Hi everybody! I'm facing some trouble while trying to upload files to FTP. I need to allow port 21 (outgoing connection). But it's not working and I don't understand why. Please look at this:
cd /etc/vmware/firewall
vi ftp_client.xml
<!-- Firewall configuration information for FTP -->
<ConfigRoot>
  <service>
    <id>ftp</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>21</port>
    </rule>
    <rule id='0001'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>21</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
So I refreshed all these rules:
esxcli network firewall refresh
And this is the list of rules:
Name | Enabled |
----------------------- | ------- |
sshServer | true |
sshClient | false |
nfsClient | false |
dhcp | true |
dns | true |
snmp | true |
ntpClient | true |
CIMHttpServer | true |
CIMHttpsServer | true |
CIMSLP | true |
iSCSI | false |
vpxHeartbeats | true |
updateManager | false |
faultTolerance | true |
webAccess | true |
vMotion | true |
vSphereClient | true |
activeDirectoryAll | false |
NFC | true |
HBR | true |
ftpClient | false |
httpClient | false |
gdbserver | false |
DVFilter | false |
DHCPv6 | true |
DVSSync | true |
syslog | false |
IKED | false |
WOL | true |
vSPC | false |
remoteSerialPort | false |
vprobeServer | false |
rdt | true |
cmmds | true |
vsanvp | true |
rabbitmqproxy | true |
ipfam | true |
Trilead_Out_62000_65000 | true |
SMTPout-25 | false |
Trilead_In_62000_65000 | true |
ftp | true |
As you can see, my new rule has been added and it's active. But anyway, I can't connect to FTP through port 21. So I have to disable the firewall every time I'm trying to upload files:
esxcli network firewall unload
How can I allow port 21? What is the problem with my rules, what do you think? Thank you for your answers.
There is already a builtin rule for outgoing FTP client access. You do not need to define your own rule, and this might cause a conflict in your configuration (also remember FTP needs another data channel port):
# esxcli network firewall ruleset list | grep -i ftp
ftpClient false
# esxcli network firewall ruleset rule list | grep -i ftp
ftpClient Outbound TCP Dst 21 21
ftpClient Inbound TCP Src 20 20
In your output the rule is disabled. Remove your custom rule and just enable this builtin rule, this should work fine:
# esxcli network firewall ruleset set --enabled true --ruleset-id ftpClient
# /etc/vmware/firewall # esxcli network firewall ruleset list | grep -i ftp
ftpClient true
# nc -v ftp.someftpserver.com 21
Connection to ftp.someftpserver.com 21 port [tcp/ftp] succeeded!
USER anonymous
331 Please specify the password.
PASS secret
230 Login successful.
PASV
227 Entering Passive Mode.
PWD
257 "/"
QUIT
221 Goodbye.
This builtin service is defined in the default ESXi firewall configuration in /etc/vmware/firewall/service.xml.
<!-- Just for active mode ftp access -->
<service id='0021'>
  <id>ftpClient</id>
  <rule id='0000'>
    <direction>outbound</direction>
    <protocol>tcp</protocol>
    <porttype>dst</porttype>
    <port>21</port>
  </rule>
  <rule id='0001'>
    <direction>inbound</direction>
    <protocol>tcp</protocol>
    <porttype>src</porttype>
    <port>20</port>
  </rule>
  <enabled>false</enabled>
  <required>false</required>
</service>
Hi,
Have you allowed incoming port 20 and outgoing port 21?
Thanks
Umar
Thank you very much, now it's connecting to my FTP, but there are still no results with the ftpput utility (BusyBox). I have no idea why it can't connect to the FTP server even if ftpClient=true. It's very strange: when I disable the firewall, ftpput is OK. But it fails with the firewall enabled and ports 20-21 allowed. Maybe it needs some additional ports, what do you think?
Some screenshots:
-----------------------------------
nc -v 192.168.0.11 21
Connection to 192.168.0.11 21 port [tcp/ftp] succeeded!
220 Microsoft FTP Service
-----------------------------------
esxcli network firewall ruleset list | grep -i ftp
ftpClient true
----------------------------------
"/vmfs/volumes/datastore1/ftpput/ftpput" -u user12 -p 1234567 192.168.0.11 domain_machine.gz /vmfs/volumes/datanew/backup/domain_machine.gz
ftpput: can't connect to remote host (192.168.0.11): Connection timed out
----------------------------------
So this is the main problem... What can you suggest?
It seems to me the problem is FTP passive mode; I need to allow a wide range of passive mode ports... Do you know exactly what range I should allow in my firewall?
This is section of my /etc/vmware/firewall/service.xml:
<!-- Just for active mode ftp access -->
<service id='0021'>
  <id>ftpClient</id>
  <rule id='0000'>
    <direction>outbound</direction>
    <protocol>tcp</protocol>
    <porttype>dst</porttype>
    <port>21</port>
  </rule>
  <rule id='0001'>
    <direction>inbound</direction>
    <protocol>tcp</protocol>
    <porttype>src</porttype>
    <port>20</port>
  </rule>
  <enabled>false</enabled>
  <required>false</required>
</service>
As you can see, this is for active mode only. And I think I should add a new section with a new port range; do you have some example, please?
For passive mode FTP, the port range for data connections depends entirely on the server and can't be controlled from the client.
The client just tells the server it wants to enter passive mode, and the server opens a dynamic port listener itself and notifies the client of this port in the control channel. Unless you have access to the FTP server configuration, there is no way to predict or configure the port range being used.
You could allow all outgoing high-ports (1024-65535) just to the destination IP of the FTP server, if you want to restrict the traffic.
Or you could just use active FTP in this case; there are few disadvantages over passive mode in this day and age.
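As an added example that is not part of this thread, the script below shows the approach from the last reply: a custom ESXi firewall service that opens outbound TCP 1024-65535 for the passive data channel, with the ruleset then restricted to the FTP server's IP through the allowedip list so the wide range is not reachable for arbitrary hosts. BusyBox ftpput opens its data connection in passive mode, which is why the active-mode ftpClient ruleset alone is not enough for it. The ruleset name ftpPassiveClient, the file name ftp_passive.xml, the service id 0100 and the sample rule-list output are assumptions made for this example; the esxcli subcommands and the <begin>/<end> port-range form are standard ESXi firewall syntax (the host's own Trilead_Out_62000_65000 ruleset is a range rule of the same kind).

```shell
#!/bin/sh
# Added example (not from the thread): build an ESXi firewall service
# definition that permits passive-mode FTP data connections (outbound
# TCP 1024-65535), then lock the ruleset to the FTP server's IP with
# "allowedip" so the wide range is not open to every host.
# Assumptions: ruleset name ftpPassiveClient, file name ftp_passive.xml,
# service id 0100 and server IP 192.168.0.11 are placeholders chosen here.

RULESET_ID="ftpPassiveClient"
RULE_FILE="/etc/vmware/firewall/ftp_passive.xml"

# Reject ranges that are inverted or reach into the privileged ports.
valid_range() {
    [ "$1" -ge 1024 ] 2>/dev/null && [ "$2" -le 65535 ] 2>/dev/null && [ "$1" -le "$2" ]
}

# Emit the service XML on stdout. Port ranges use the <begin>/<end> form
# that the host's own Trilead_Out_62000_65000 ruleset relies on.
gen_passive_ftp_service() {
    low="${1:-1024}"
    high="${2:-65535}"
    valid_range "$low" "$high" || { echo "bad port range $low-$high" >&2; return 1; }
    cat <<EOF
<!-- Passive-mode FTP data channel: outbound high ports, restricted by allowedip -->
<ConfigRoot>
  <service id='0100'>
    <id>${RULESET_ID}</id>
    <rule id='0000'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>
        <begin>${low}</begin>
        <end>${high}</end>
      </port>
    </rule>
    <enabled>false</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# Parse "esxcli network firewall ruleset rule list" output (stdin) and
# succeed only if ruleset $1 has an outbound TCP dst rule ending at port $2.
# Data columns: Ruleset Direction Protocol PortType PortBegin PortEnd
rule_covers() {
    awk -v rs="$1" -v hi="$2" '
        $1 == rs && $2 == "Outbound" && $3 == "TCP" && $4 == "Dst" && $6 == hi { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Write the file and enable the ruleset on a real host; only runs when the
# script is invoked as "sh script.sh apply <server-ip>".
apply_on_host() {
    server_ip="$1"
    gen_passive_ftp_service 1024 65535 > "$RULE_FILE"
    esxcli network firewall refresh
    # Only the FTP server may be reached through this ruleset.
    esxcli network firewall ruleset set --ruleset-id "$RULESET_ID" --allowed-all false
    esxcli network firewall ruleset allowedip add --ruleset-id "$RULESET_ID" --ip-address "$server_ip"
    esxcli network firewall ruleset set --ruleset-id "$RULESET_ID" --enabled true
    esxcli network firewall ruleset rule list | rule_covers "$RULESET_ID" 65535
}

# Constructed sample of the "rule list" output after the rule is loaded
# (not captured from a real host).
SAMPLE_RULES='Ruleset           Direction  Protocol  Port Type  Port Begin  Port End
----------------  ---------  --------  ---------  ----------  --------
ftpClient         Outbound   TCP       Dst                21        21
ftpClient         Inbound    TCP       Src                20        20
ftpPassiveClient  Outbound   TCP       Dst              1024     65535'

if [ "${1:-}" = "apply" ]; then
    apply_on_host "${2:-192.168.0.11}"
else
    gen_passive_ftp_service 1024 65535
    echo "$SAMPLE_RULES" | rule_covers "$RULESET_ID" 65535 && echo "sample rule list covers the passive range"
fi
```

Custom rule files under /etc/vmware/firewall do not survive a reboot, so the file has to be re-created (for example from /etc/rc.local.d/local.sh) or shipped in a VIB. If the server supports active mode, the builtin ftpClient ruleset already covers it and nothing in this script is needed.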