ensure FTP client applications
are configured to use Passive (PASV) mode connections to the server.

On servers running Monolithic kernels (e.g. VPS Virtuozzo/OpenVZ and custom
built kernels) ip_conntrack and ip_conntrack_ftp iptables kernel modules may
not be available or fully functional. If this happens, FTP passive mode (PASV)
won't work. In such circumstances you will have to open a hole in your firewall
and configure the FTP server to use that same hole.

For example, with pure-ftpd you could add the port range 30000:35000 to TCP_IN
and add the following line to /etc/pure-ftpd.conf and then restart pure-ftpd:
PassivePortRange	30000 35000

For example, with proftpd you could add the port range 30000:35000 to TCP_IN
and add the following line to /etc/proftpd.conf and then restart proftpd:
PassivePorts	30000 35000

FTP over SSL/TLS will usually fail when using an SPI firewall. This is because
of the way the FTP protocol establishes a connection between client and server.
iptables fails to establish a related connection when using FTP over SSL
because the FTP control connection is encrypted and so it cannot track the
relationship between the connection and the allocation of an ephemeral port.

If you need to use FTP over SSL, you will have to open up a passive port block
in both csf and your FTP server configuration (see above).

Perversely, this makes your firewall less secure, while trying to make FTP
connections more secure.
rohit09
Junior Member
Posts: 4
Joined: 18 Dec 2010, 19:38

Re: My CSF close my FTP

Post by rohit09 »

OK! After over a week of work, I discovered something...

When my CSF is enabled, my FTP is not working. But when I do FLUSH ALL BLOCKS, instantly my FTP starts working, but only for 30 sec. After that it goes back to its previous state. NO FTP :(

Do you guys have any permanent solution?

Thank You.
kotakomputer
Junior Member
Posts: 8
Joined: 06 Jan 2011, 10:28

Re: My CSF close my FTP

Post by kotakomputer »

Please read permanent/temporary blocking entry before you Flush All Blocks.
chirpy
Moderator
Posts: 3537
Joined: 09 Dec 2006, 18:13

Re: My CSF close my FTP

Post by chirpy »

If it works for a while and then stops, it's likely that the ftp connections are triggering Connection Tracking blocks. You need to investigate what triggers are being exceeded from either lfd.log or the emails sent when lfd blocks an IP address. Other than that, read the section in the readme.txt regarding FTP issues.
enghadi
Junior Member
Posts: 1
Joined: 17 Aug 2013, 07:21
Location: Iran

Re: My CSF close my FTP

Post by enghadi »

First edit /etc/proftpd.conf:
# vi /etc/proftpd.conf
Then type:
/PassivePorts
and press Enter to find this line:
PassivePorts 35000 35999
Press i for insert mode and replace the ports with this line:
PassivePorts 30000 35000
After editing, press Esc to leave insert mode.
Then enter again:
/PassivePorts
to find these lines:
<Global>
PassivePorts 35000 35999
and replace them with:
<Global>
PassivePorts 30000 35000
After editing, press Esc to leave insert mode.
Then type:
:wq
and press Enter to save and close the file and return to the command line.
Now we must change the TCP_IN option in /etc/csf/csf.conf.
Type:
# vi /etc/csf/csf.conf
Type:
/TCP_IN
and press Enter to find this line:
TCP_IN = "20,21,22, etc..."
Edit the line by pressing i and then add ,30000:35000 before the last quotation mark, like this:
TCP_IN = "20,21,22,...,30000:35000"
Then type:
:wq
and press Enter to save and close the file and return to the command line.
Now restart the related services:
# csf -r
# service lfd restart
# service proftpd restart

good luck!
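The readme note quoted above and the vi walkthrough in the previous post describe the same fix: make proftpd's PassivePorts range and csf's TCP_IN agree, and (on kernels where the FTP conntrack helper is missing) accept that the firewall must hold that range open. The script below is an added example, not code from this thread, from CSF or from proftpd. It does the two edits idempotently through a temp file so it works with any POSIX sed, verifies that every PassivePorts directive in proftpd.conf is opened in TCP_IN, and checks a /proc/modules-style listing for the FTP conntrack helper (the module names nf_conntrack_ftp / ip_conntrack_ftp and the "helper is only a hint" caveat are my own knowledge, not from the thread). The line shapes it parses (`TCP_IN = "..."` on one line, `PassivePorts LOW HIGH`) are those shown in the thread; the sample configs it writes are constructed and it never touches the live /etc files unless you pass their paths.

```shell
#!/bin/sh
# Added example (not CSF or proftpd code): keep the proftpd passive port range
# and csf's TCP_IN in sync, then check whether the kernel FTP conntrack helper
# is loaded. Paths are parameters; the demo at the bottom uses constructed
# sample configs, never the live /etc/proftpd.conf or /etc/csf/csf.conf.

PASV_LOW=${PASV_LOW:-30000}
PASV_HIGH=${PASV_HIGH:-35000}

# Print every PassivePorts directive in a proftpd.conf as LOW:HIGH, one per line
# (covers both the top-level directive and the one inside <Global>).
proftpd_pasv_ranges() {
  sed -nE 's/^[[:space:]]*PassivePorts[[:space:]]+([0-9]+)[[:space:]]+([0-9]+).*/\1:\2/p' "$1"
}

# Rewrite every PassivePorts directive to LOW HIGH, or append one if none exists.
set_proftpd_pasv() {
  file=$1 low=$2 high=$3
  tmp=$(mktemp)
  if grep -Eq '^[[:space:]]*PassivePorts[[:space:]]' "$file"; then
    sed -E "s/^([[:space:]]*)PassivePorts[[:space:]].*/\1PassivePorts ${low} ${high}/" "$file" > "$tmp"
  else
    { cat "$file"; printf 'PassivePorts %s %s\n' "$low" "$high"; } > "$tmp"
  fi
  mv "$tmp" "$file"
}

# Print the value between the quotes of the TCP_IN line in csf.conf.
csf_tcp_in_value() {
  sed -nE 's/^TCP_IN = "([^"]*)".*/\1/p' "$1"
}

# Exit 0 if RANGE (e.g. 30000:35000) is already one of the TCP_IN entries.
csf_has_range() {
  csf_tcp_in_value "$1" | tr ',' '\n' | grep -qx "$2"
}

# Append LOW:HIGH to TCP_IN unless it is already there (idempotent);
# an empty TCP_IN gets the range on its own instead of a leading comma.
set_csf_tcp_in() {
  file=$1 range="$2:$3"
  csf_has_range "$file" "$range" && return 0
  tmp=$(mktemp)
  sed -E -e "s/^TCP_IN = \"\"/TCP_IN = \"${range}\"/" -e t \
         -e "s/^(TCP_IN = \"[^\"]*)\"/\1,${range}\"/" "$file" > "$tmp"
  mv "$tmp" "$file"
}

# Exit 0 only if proftpd has at least one PassivePorts range and every one of
# them is opened in csf's TCP_IN; this is the check the thread's fix relies on.
check_sync() {
  ranges=$(proftpd_pasv_ranges "$1")
  [ -n "$ranges" ] || return 1
  for r in $ranges; do
    csf_has_range "$2" "$r" || return 1
  done
}

# Exit 0 if the FTP conntrack helper module appears in a /proc/modules-style
# listing (nf_conntrack_ftp on current kernels, ip_conntrack_ftp on old ones).
# A helper built into the kernel will not appear here, and on recent kernels a
# loaded helper is only applied to port 21 when a CT helper rule assigns it,
# so a hit is a hint that PASV tracking can work, not proof that it does.
ftp_helper_loaded() {
  grep -Eq '^(nf|ip)_conntrack_ftp ' "${1:-/proc/modules}" 2>/dev/null
}

# Write constructed sample configs into DIR (shapes copied from the thread, not
# real server files): proftpd still on 35000-35999, csf without any such range.
make_sample_configs() {
  cat > "$1/proftpd.conf" <<'EOF'
ServerName "ProFTPD"
PassivePorts 35000 35999
<Global>
PassivePorts 35000 35999
</Global>
EOF
  cat > "$1/csf.conf" <<'EOF'
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096"
TCP_OUT = "20,21,22,25,53,80,110,113,443"
EOF
}

# Demo on the constructed configs. On a real server pass /etc/proftpd.conf and
# /etc/csf/csf.conf instead, then run: csf -r ; service lfd restart ; service proftpd restart
demo_dir=$(mktemp -d)
make_sample_configs "$demo_dir"
set_proftpd_pasv "$demo_dir/proftpd.conf" "$PASV_LOW" "$PASV_HIGH"
set_csf_tcp_in   "$demo_dir/csf.conf"     "$PASV_LOW" "$PASV_HIGH"
if check_sync "$demo_dir/proftpd.conf" "$demo_dir/csf.conf"; then
  echo "proftpd PassivePorts and csf TCP_IN agree on ${PASV_LOW}:${PASV_HIGH}"
fi
ftp_helper_loaded && echo "FTP conntrack helper module is loaded" || echo "no FTP conntrack helper module listed"
rm -rf "$demo_dir"
```

Run it as-is to see the constructed case repaired; to apply it on a server, call `set_proftpd_pasv` and `set_csf_tcp_in` with the real paths (as root), then restart csf, lfd and proftpd as the previous post does. The range 30000:35000 is the readme's example, not a requirement; pick any block that does not collide with other services, and keep in mind that whatever you open here is reachable by anyone, not only by FTP clients with an established control connection.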
greitas
Junior Member
Posts: 1
Joined: 19 Aug 2013, 13:41
Location: Vilnius

Re: My CSF close my FTP

Post by greitas »

enghadi, thanks a lot!