FMorales
Contributor

FTP connection refused with FTP client open port in ESX firewall


Hello.

I have just installed an ESX 3.5 U4. We have an FTP server where every night we make a copy of all our VMs.

This ESX cannot put the files on the FTP server .... I have opened the FTP client port on the "Security Profile" -> firewall tab without problems and I can connect to the FTP server ... but .... I cannot do an LS, for example; I can change to another folder. I have tried with passive mode off and on ... but it does not work.

The FTP server is working fine because other ESX hosts are working with it, and I have logged in from my Windows XP with the same user/pass and it works ...

Any idea??

Thanks a lot

# ftp 192.168.18.15
Connected to 192.168.18.15 (192.168.18.15).
220 Welcome to xxxxxxxx
Name (192.168.18.15:morado): vmbk
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd backup
250 Directory successfully changed.
ftp> ls
227 Entering Passive Mode (192,168,18,15,72,91)
ftp: connect: Connection refused
ftp>

Francisco Morales López de Gamarra Vmware VCP | LPI - CCNA

Accepted Solutions
MKguy
Virtuoso

Seems like the secondary TCP connection for the file transfer (which is also used during the directory listing) from the FTP client to the server is dropped. Have you tried completely disabling the firewall with esxcfg-firewall --allowOutgoing (might as well try esxcfg-firewall --allowIncoming, though it should not be needed in passive FTP)? This sets the iptables INPUT and OUTPUT chains to accept instead of drop.

I tried esxcfg-firewall -e ftpClient and it worked fine for me.

You could also post your OUTPUT chain settings from esxcfg-firewall -q.

-- http://alpacapowered.wordpress.com

6 Replies
FMorales
Contributor

I tried esxcfg-firewall -e ftpClient but it does not work....

BUT I ran " esxcfg-firewall --allowOutgoing " and it WORKS ..... ?!?!?! It is logical, but ..... when I open the FTP client in the firewall ... it should not only open port 21 ... it should open port 20 too ...

Thanks a lot, now it is working

root# esxcfg-firewall -e ftpClient
# ftp 192.168.18.15
Connected to 192.168.18.15 (192.168.18.15).
220 Welcome to xxxxxx
Name (192.168.18.15:morales): vmbk
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,18,15,42,48)
ftp: connect: Connection refused
ftp>

Francisco Morales López de Gamarra

Vmware VCP | LPI - CCNA
MKguy
Virtuoso

FTP in passive mode does not use port 20, but a high port somewhere above 1023. I would not recommend having the OUTPUT chain completely open by default, so you should change the default policy back to drop with esxcfg-firewall --blockOutgoing as soon as you are done.

Could you post the OUTPUT chain configuration with esxcfg-firewall -q after setting esxcfg-firewall --blockOutgoing and esxcfg-firewall -e ftpClient?

If I enable ftpClient it adds the following rule to the OUTPUT chain:

ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,RELATED

-- http://alpacapowered.wordpress.com
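As an added illustration (not code from any poster in this thread), the following Python decodes the 227 reply from the failing session above and walks an excerpt of the ESX OUTPUT chain the way iptables does, first match wins. It shows why the control connection to port 21 is accepted by the ftpClient rule while a NEW connection to the high passive data port falls through to the final REJECT; the data connection would only pass the RELATED,ESTABLISHED rule if connection tracking had flagged it RELATED, which for FTP requires the kernel's FTP conntrack helper. The three-rule chain excerpt is copied from the esxcfg-firewall -q output posted later in the thread and the rule parsing is a simplification that ignores interfaces and addresses.

```python
import re

# Constructed input: the three OUTPUT chain rules from the posted esxcfg-firewall -q
# output that decide the fate of an outgoing FTP connection (iptables -L -v -n layout).
OUTPUT_CHAIN = """\
4397 3271K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,RELATED
2 120 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
"""
PASV_RE = re.compile(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def pasv_endpoint(reply):
    """Decode a 227 reply: host is the first four numbers, port is p1 * 256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 Entering Passive Mode reply")
    n = [int(x) for x in m.groups()]
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def parse_rules(text):
    """Keep target, protocol, destination port and conntrack states of each rule line."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # header or blank line
        dport = re.search(r"dpt:(\d+)", line)
        states = re.search(r"(?:ct)?state ([A-Z,]+)", line)
        rules.append({"target": fields[2], "proto": fields[3],
                      "dport": int(dport.group(1)) if dport else None,
                      "states": set(states.group(1).split(",")) if states else set()})
    return rules

def verdict(rules, proto, dport, state, policy="DROP"):
    """First matching rule wins, as in iptables; otherwise the chain policy applies."""
    for r in rules:
        if r["proto"] not in ("all", proto):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["states"] and state not in r["states"]:
            continue
        return r["target"]
    return policy

if __name__ == "__main__":
    rules = parse_rules(OUTPUT_CHAIN)
    host, port = pasv_endpoint("227 Entering Passive Mode (192,168,18,15,72,91)")
    print("port 21, NEW:", verdict(rules, "tcp", 21, "NEW"))          # ACCEPT
    print(f"{host}:{port}, NEW:", verdict(rules, "tcp", port, "NEW"))  # REJECT
    print(f"{host}:{port}, RELATED:", verdict(rules, "tcp", port, "RELATED"))  # ACCEPT
```

The two rejected packets counted on the REJECT line of the posted chain match the two failed ls attempts in the sessions above.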
stevesvt
Contributor

When you applied U4, did you also install ESX350-200903202-UG?

With the latest round of patches my passive FTP now works.

FMorales
Contributor

Hello, it is not an update, it is a fresh new installation.

I have another ESX 3.5 U3 ... so if I update to U4, they could connect to my FTP server too.

Thank you for the information.

Francisco Morales López de Gamarra

Vmware VCP | LPI - CCNA
FMorales
Contributor

Here is the esxcfg-firewall -q output

# esxcfg-firewall -q
Chain INPUT (policy DROP 3942 packets, 465K bytes)
pkts bytes target prot opt in out source destination
10712 42M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3281 599K valid-tcp-flags tcp -- * * 0.0.0.0/0 0.0.0.0/0
3281 599K valid-source-address !udp -- * * 0.0.0.0/0 0.0.0.0/0
4040 488K valid-source-address-udp udp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 valid-source-address tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
0 0 icmp-in icmp -- * * 0.0.0.0/0 0.0.0.0/0
3317 601K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:902 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
62 20336 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:427
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:427 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:5989 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
10712 42M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
4403 3271K valid-tcp-flags tcp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 icmp-out icmp -- * * 0.0.0.0/0 0.0.0.0/0
36 2084 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:53
4397 3271K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:902 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spts:67:68 dpts:67:68
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:427
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:427 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:902 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3260 state NEW
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
506 121K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:902 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:27000 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:27010 state NEW
2 120 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 ctstate NEW,RELATED
2 120 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain icmp-in (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain icmp-out (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain log-and-drop (7 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 7
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain valid-source-address (2 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 127.0.0.1 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/8 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 255.255.255.255

Chain valid-source-address-udp (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 127.0.0.1 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/8 0.0.0.0/0

Chain valid-tcp-flags (2 references)
pkts bytes target prot opt in out source destination
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x11/0x01
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x18/0x08
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x30/0x20
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 log-and-drop tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x05/0x05

Incoming and outgoing ports blocked by default.
Enabled services: CIMSLP VCB swISCSIClient CIMHttpsServer sshClient vpxHeartbeats LicenseClient ftpClient sshServer
Opened ports:
#

Francisco Morales López de Gamarra

Vmware VCP | LPI - CCNA