Cant connect to FTP when CSF is enabled, but FTP ports are open

amityweb · October 29, 2018, 2:43pm

Does anyone know about this issue please…

I have enabled ports 20 and 21 in csf.conf for TCP IN and OUT and UDP IN and OUT.

BUT using my FTP client just fails. If I turn off CSF it connects fine.

So its got to be a CSF issue but the ports are open.

Some help online states using passive and setting PassivePorts in proftpd.conf but that does not work either, and dont see why I need to use passive, it wont work with or without passive.

Thanks

amityweb · October 29, 2018, 3:01pm

I have this:
LF_DISTFTP = “0”

amityweb · October 29, 2018, 3:06pm

Also I have this: CT_LIMIT = “0”

amityweb · October 29, 2018, 3:20pm

These are the logs in messages from my IP:
Oct 29 13:36:47 ss1 proftpd[8218]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session opened. Oct 29 13:37:28 ss1 proftpd[8218]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session closed. Oct 29 13:38:30 ss1 proftpd[8584]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session opened. Oct 29 13:39:18 ss1 proftpd[8584]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session closed. Oct 29 13:39:35 ss1 proftpd[8658]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session opened. Oct 29 13:40:26 ss1 proftpd[8658]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session closed. Oct 29 14:08:37 ss1 proftpd[15355]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session opened. Oct 29 14:09:18 ss1 proftpd[15355]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session closed. Oct 29 14:17:25 ss1 proftpd[18545]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session opened. Oct 29 14:18:01 ss1 proftpd[18626]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session opened. Oct 29 14:18:09 ss1 proftpd[18545]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session closed. Oct 29 14:21:32 ss1 proftpd[18626]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session closed. Oct 29 14:42:07 ss1 proftpd[26725]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session opened. Oct 29 14:47:07 ss1 proftpd[26725]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - Login timeout exceeded, disconnected Oct 29 14:47:07 ss1 proftpd[26725]: 127.0.0.1 (12.34.56.78[12.34.56.78]) - FTP session closed.

scotwnw · October 29, 2018, 5:11pm

Looks like its getting in but not get return response.

Be sure you have and ESTABLISHED/RELATED line in the firewall. CSF includes it normally but could have been turned off by mistake.

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

If that doesn’t do it, check /etc/proftpd.conf for the passive ports it’s using and open those on the ‘out’ or possibly ‘in and out’. Try the minimum first.

amityweb · October 29, 2018, 7:15pm

Yeah, got this:
ACCEPT all opt – in !lo out * 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT all opt – in * out !lo 0.0.0.0/0 -> 0.0.0.0/0 state RELATED,ESTABLISHED ACCEPT all opt in !lo out * ::/0 -> ::/0 state RELATED,ESTABLISHED ACCEPT all opt in * out !lo ::/0 -> ::/0 state RELATED,ESTABLISHED

There is no passive ports in proftpd.conf, but if I add them in as per other threads (e.g. PassivePorts 30000 35000) and open those in CSF, it still does not work. Whether I set my client to use passive or not.

amityweb · October 29, 2018, 7:36pm

Maybe there is some other strange issue going on… I added the IP I cant connect from to the allow list in csf but still could not connect. But if I disable CSF it works.

So must be a CSF thing, but its ignoring the allow IP also. So some other block for FTP going on?

scotwnw · October 29, 2018, 8:32pm

Can’t think of anything else that would cause it but obviously CSF is blocking something.

Is this machine you’re connecting to NAT’d at all? Or does it have public ip?

Jfro · October 30, 2018, 8:53am

https://duckduckgo.com/html?q=csf%20manual%20ftp%20ports

probably in tcp (in,out) / udp section the ports…

Or you stil have another kind of firewall activ.

amityweb · October 30, 2018, 1:27pm

I have opened ports 20 and 21 in csf for TCP IN and OUT and UDP IN and OUT
I also tried adding passive ports.
It works when CSF is disabled so no other firewall blocking it.

amityweb · October 30, 2018, 1:28pm

@scotwnw just a public IP I think. I am connecting through my mobile phone wifi hotspot (because my main network is in the allowed list, which I have to have or I wont be able to access the server). but was notified of this issue by a customer who cant connect either.

Jfro · October 30, 2018, 3:26pm

IPv4 IPv6
native IPv4 IPv6
or a CGNAT ipv4
could give other results needed settings in firewalls only gues…

Maybe check and log ftp access with csf firewall of you can see ip’s that system … ports i don;t know if you see there…

jimdunn · October 30, 2018, 3:54pm

If you’re still having issues…

https://www.virtualmin.com/node/33537 suggests trying another ftp client.
http://www.proftpd.org/docs/howto/Debugging.html suggests enable debugging.
set up a 2nd vanilla server and see if you have the same issues as on problem server.
make copies of your csf.conf files, then copy the “newly installed” conf over to problem server and see if you have the same issues.

(also note that in /etc/proftpd/conf.d/virtualmin.conf port 2222 is also enabled by default)