shupike
Enthusiast

Can't allow 21 port (FTP, outgoing) - ESXi 5.5


Hi everybody! I faced some trouble while trying to upload files to FTP. I need to allow port 21 (outgoing connection). But it's not working and I don't understand why. Please look at this:

cd /etc/vmware/firewall
vi ftp_client.xml

<!-- Firewall configuration information for FTP -->
<ConfigRoot>
  <service>
    <id>ftp</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>21</port>
    </rule>
    <rule id='0001'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>21</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>

So I refreshed all these rules:

esxcli network firewall refresh

And this is the list of rules:

Name                     Enabled
-----------------------  -------
sshServer               true
sshClient              false
nfsClient              false
dhcp                    true
dns                     true
snmp                    true
ntpClient               true
CIMHttpServer           true
CIMHttpsServer          true
CIMSLP                  true
iSCSI                  false
vpxHeartbeats           true
updateManager          false
faultTolerance          true
webAccess               true
vMotion                 true
vSphereClient           true
activeDirectoryAll     false
NFC                     true
HBR                     true
ftpClient              false
httpClient             false
gdbserver              false
DVFilter               false
DHCPv6                  true
DVSSync                 true
syslog                 false
IKED                   false
WOL                     true
vSPC                   false
remoteSerialPort       false
vprobeServer           false
rdt                     true
cmmds                   true
vsanvp                  true
rabbitmqproxy           true
ipfam                   true
Trilead_Out_62000_65000 true
SMTPout-25             false
Trilead_In_62000_65000  true
ftp                     true

As you can see, my new rule has been added and it's active. But anyway, I can't connect to FTP through port 21. So I have to disable the firewall every time I'm trying to upload files:

esxcli network firewall unload

How can I allow port 21? What is the problem with my rules, what do you think? Thank you for your answers.

Accepted Solution

MKguy
Virtuoso
There is already a builtin rule for outgoing FTP client access. You do not need to define your own rule, and this might cause a conflict in your configuration (also remember FTP needs another data channel port):

# esxcli network firewall ruleset list | grep -i ftp
ftpClient             false

# esxcli network firewall ruleset rule list | grep -i ftp
ftpClient           Outbound   TCP       Dst                21        21
ftpClient           Inbound    TCP       Src                20        20

In your output the rule is disabled. Remove your custom rule and just enable this builtin rule, this should work fine:

# esxcli network firewall ruleset set --enabled true --ruleset-id ftpClient
/etc/vmware/firewall # esxcli network firewall ruleset list | grep -i ftp
ftpClient              true

# nc -v ftp.someftpserver.com 21
Connection to ftp.someftpserver.com 21 port [tcp/ftp] succeeded!
USER anonymous
331 Please specify the password.
PASS secret
230 Login successful.
PASV
227 Entering Passive Mode.
PWD
257 "/"
QUIT
221 Goodbye.

This builtin service is defined in the default ESXi firewall configuration in /etc/vmware/firewall/service.xml.

  <!-- Just for active mode ftp access -->
  <service id='0021'>
    <id>ftpClient</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>21</port>
    </rule>
    <rule id='0001'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>src</porttype>
      <port>20</port>
    </rule>
    <enabled>false</enabled>
    <required>false</required>
  </service>

-- http://alpacapowered.wordpress.com

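To see why the builtin ftpClient ruleset is enough for the control channel but not for every data channel, here is an added example (my own code, not from MKguy's answer or from VMware) that models the two rules quoted above and checks what an FTP data connection looks like to the host firewall in active versus passive mode. The 227 reply, IP addresses and client ports in it are constructed sample values; the rule matching mirrors the direction/protocol/porttype/port fields of service.xml and is a simplification of the real ESXi firewall.

```python
"""Model of the ESXi ftpClient ruleset versus FTP active/passive data channels.

Added example, not from the original thread: it reproduces the two rules of
the builtin ftpClient service shown above and checks which FTP data
connections they admit.  The PASV reply, addresses and ports below are
constructed sample values.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound", as in service.xml
    protocol: str    # "tcp" or "udp"
    porttype: str    # "src" or "dst": which port of the packet the rule inspects
    begin: int
    end: int

    def matches(self, direction, protocol, src_port, dst_port):
        if direction != self.direction or protocol != self.protocol:
            return False
        port = src_port if self.porttype == "src" else dst_port
        return self.begin <= port <= self.end


# The builtin ftpClient service from /etc/vmware/firewall/service.xml quoted above.
FTP_CLIENT_RULES = (
    Rule("outbound", "tcp", "dst", 21, 21),  # control channel to the server
    Rule("inbound", "tcp", "src", 20, 20),   # active-mode data channel from the server
)


def allowed(rules, direction, protocol, src_port, dst_port):
    """True if any rule of an enabled ruleset admits this connection."""
    return any(r.matches(direction, protocol, src_port, dst_port) for r in rules)


PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Extract (host, port) from a 227 reply; port = p1*256 + p2 (RFC 959)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    a, b, c, d, p1, p2 = map(int, m.groups())
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def port_command(local_ip, local_port):
    """Build the active-mode PORT command the client sends for its listener."""
    return "PORT %s,%d,%d" % (local_ip.replace(".", ","), local_port // 256, local_port % 256)


def data_connection(mode, client_port, pasv_reply=None):
    """Describe the data connection as the ESXi firewall sees it: (direction, src_port, dst_port)."""
    if mode == "active":
        # Server connects from its port 20 to the port the client announced via PORT.
        return ("inbound", 20, client_port)
    if mode == "passive":
        # Client connects from an ephemeral port to the port the server chose in 227.
        _, server_port = parse_pasv(pasv_reply)
        return ("outbound", client_port, server_port)
    raise ValueError(mode)


def data_channel_allowed(mode, client_port, pasv_reply=None, rules=FTP_CLIENT_RULES):
    direction, sport, dport = data_connection(mode, client_port, pasv_reply)
    return allowed(rules, direction, "tcp", sport, dport)


if __name__ == "__main__":
    sample_pasv = "227 Entering Passive Mode (192,168,0,11,195,80)."   # constructed reply
    print("control channel:", allowed(FTP_CLIENT_RULES, "outbound", "tcp", 40001, 21))
    print("active data    :", data_channel_allowed("active", 40002))
    print("passive data   :", data_channel_allowed("passive", 40003, sample_pasv),
          "-> server port", parse_pasv(sample_pasv)[1])
```

Run stand-alone it reports the control channel and the active-mode data channel as allowed and the passive-mode data channel as blocked, because the server's dynamic port from the 227 reply (50000 in the constructed sample) matches neither rule. BusyBox ftpput negotiates its data channel with PASV, so an ftpput transfer is the passive case here even when the control connection on port 21 succeeds.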
5 Replies
ubhatti1985
Contributor

Hi,

Have you allowed incoming port 20 and outgoing port 21?

Thanks

Umar

shupike
Enthusiast

Thank you very much, now it's connecting to my FTP, but: still no results with the ftpput utility (Busybox). I have no idea why it can't connect to the FTP server even if ftpClient=true. It's very strange: when I'm disabling the firewall, ftpput is OK. But it fails with the firewall enabled and ports 20-21 allowed. Maybe it needs some additional ports, what do you think?

Some screenshots:

-----------------------------------
nc -v 192.168.0.11 21
Connection to 192.168.0.11 21 port [tcp/ftp] succeeded!
220 Microsoft FTP Service
-----------------------------------
esxcli network firewall ruleset list | grep -i ftp
ftpClient                   true
----------------------------------
"/vmfs/volumes/datastore1/ftpput/ftpput" -u user12 -p 1234567 192.168.0.11 domain_machine.gz /vmfs/volumes/datanew/backup/domain_machine.gz
ftpput: can't connect to remote host (192.168.0.11): Connection timed out
----------------------------------

So this is the main problem... What can you suggest?

shupike
Enthusiast

Seems to me the problem is in FTP passive mode; I need to allow a wide range of passive mode ports... Do you know exactly what range I should allow in my firewall?

This is a section of my /etc/vmware/firewall/service.xml:

  <!-- Just for active mode ftp access -->
  <service id='0021'>
    <id>ftpClient</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>21</port>
    </rule>
    <rule id='0001'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>src</porttype>
      <port>20</port>
    </rule>
    <enabled>false</enabled>
    <required>false</required>
  </service>

As you can see, this is for active mode only. And I think I should add a new section with a new port range; do you have some example, please?

MKguy
Virtuoso

For passive mode FTP, the port range for data connections depends entirely on the server and can't be controlled from the client.

The client just tells the server it wants to enter passive mode, and the server opens a dynamic port listener itself and notifies the client of this port in the control channel. Unless you have access to the FTP server configuration, there is no way to predict or configure the port range being used.

You could allow all outgoing high-ports (1024-65535) just to the destination IP of the FTP server, if you want to restrict the traffic.

Or you could just use active FTP in this case; there are few disadvantages compared to passive mode in this day and age.

-- http://alpacapowered.wordpress.com
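If you do go the passive route that MKguy describes (allow outbound high ports, but only towards the FTP server's IP), the custom ruleset and the esxcli steps look like this. This is an added example, my own code and not from the thread or from VMware: it writes a service definition in the same format as service.xml, using the `<port><begin>..</begin><end>..</end></port>` range form that ESXi accepts for custom rules, and lists the esxcli commands that enable the ruleset and restrict it to one address with the allowed-IP list. The ruleset name `ftpPassiveClient`, the file name, the service id `0100` and the server address 192.168.0.11 are assumptions chosen for illustration; pick a service id that is not already used in service.xml.

```python
"""Generate a custom ESXi firewall ruleset for passive-mode FTP data channels.

Added example, not code from the thread or from VMware.  It produces a
service definition in the format of /etc/vmware/firewall/service.xml
(the <port><begin>..</begin><end>..</end></port> range form used by ESXi
custom rules) and the esxcli commands that load it and pin it to one server.
The ruleset name, file name, service id and server address are assumptions.
"""
import xml.etree.ElementTree as ET

RULESET_ID = "ftpPassiveClient"                      # assumed name
RULE_FILE = "/etc/vmware/firewall/%s.xml" % RULESET_ID


def passive_ftp_ruleset_xml(ruleset_id=RULESET_ID, begin=1024, end=65535, service_id="0100"):
    """Outbound TCP to the server's dynamic passive port range."""
    if not (1 <= begin <= end <= 65535):
        raise ValueError("bad port range %d-%d" % (begin, end))
    return """<!-- Outbound data channels for passive-mode FTP (added custom rule) -->
<ConfigRoot>
  <service id='%s'>
    <id>%s</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>
        <begin>%d</begin>
        <end>%d</end>
      </port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
""" % (service_id, ruleset_id, begin, end)


def ruleset_covers(xml_text, port):
    """Check whether an outbound TCP connection to `port` matches a rule in the XML.

    Handles both the single <port>N</port> form and the <begin>/<end> range form.
    """
    root = ET.fromstring(xml_text)
    for rule in root.iter("rule"):
        if rule.findtext("direction") != "outbound" or rule.findtext("protocol") != "tcp":
            continue
        if rule.findtext("porttype") != "dst":
            continue
        port_el = rule.find("port")
        if port_el.find("begin") is not None:
            lo, hi = int(port_el.findtext("begin")), int(port_el.findtext("end"))
        else:
            lo = hi = int(port_el.text)
        if lo <= port <= hi:
            return True
    return False


def esxcli_commands(server_ip, ruleset_id=RULESET_ID):
    """Commands to activate the ruleset and restrict it to the FTP server only."""
    return [
        "esxcli network firewall refresh",
        "esxcli network firewall ruleset set --enabled true --ruleset-id %s" % ruleset_id,
        # Turn off the default allow-from-anywhere behaviour so only server_ip qualifies.
        "esxcli network firewall ruleset set --allowed-all false --ruleset-id %s" % ruleset_id,
        "esxcli network firewall ruleset allowedip add --ruleset-id %s --ip-address %s"
        % (ruleset_id, server_ip),
        "esxcli network firewall ruleset allowedip list --ruleset-id %s" % ruleset_id,
    ]


if __name__ == "__main__":
    xml_text = passive_ftp_ruleset_xml()
    print("# write this to %s" % RULE_FILE)
    print(xml_text)
    print("# then run:")
    print("\n".join(esxcli_commands("192.168.0.11")))   # assumed server address
```

Run stand-alone it prints the XML to save as the custom rule file and the commands to run afterwards. Two caveats: a custom XML file under /etc/vmware/firewall/ does not survive a reboot unless it is persisted the way the user did for the Trilead rules in the list above (for example via a local.sh step or an embedded VIB), and the generated rule only admits the passive data channel; the builtin ftpClient ruleset is still needed for the control connection on port 21.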