I can't get vsftpd and firewalld to work together properly on CentOS 7 (without adding the passive range to the firewalld). Looks like firewalld ignores connection tracking (nf_conntrack_ftp is loaded but has 0 users). Is it correct that firewalld doesn't yet support connection tracking as suggested here?

In firewalld I have enabled the ftp service but while I can login and list I cannot upload files unless I stop the firewall or add an explicit passive range.

Firewalld command:

firewall-cmd --permanent --add-service=ftp

Resultant iptables rule:

-A IN_public_allow -p tcp -m tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT

Connection tracking module:

# lsmod | grep conntrack_ftp
nf_conntrack_ftp 18638 0

ostergaard
    No, this _should_ work provided the module is loaded. If you inspect the actual iptables rules generated, you will see that they are already using conntrack. You should tell us about the actual problem you're having and provide some useful info (like the state of your firewall). – Michael Hampton Apr 14 '15 at 04:58
  • Thanks for your comment. However I did in fact say what the actual problem I am having is... Namely that, unless I add a passive range of IPs to the firewall, vsftpd doesn't work. What 'state of my firewall' would you like to see? – ostergaard Apr 14 '15 at 09:53

2 Answers

I had the same problem using CentOS 8 and vsftpd. As mentioned in another post you have to load the kernel module "nf_conntrack_ftp" (which was already the case in CentOS 8) and enable "nf_conntrack_helper" in kernel settings:

echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper

Add this line to /etc/sysctl.conf (or /etc/sysctl.d/10-nf_conntrack_helper.conf when /etc/sysctl.d/ is present) for a reboot-persistent setting:

net.netfilter.nf_conntrack_helper=1
h18c
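An added check script (not from the question or either answer) that verifies the conditions the answer above lists: whether nf_conntrack_ftp is loaded and its "used by" count, whether /proc/sys/net/netfilter/nf_conntrack_helper reads 1, and whether the sysctl line is persisted. The parsing functions take their input as arguments so they can be run against captured lsmod output offline; the `--live` flag is my own convention, not a firewalld or vsftpd option.

```bash
#!/bin/bash
# Verify the pieces needed for passive FTP through firewalld on this page:
# the nf_conntrack_ftp module, the nf_conntrack_helper sysctl, and persistence.

# Print the "Used by" count of nf_conntrack_ftp from lsmod output; status 1 if absent.
ftp_helper_module_state() {
    printf '%s\n' "$1" | awk '
        $1 == "nf_conntrack_ftp" { print $3; found = 1 }
        END { exit !found }'
}

# Status 0 if the given sysctl file (e.g. /proc/sys/net/netfilter/nf_conntrack_helper) holds 1.
conntrack_helper_enabled() {
    [ "$(tr -d '[:space:]' < "$1")" = "1" ]
}

# Status 0 if a sysctl.conf-style file persists net.netfilter.nf_conntrack_helper=1.
persisted_in_sysctl_conf() {
    grep -Eq '^[[:space:]]*net\.netfilter\.nf_conntrack_helper[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Live check on a real host, using the paths from the page.
check_live_host() {
    local users
    if users=$(ftp_helper_module_state "$(lsmod)"); then
        echo "nf_conntrack_ftp loaded (used by: $users)"
    else
        echo "nf_conntrack_ftp NOT loaded: run modprobe nf_conntrack_ftp"
    fi
    if conntrack_helper_enabled /proc/sys/net/netfilter/nf_conntrack_helper; then
        # Automatic helper assignment attaches the FTP helper to any flow on port 21.
        # Newer kernels default this to 0 because helpers can be pulled in by crafted
        # traffic; netfilter's guidance is to assign helpers per rule (CT target) instead.
        echo "nf_conntrack_helper=1 (automatic helper assignment on)"
    else
        echo "nf_conntrack_helper=0: passive data connections will not be tracked"
    fi
    if persisted_in_sysctl_conf /etc/sysctl.conf; then
        echo "setting persisted in /etc/sysctl.conf"
    else
        echo "setting not found in /etc/sysctl.conf (check /etc/sysctl.d/)"
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_live_host
fi
```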

I think you need to open ftp-data, TCP port 20

Antonio
  • Thanks but you're kind of missing the point. Firewalld comes with a pre-defined service for FTP and I can't get the predefined service to work properly. I've added the firewalld command to make that more explicit. – ostergaard Apr 16 '15 at 02:37
  • Given that your answer doesn't actually address the question, would you mind deleting it or something? – ostergaard Apr 24 '15 at 05:48
  • Anything? Please! – ostergaard May 14 '15 at 05:00