Solved: Re: Can't allow 21 port (FTP, outgoing) - ESXi 5.5

shupike · ‎07-08-2016

Hi everybody! Faced with some trouble while trying to upload files to FTP. Need to allow 21 port (outgoing connection). But it's not worked and I don't understand why. Please look at this:

cd /etc/vmware/firewall

vi ftp_client.xml

<direction>outbound</direction>

</rule>

<direction>inbound</direction>

</rule>

<required>false</required>

</service>

</ConfigRoot>

So I refreshed all these rules:

esxcli network firewall refresh

And this is list of rules:

Name

Enabled

----------------------- -------

sshServer	true
sshClient	false
nfsClient	false
dhcp	true
dns	true
snmp	true
ntpClient	true
CIMHttpServer	true
CIMHttpsServer	true
CIMSLP	true
iSCSI	false
vpxHeartbeats	true
updateManager	false
faultTolerance	true
webAccess	true
vMotion	true
vSphereClient	true
activeDirectoryAll	false
NFC	true
HBR	true
ftpClient	false
httpClient	false
gdbserver	false
DVFilter	false
DHCPv6	true
DVSSync	true
syslog	false
IKED	false
WOL	true
vSPC	false
remoteSerialPort	false
vprobeServer	false
rdt	true
cmmds	true
vsanvp	true
rabbitmqproxy	true
ipfam	true
Trilead_Out_62000_65000	true
SMTPout-25	false
Trilead_In_62000_65000	true
ftp	true

As you can see - my new rule has been added and it's active. But - anyway - I can't connect to FTP through 21 port. So I should disable firewall any time I'm trying to upload files:

esxcli network firewall unload

How can I allow 21 port? What is the problem with my rules - how do you think? Thank you for answers.

MKguy · ‎07-08-2016

There is already a builtin rule for outgoing FTP client access. You do not need to define your own rule, and this might cause a conflict in your configuration (also remember FTP needs another data channel port):

# esxcli network firewall ruleset list | grep -i ftp

ftpClient false

# esxcli network firewall ruleset rule list | grep -i ftp

ftpClient Outbound TCP Dst 21 21

ftpClient Inbound TCP Src 20 20

In your output the rule is disabled. Remove your custom rule and just enable this builtin rule, this should work fine:

# esxcli network firewall ruleset set --enabled true --ruleset-id ftpClient

# /etc/vmware/firewall # esxcli network firewall ruleset list | grep -i ftp

ftpClient true

# nc -v ftp.someftpserver.com 21

Connection to ftp.someftpserver.com 21 port [tcp/ftp] succeeded!

USER anonymous

331 Please specify the password.

PASS secret

230 Login successful.

PASV

227 Entering Passive Mode.

PWD

257 "/"

QUIT

221 Goodbye.

This builtin service is defined in the default ESXi firewall configuration in /etc/vmware/firewall/service.xml.

<service id='0021'>

    <id>ftpClient</id>

    <rule id='0000'>

      <direction>outbound</direction>

      <protocol>tcp</protocol>

      <porttype>dst</porttype>

      <port>21</port>

    </rule>

    <rule id='0001'>

      <direction>inbound</direction>

      <protocol>tcp</protocol>

      <porttype>src</porttype>

      <port>20</port>

    </rule>

    <enabled>false</enabled>

    <required>false</required>

</service>

-- http://alpacapowered.wordpress.com

View solution in original post

ubhatti1985 · ‎07-08-2016

Hi,

Have you allowed incoming port 20 and outgoing port 21?

Thanks

Umar

MKguy · ‎07-08-2016

There is already a builtin rule for outgoing FTP client access. You do not need to define your own rule, and this might cause a conflict in your configuration (also remember FTP needs another data channel port):

# esxcli network firewall ruleset list | grep -i ftp

ftpClient false

# esxcli network firewall ruleset rule list | grep -i ftp

ftpClient Outbound TCP Dst 21 21

ftpClient Inbound TCP Src 20 20

In your output the rule is disabled. Remove your custom rule and just enable this builtin rule, this should work fine:

# esxcli network firewall ruleset set --enabled true --ruleset-id ftpClient

# /etc/vmware/firewall # esxcli network firewall ruleset list | grep -i ftp

ftpClient true

# nc -v ftp.someftpserver.com 21

Connection to ftp.someftpserver.com 21 port [tcp/ftp] succeeded!

USER anonymous

331 Please specify the password.

PASS secret

230 Login successful.

PASV

227 Entering Passive Mode.

PWD

257 "/"

QUIT

221 Goodbye.

This builtin service is defined in the default ESXi firewall configuration in /etc/vmware/firewall/service.xml.

<service id='0021'>

    <id>ftpClient</id>

    <rule id='0000'>

      <direction>outbound</direction>

      <protocol>tcp</protocol>

      <porttype>dst</porttype>

      <port>21</port>

    </rule>

    <rule id='0001'>

      <direction>inbound</direction>

      <protocol>tcp</protocol>

      <porttype>src</porttype>

      <port>20</port>

    </rule>

    <enabled>false</enabled>

    <required>false</required>

</service>

-- http://alpacapowered.wordpress.com

shupike · ‎07-08-2016

Thank you very much, now it's connecting to my FTP, but: still no results with ftpput utility (Busybox). I have no idea why it can't connect to FTP-server even if ftpClient=true. It's very strange - when I'm disabling firewall - ftpput is OK. But failed with enabled firewall and 20-21 ports allowed. May be it needs some additional ports - how do you think?

Some screenshots:

-----------------------------------

nc -v 192.168.0.11 21

Connection to 192.168.0.11 21 port [tcp/ftp] succeeded!

220 Microsoft FTP Service

-----------------------------------

esxcli network firewall ruleset list | grep -i ftp

ftpClient true

----------------------------------

"/vmfs/volumes/datastore1/ftpput/ftpput" -u user12 -p 1234567 192.168.0.11 domain_machine.gz /vmfs/volumes/datanew/backup/domain_machine.gz

ftpput: can't connect to remote host (192.168.0.11): Connection timed out

----------------------------------

So this is a main problem... What can you suggest?

shupike · ‎07-11-2016

Seems to me problem is in FTP passive mode - I need to allow wide range of passive mode ports... Do you know what exactly range should I allow in my firewall?

This is section of my /etc/vmware/firewall/service.xml:

<id>ftpClient</id>

<direction>outbound</direction>

</rule>

<direction>inbound</direction>

</rule>

<enabled>false</enabled>

<required>false</required>

</service>

As you can see this is for active mode only. And I think I should add new section with new port range - do you have some example, please?

MKguy · ‎07-11-2016

For passive mode FTP, the port range for data connections depends entirely on the server and can't be controlled form the client.

The client just tells the server it wants to enter passive mode, and the server opens a dynamic port listener itself and notifies the client of this port in the control channel. Unless you have access to the FTP server configuration, there is no way to predict or configure the port range being used.

You could allow all outgoing high-ports (1024-65535) just to the destination IP of the FTP server, if you want to restrict the traffic.

Or you could just use active FTP in this case, there are little disadvantages over passive mode in this day and age.

-- http://alpacapowered.wordpress.com

All

Can't allow 21 port (FTP, outgoing) - ESXi 5.5