I'm reposting the original message hoping to get a response this time.

All I want to do is ftp between a RH9 machine (the server) and a
Fedora 2 machine (the client).

I'm pretty sure it is a firewall problem with the client machine and
the way ftp uses random port numbers.


------Original post-------
I've been trying to ftp between a fedora box and a RH9 box.  The RH9
box is running the default ftpd and I'm using the default console ftp
client on the fedora box.

I can login fine but when I try to "ls" I get:

227 Entering Passive Mode (*.*.*.*.208.243)
ftp: connect: Connection refused

the asterisks are the IP address of the server.

On both machines I have the ftp box checked in the graphical security
settings app.

When I boot the client machine into OS/2 and use the default text mode
client that it has I have no problem, so it's obviously a client
problem.

I've posted this problem twice before and not gotten a working
solution.  Please help.
-------end original post-----------

Now it is the third time.  If no one on this group knows how to fix
the problem please tell me of a group that is read by people who do.


--
Mark Heaely
marknews(at)healeyonline(dot)com

[ Post a follow-up to this message ]

On Sat, 13 Nov 2004 05:09:49 +0000, Mark Healey wrote:

> I'm reposting the original message hoping to get a response this time.
>
> All I want to do is ftp between a RH9 machine (the server) and a Fedora 2
> machine (the client).
>
> I'm pretty sure it is a firewall problem with the client machine and the
> way ftp uses random port numbers.

Have you tried confirming that by turning off the firewall?

--
"No oppression is so heavy or lasting as that which is inflicted by
the perversion and exorbitance of legal authority."
i.m.

[ Post a follow-up to this message ]

On Mon, 15 Nov 2004 19:57:40 UTC, "Ivan Marsh" <annoyed@you.now>
wrote:

> On Sat, 13 Nov 2004 05:09:49 +0000, Mark Healey wrote:
> 
>
> Have you tried confirming that by turning off the firewall?

I turn it off on the Fedora (client) box and it works in active mode
but not passive?


--
Mark Healey
marknews(at)healeyonline(dot)com

[ Post a follow-up to this message ]

On Sat, 20 Nov 2004 16:36:06 +0000, Mark Healey wrote:

> On Mon, 15 Nov 2004 19:57:40 UTC, "Ivan Marsh" <annoyed@you.now> wrote:
> 
>
> I turn it off on the Fedora (client) box and it works in active mode but
> not passive?

Do you need it to work in passive mode?

Adjust as needed:

$INTERNET="eth0"
$UNPRIVPORTS="1024:65535"
$CLASS_C="192.168.0.0/16"

 ########################################
####################################
####
# FTP TRAFFIC
 ########################################
####################################
####
echo 'Allowing outgoing FTP requests.'

# Outgoing control connection to port 21
iptables -A OUTPUT -o $INTERNET -p tcp --sport $UNPRIVPORTS --dport 21 -j AC
CEPT
iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport 21 --dport $UNPRIVPORT
S -j ACCEPT

# Incoming port mode data channel connection from port 20
iptables -A INPUT -i $INTERNET -p tcp --sport 20 --dport $UNPRIVPORTS -j ACC
EPT
iptables -A OUTPUT -o $INTERNET -p tcp ! --syn --sport $UNPRIVPORTS --dport 
20 -j ACCEPT

# Outgoing passive mode data channel connection between unprivleged ports
iptables -A OUTPUT -o $INTERNET -p tcp --sport $UNPRIVPORTS --dport $UNPRIVP
ORTS -j ACCEPT
iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport $UNPRIVPORTS --dport $
UNPRIVPORTS -j ACCEPT

echo 'Allowing incoming FTP requests.'

# Incoming control connection to port 21
iptables -A INPUT -i $INTERNET -p tcp -s $CLASS_C --sport $UNPRIVPORTS --dpo
rt 21 -j ACCEPT
iptables -A OUTPUT -o $INTERNET -p tcp ! --syn --sport 21 -d $CLASS_C --dpor
t $UNPRIVPORTS -j ACCEPT

# Outgoing port mode data channel connection to port 20
iptables -A OUTPUT -o $INTERNET -p tcp --sport 20 -d $CLASS_C --dport $UNPRI
VPORTS -j ACCEPT
iptables -A INPUT -i $INTERNET -p tcp ! --syn -s $CLASS_C --sport $UNPRIVPOR
TS --dport 20 -j ACCEPT

# Incoming passive mode data channel connection between unprivleged ports
iptables -A INPUT -i $INTERNET -p tcp -s $CLASS_C --sport $UNPRIVPORTS --dpo
rt $UNPRIVPORTS -j ACCEPT
iptables -A OUTPUT -o $INTERNET -p tcp ! --syn --sport $UNPRIVPORTS -d $CLAS
S_C --dport $UNPRIVPORTS -j ACCEPT


--
"No oppression is so heavy or lasting as that which is inflicted by
the perversion and exorbitance of legal authority."
i.m.

[ Post a follow-up to this message ]

On Mon, 22 Nov 2004 17:12:39 UTC, "Ivan Marsh" <annoyed@you.now>
wrote:

> On Sat, 20 Nov 2004 16:36:06 +0000, Mark Healey wrote:
> 
>
> Do you need it to work in passive mode?
>
> Adjust as needed:
>
> $INTERNET="eth0"
> $UNPRIVPORTS="1024:65535"
> $CLASS_C="192.168.0.0/16"
>
>  ########################################
##################################
######
> # FTP TRAFFIC
>  ########################################
##################################
######
> echo 'Allowing outgoing FTP requests.'
>
> # Outgoing control connection to port 21
> iptables -A OUTPUT -o $INTERNET -p tcp --sport $UNPRIVPORTS --dport 21 -j 
ACCEPT
> iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport 21 --dport $UNPRIVPO
RTS -j ACCEPT
>
> # Incoming port mode data channel connection from port 20
> iptables -A INPUT -i $INTERNET -p tcp --sport 20 --dport $UNPRIVPORTS -j A
CCEPT
> iptables -A OUTPUT -o $INTERNET -p tcp ! --syn --sport $UNPRIVPORTS --dpor
t 20 -j ACCEPT
>
> # Outgoing passive mode data channel connection between unprivleged ports
> iptables -A OUTPUT -o $INTERNET -p tcp --sport $UNPRIVPORTS --dport $UNPRI
VPORTS -j ACCEPT
> iptables -A INPUT -i $INTERNET -p tcp ! --syn --sport $UNPRIVPORTS --dport
 $UNPRIVPORTS -j ACCEPT
>
> echo 'Allowing incoming FTP requests.'
>
> # Incoming control connection to port 21
> iptables -A INPUT -i $INTERNET -p tcp -s $CLASS_C --sport $UNPRIVPORTS --d
port 21 -j ACCEPT
> iptables -A OUTPUT -o $INTERNET -p tcp ! --syn --sport 21 -d $CLASS_C --dp
ort $UNPRIVPORTS -j ACCEPT
>
> # Outgoing port mode data channel connection to port 20
> iptables -A OUTPUT -o $INTERNET -p tcp --sport 20 -d $CLASS_C --dport $UNP
RIVPORTS -j ACCEPT
> iptables -A INPUT -i $INTERNET -p tcp ! --syn -s $CLASS_C --sport $UNPRIVP
ORTS --dport 20 -j ACCEPT
>
> # Incoming passive mode data channel connection between unprivleged ports
> iptables -A INPUT -i $INTERNET -p tcp -s $CLASS_C --sport $UNPRIVPORTS --d
port $UNPRIVPORTS -j ACCEPT
> iptables -A OUTPUT -o $INTERNET -p tcp ! --syn --sport $UNPRIVPORTS -d $CLASS_C --
dport $UNPRIVPORTS -j ACCEPT

I'm guessing that I add these lines to /etc/sysconfig/iptables?

Are the:

> $INTERNET="eth0"
> $UNPRIVPORTS="1024:65535"
> $CLASS_C="192.168.0.0/16"

lines some kind of variable definitions?


--
Mark Healey
marknews(at)healeyonline(dot)com

[ Post a follow-up to this message ]

On Tue, 23 Nov 2004 06:54:23 +0000, Mark Healey wrote:

> On Mon, 22 Nov 2004 17:12:39 UTC, "Ivan Marsh" <annoyed@you.now> wrote: 
>
> I'm guessing that I add these lines to /etc/sysconfig/iptables?

No. That's part of a bash script. You can make it executeable and run it.
Then run "service iptables save".

> Are the:
> 
>
> lines some kind of variable definitions?

Yes.

--
"No oppression is so heavy or lasting as that which is inflicted by
the perversion and exorbitance of legal authority."
i.m.

[ Post a follow-up to this message ]

On Tue, 23 Nov 2004 17:49:29 UTC, "Ivan Marsh" <annoyed@you.now>
wrote:
[vbcol=seagreen]
> On Tue, 23 Nov 2004 06:54:23 +0000, Mark Healey wrote:
> 

I just got lazy.  I figured out enough of the rules descriptions to
modifile /etc/sysconfig/iptables to allow any traffic from machines I
trust.


--
Mark Healey
marknews(at)healeyonline(dot)com

[ Post a follow-up to this message ]