Allowing passive FTP connections in FirewallD (CentOS 7)
In CentOS 7 which comes with FirewallD, enabling HTTP access was easy:
firewall-cmd --permanent --zone=public --add-service=http
However,
firewall-cmd --permanent --zone=public --add-service=ftp
doesn't work: the rule applies, but I can't access FTP by any means except disabling FirewallD.
Some diagnostic info:
- I have checked the service definition file (ftp.xml) and it makes use of nf_conntrack_ftp module.
- On my VPS the module is compiled into kernel (not separate) so it's not there via lsmod, but I can confirm it's there by this:
zgrep FTP /proc/config.gz
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_TFTP=y
CONFIG_NF_NAT_FTP=y
CONFIG_NF_NAT_TFTP=y
Solution 1:
I did not research the issue thoroughly, so I do not understand the details, but it seems this has something to do with how the active/passive connections are set up both for vsftpd on the server and for the client (e.g. FileZilla).
Basically you will need to:
- configure vsftpd passive mode by adding the following to /etc/vsftpd/vsftpd.conf:
pasv_enable=Yes
pasv_max_port=40000
pasv_min_port=40000
- Restart vsftpd:
systemctl restart vsftpd.service
- Open port 40000 in FirewallD:
firewall-cmd --permanent --add-port=40000/tcp
firewall-cmd --reload
- Then I was able to connect with lftp. For setting FileZilla to use active mode, check http://www.itzgeek.com/how-tos/linux/centos-how-tos/enable-passive-mode-in-ftp-on-centos-7-rhel-7-for-filezilla-and-winscp.html#axzz3X4loTCMi
Solution 2:
try:
edit /etc/vsftpd/vsftpd.conf
pasv_enable=YES
pasv_min_port=65400
pasv_max_port=65410
Then:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -p TCP --dport 21 --sport 1024:65534 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -p TCP --dport 65400:65410 --sport 1024:65534 -j ACCEPT
firewall-cmd --reload
firewall-cmd --permanent --direct --get-all-rules
I use the vsftpd server and the FileZilla client, and it works.
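Both solutions come down to the same thing: the passive port range in vsftpd.conf (pasv_min_port/pasv_max_port) must be fully covered by the TCP ports firewalld opens. The script below is an added check that is not part of either answer; it parses a vsftpd.conf and a `firewall-cmd --list-ports` style port list and reports the first passive port that is not open. The sample config and port list are constructed; on a real host feed it /etc/vsftpd/vsftpd.conf and the output of `firewall-cmd --zone=public --list-ports`.

```shell
#!/bin/sh
# Added example (not from the original answers): verify that the vsftpd passive
# port range is covered by the TCP ports firewalld has opened in the zone.

# Print "min max" read from vsftpd.conf text on stdin.
pasv_range() {
    awk -F= '
        /^[[:space:]]*pasv_min_port[[:space:]]*=/ { min = $2 + 0 }
        /^[[:space:]]*pasv_max_port[[:space:]]*=/ { max = $2 + 0 }
        END { print min, max }'
}

# Return 0 if every port in $1..$2 appears in the firewalld port list on stdin.
# Entries look like "40000/tcp" or "65400-65410/tcp", whitespace separated;
# non-TCP entries are ignored. Prints the first missing port and returns 1.
pasv_covered() {
    awk -v lo="$1" -v hi="$2" '
        {
            for (i = 1; i <= NF; i++) {
                split($i, a, "/"); if (a[2] != "tcp") continue
                n = split(a[1], r, "-"); s = r[1] + 0; e = (n == 2) ? r[2] + 0 : s
                for (p = s; p <= e; p++) seen[p] = 1
            }
        }
        END {
            for (p = lo; p <= hi; p++) if (!seen[p]) { print "missing " p; exit 1 }
            exit 0
        }'
}

# Constructed sample inputs so the script runs stand-alone (offline).
SAMPLE_CONF='listen=YES
pasv_enable=YES
pasv_min_port=65400
pasv_max_port=65410'
SAMPLE_PORTS='21/tcp 65400-65410/tcp'

# Run the check over the constructed samples; returns 0 when the range is covered.
check_sample() {
    set -- $(printf '%s\n' "$SAMPLE_CONF" | pasv_range)
    printf '%s\n' "$SAMPLE_PORTS" | pasv_covered "$1" "$2"
}

if check_sample; then echo "passive range is covered"; fi
```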