pzednik
Contributor
Contributor

ftpClient switch in esxcfg-firewall behaviour

when using an external ftp-server to put files there from an esx3 host, you have to open all outgoing connections!!!! by using esxcfg-firewall --allowOutgoing.

The switch esxcfg-firewall -enableService ftpClient does'nt work!!!! It opens only port 21, but the (dynamic) dataport are not opened.

It should be well documented and the ftpClient switch should be changed in behaviour or be removed! Also a KB Article should be written!

0 Kudos
4 Replies
Daryll
Expert
Expert

Hey there,

According to a couple of our top support engineers, it should not be nessecary to invoke esxcfg-firewall --allowOutgoing in order to perform the function you're trying to perform.

Since there's probably something specific to your environment going on, or some information missing from the problem description, we can't write a KB article or more documentation without a better understanding of the specific problem you're having. My suggestion would be to open a support ticket with VMware and have them look into this issue.

I'm going to move this posting to the ESX configuration forum for more comments.

-Daryll

0 Kudos
BUGCHK
Commander
Commander

Ah, that rings a bell.

I have seen that problem when I do a scripted installation and fetch some files from a Windows 2000 FTP servers during first-time boot.

The strange thing is that it does[/b] work sometime with the default firewall setup (ftpClient[/u] enabled, but --allowOutgoing[/u] not specified).

0 Kudos
Chiel
Enthusiast
Enthusiast

Have the same problem here...so a specific configuration?

There are numourous threads on this boards alone with firewall problems regarding FTP.

Sometimes it works with the default settings...but most of the time it doesn't.

I wrote a perl script to fetch some files from a W2k3 server. FTP is working fine on that server! Sometimes it will fetch the files just fine, but most of the time it fails the connection.

I just scripted to set --allowOutgoing for the duration of the script en close it when its done. But really, i should just work.

0 Kudos
pzednik
Contributor
Contributor

Hi Daryll,

before posting here, i had a techsupport case running (SR# 372562). The engineer told me, that me sight of the problem is correct and i should make a posting here!

When running a ftp transfer from the esx, the command 'esxcfg-firewall --enableService ftpClient' only opens the control port (tcp/21) but no data channel (neither in active nor in passive mode) will be opened. The port of the data channel is a random port defined by the client or the server (depending on passive or active mode) and is transmitted through the control channel.

Therefore the only way to get ftp running, is to use 'esxcfg-firewall allowOutgoing' because this opens all ports. So there is no real need for the switch 'ftpClient'.

-Peter

0 Kudos