I just installed CentOS4 on my main server. It runs proftpd and is not NATted..

When I did the install I said to allow FTP and HTTP. I can ftp from windows dos ftp client.

In IE I get "Unable to build data connection: No route to host"

ncftp I get..
Data connection timed out.
Falling back to PORT instead of PASV mode.
List failed.

Wget and FireFox just time out.

Anything I need to add to the firewall rules? This is all it has related to FTP.
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 21 --state NEW -j ACCEPT

On Thu, 2005-07-07 at 16:55 -0700, Dave wrote:
> I just installed CentOS4 on my main server. It runs proftpd and is not NATted..
>
> When I did the install I said to allow FTP and HTTP. I can ftp from
> windows dos ftp client.
>
> In IE I get "Unable to build data connection: No route to host"
>
> ncftp I get..
> Data connection timed out.
> Falling back to PORT instead of PASV mode.
> List failed.
>
> Wget and FireFox just time out.
>
> Anything I need to add to the firewall rules? This is all it has
> related to FTP.
> -A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 21 --state NEW -j ACCEPT

You need to load the ip_conntrack_ftp.ko module. You'll also need to open the ports for PASV support. Some ftp servers let you pin those in the config.

Sean

On Thu, 2005-07-07 at 16:55 -0700, Dave wrote:
> I just installed CentOS4 on my main server. It runs proftpd and is not NATted..
>
> When I did the install I said to allow FTP and HTTP. I can ftp from
> windows dos ftp client.
>
> In IE I get "Unable to build data connection: No route to host"
>
> ncftp I get..
> Data connection timed out.
> Falling back to PORT instead of PASV mode.
> List failed.
>
> Wget and FireFox just time out.
>
> Anything I need to add to the firewall rules? This is all it has
> related to FTP.
> -A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 21 --state NEW -j ACCEPT

These 2 will allow you to connect to port 80 ... if you are running httpd:

-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT

Here are the differences between passive mode and active mode FTP ... and why passive mode is probably best to set up on your server.

http://slacksite.com/other/ftp.html

You will need to allow the passive mode ftp ports you pick in as well ... if you picked 22222 to 22232 (you would need to set up your ftp server for passive mode ftp), then this should work:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22222:22232 -j ACCEPT

On Thursday 07 July 2005 04:55 pm, Dave wrote:
> I just installed CentOS4 on my main server. It runs proftpd and is
> not NATted..
>
> When I did the install I said to allow FTP and HTTP. I can ftp from
> windows dos ftp client.
>
> In IE I get "Unable to build data connection: No route to host"
>
> ncftp I get..
> Data connection timed out.
> Falling back to PORT instead of PASV mode.
> List failed.

You might want to look at the thread I started yesterday:

ftp daemon problem

I got some good help there from Barry Brimer.

I did a bit of research on the 'net and discovered that my firewall (I use the "kiss" firewall, it's available on the net and is a front-end for creating a netfilter firewall using iptables)...

... was attempting to load:

ip_conntrack_ftp.o

which no longer exists; it's been renamed:

ip_conntrack_ftp.ko

So I changed one line in the kiss firewall, to load the right file, and presto, ftp works fine in both active and passive mode.

Thanks, Barry, for leading me in the right direction, and I hope this helps you.

Jeff
-- 
Jeff Lasman, Nobaloney Internet Services
1254 So Waterman Ave., Suite 50, San Bernardino, CA 92408
Our blists address used on lists is for list email only
Phone +1 909 266-9209, or see: "http://www.nobaloney.net/contactus.html"
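
An added example, not part of any message in this thread: a shell check that reads an iptables-save style ruleset, a proftpd.conf and a copy of /proc/modules, and reports whether the FTP data channel can get through by either route the replies describe (the ip_conntrack_ftp helper with an ESTABLISHED,RELATED rule, or a pinned and opened passive range). The function name, file names and sample file contents are constructed for illustration; PassivePorts is proftpd's directive for pinning the passive range.

```shell
#!/bin/sh
# Added example: audit an iptables-save style ruleset for a usable FTP data channel.
# check_ftp_fw RULES PROFTPD_CONF MODULES   (MODULES = copy of /proc/modules)
# Returns 0 when data connections can get through, 1 otherwise.
check_ftp_fw() {
    rules=$1 conf=$2 mods=$3
    accepted() { grep -- '-j ACCEPT' "$rules"; }

    accepted | grep -Eq -- '--dport 21( |$)' ||
        { echo "FAIL: control port 21 is not accepted"; return 1; }

    # Path A: the conntrack FTP helper tags data connections as RELATED.
    if grep -q '^ip_conntrack_ftp ' "$mods" &&
       accepted | grep -- '--state' | grep ESTABLISHED | grep -q RELATED; then
        echo "OK: ip_conntrack_ftp loaded and ESTABLISHED,RELATED accepted"; return 0
    fi

    # Path B (passive mode only): range pinned in proftpd.conf and opened here.
    range=$(awk 'tolower($1) == "passiveports" { print $2 ":" $3; exit }' "$conf")
    if [ -n "$range" ] && accepted | grep -Eq -- "--dport $range( |\$)"; then
        echo "OK: passive range $range is open"; return 0
    fi
    echo "FAIL: no helper with RELATED rule, and no open PassivePorts range"
    return 1
}

# Constructed sample input (not taken from a real host).
d=$(mktemp -d)
cat > "$d/rules.orig" <<'EOF'
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 21 --state NEW -j ACCEPT
EOF
cat > "$d/rules.fixed" <<'EOF'
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state -m tcp --dport 21 --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22222:22232 -j ACCEPT
EOF
printf 'PassivePorts 22222 22232\n' > "$d/proftpd.conf"
printf 'ip_conntrack_ftp 72241 0 - Live 0xf8a3b000\n' > "$d/modules.ftp"
: > "$d/modules.none"

check_ftp_fw "$d/rules.orig"  "$d/proftpd.conf" "$d/modules.none" || true  # FAIL
check_ftp_fw "$d/rules.fixed" "$d/proftpd.conf" "$d/modules.none"          # OK, path B
check_ftp_fw "$d/rules.fixed" /dev/null         "$d/modules.ftp"           # OK, path A
```

On a live host the three arguments would be the saved ruleset, the proftpd configuration file and /proc/modules.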