Hello.
I have just installed an ESX 3.5 U4. We have an FTP server where, every night, we make a copy of all our VMs.
This ESX cannot put the files on the FTP server .... I have opened the FTP client port on the "Security Profile" -> firewall tab without problems and
I can connect to the FTP server ... but .... I cannot do an LS, for example; I can change to another folder. I have tried with passive mode off and on ... but
it does not work.
The FTP server is working fine because other ESX hosts are working with it, and I have logged in from my Windows XP with the same user/pass and it works ...
Any idea??
Thanks a lot
Connected to 192.168.18.15 (192.168.18.15).
220 Welcome to xxxxxxxx
Name (192.168.18.15:morado): vmbk
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd backup
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,18,15,72,91)
ftp: connect: Connection refused
ftp>
Seems like the secondary TCP connection for the file transfer (which is also used during the directory listing) from the FTP client to the server is dropped. Have you tried completely disabling the firewall with esxcfg-firewall --allowOutgoing (might as well try esxcfg-firewall --allowIncoming, though it should not be needed in passive FTP)? This sets the iptables INPUT and OUTPUT chains to accept instead of drop.
I tried esxcfg-firewall -e ftpClient and it worked fine for me.
You could also post your OUTPUT chain settings from esxcfg-firewall -q.
I tried esxcfg-firewall -e ftpClient but it does not work....
BUT I ran " esxcfg-firewall --allowOutgoing " and it WORKS ..... ?!?!?! It is logical, but ..... when I open the FTP client in the firewall ... it should not only open port 21 ... it should open port 20 too ...
Thanks a lot, now it is working
root# esxcfg-firewall -e ftpClient
Connected to 192.168.18.15 (192.168.18.15).
220 Welcome to xxxxxx
Name (192.168.18.15:morales): vmbk
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,18,15,42,48)
ftp: connect: Connection refused
ftp>
Francisco Morales López de Gamarra
Vmware VCP | LPI - CCNA
FTP in passive mode does not use port 20, but a high port somewhere above 1023. I would not recommend having the OUTPUT chain completely open by default, so you should change the default policy back to drop with esxcfg-firewall --blockOutgoing as soon as you are done.
Could you post the OUTPUT chain configuration with esxcfg-firewall -q after setting esxcfg-firewall --blockOutgoing and esxcfg-firewall -e ftpClient?
If I enable ftpClient it adds the following rule to the OUTPUT chain:
ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,RELATED
When you applied U4, did you also install ESX350-200903202-UG?
With the latest round of patches my passive FTP now works.
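As an added illustration (not code from the thread or from VMware): decode the 227 reply into the data port the way an FTP client does, then walk a constructed OUTPUT chain modelled on the one posted in this thread the way iptables does (first match wins, chain policy otherwise), to see why the ftpClient rule for dpt:21 alone never matches the data connection while a policy of ACCEPT does. Assumed, not established by the thread: the service console interface name vswif0, and that the data SYN is classed RELATED only when the ftp connection-tracking helper is tracking the control session.

```python
import re
# Constructed sample modelled on the OUTPUT chain posted in the thread (the
# iptables -L -n -v layout that esxcfg-firewall -q prints), trimmed to the
# rules that matter for an outbound FTP client.
OUTPUT_CHAIN = """\
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
10712 42M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
4397 3271K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,RELATED
2 120 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
"""
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def pasv_endpoint(reply):
    """Decode a 227 reply: data host is h1.h2.h3.h4, data port is p1*256 + p2."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def parse_chain(text):
    """Return (policy, rules); a rule is (target, proto, out_iface, dport, states)."""
    lines = text.strip().splitlines()
    policy = re.search(r"\(policy (\w+)", lines[0]).group(1)
    rules = []
    for line in lines[2:]:  # skip the chain header and the column header
        f = line.split()
        target, proto, out_if, extra = f[2], f[3], f[6], " ".join(f[9:])
        m = re.search(r"dpt:(\d+)", extra)
        dport = int(m.group(1)) if m else None  # None: any destination port
        m = re.search(r"(?:ct)?state (\S+)", extra)
        states = set(m.group(1).split(",")) if m else None  # None: any state
        rules.append((target, proto, out_if, dport, states))
    return policy, rules

def verdict(chain_text, proto, dport, ctstate, out_if="vswif0"):  # vswif0: assumed iface
    """First-match walk of one chain for one packet; policy applies if nothing matches."""
    policy, rules = parse_chain(chain_text)
    for target, r_proto, r_out, r_dport, r_states in rules:
        if r_proto not in ("all", proto) or r_out not in ("*", out_if):
            continue
        if (r_dport is not None and r_dport != dport) or (r_states is not None and ctstate not in r_states):
            continue
        return target
    return policy

def pasv_data_verdict(chain_text, pasv_reply, ftp_helper_tracks=False):
    """Verdict for the client's SYN to the PASV data port. Assumption: the SYN is
    RELATED only if the ftp conntrack helper tracks the session, else it is NEW."""
    port = pasv_endpoint(pasv_reply)[1]
    return port, verdict(chain_text, "tcp", port, "RELATED" if ftp_helper_tracks else "NEW")
```

Run against the two 227 replies quoted in the thread, the data port comes out as 18523 and 10800, well above 1023 and matched by no dpt: rule, so the SYN falls through to the final REJECT unless it is classed RELATED.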
Hello, it is not an update, it is a fresh new installation.
I have another ESX 3.5 U3 ... so if I update it to U4, it could connect to my FTP server too.
Thank you for the information.
-
Francisco Morales López de Gamarra
Vmware VCP | LPI - CCNA
Here is the esxcfg-firewall -q output
Chain INPUT (policy DROP 3942 packets, 465K bytes)
pkts bytes target prot opt in out source destination
10712 42M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3281 599K valid-tcp-flags tcp -- * * 0.0.0.0/0 0.0.0.0/0
3281 599K valid-source-address !udp -- * * 0.0.0.0/0 0.0.0.0/0
4040 488K valid-source-address-udp udp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 valid-source-address tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
0 0 icmp-in icmp -- * * 0.0.0.0/0 0.0.0.0/0
3317 601K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:902 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
62 20336 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:427
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:427 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5989 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
10712 42M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
4403 3271K valid-tcp-flags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 icmp-out icmp -- * * 0.0.0.0/0 0.0.0.0/0
36 2084 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:53
4397 3271K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:902 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:427
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:427 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:902 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3260 state NEW
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
506 121K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:902 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:27000 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:27010 state NEW
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,RELATED
2 120 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain icmp-in (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain icmp-out (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain log-and-drop (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 7
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain valid-source-address (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 127.0.0.1 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255
Chain valid-source-address-udp (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 127.0.0.1 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/8 0.0.0.0/0
Chain valid-tcp-flags (2 references)
pkts bytes target prot opt in out source destination
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05
Incoming and outgoing ports blocked by default.
Enabled services: CIMSLP VCB swISCSIClient CIMHttpsServer sshClient vpxHeartbeats LicenseClient ftpClient sshServer
Opened ports:
Francisco Morales López de Gamarra
Vmware VCP | LPI - CCNA