CSF + nftables - FTP Passive behaviour
Posted: 15 Dec 2021, 19:11
Hi All,
We have seen a behaviour on all "CloudLinux 8" servers, with the introduction of nftables alongside iptables, on connections using PASV.
For this test, we have ensured that the TCP_IN ports for FTP are defined as 50000-59000 and that Pure-FTPD is configured to use those ports.
With CSF enabled, when we try to connect to a remote FTP server and it tries to list directories, this is the result:
# ftp transfer.xxxxxxx.com
Connected to transfer.xxxxxxx.com (XX.XXXX.XXXX.XXX).
220 Welcome to FTP Server
Name (transfer.xxxxxxx.com:root): user
331 User name okay, need password for user.
Password:
230 User logged in, proceed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (XX,XXX,XXX,XXX,192,4)
ftp: connect: Connection refused
ftp> quit
221 Goodbye.
#
In dmesg, this is the result:
server kernel: Firewall: *TCP_IN Blocked* IN=eno1 OUT= MAC=XXXXX SRC=(FTP_DESTINATION_IP) DST=(THIS_SERVER) LEN=52 TOS=0x02 PREC=0x00 TTL=110 ID=31020 DF PROTO=TCP SPT=20 DPT=60229 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
If we disable the firewall, the connection succeeds.
In TCP_OUT we are not adding the passive ports. The same setup on other CloudLinux 7 servers works fine.
So, TCP_OUT without passive ports for FTP on CL7 or CL6 works perfectly for FTP connections, but on CL8 it fails. We tested this behaviour on 4 x CL8 servers and 6 x CL7 servers.
Is this known, or is there any suggestion that does not result in adding the passive ports to TCP_OUT?
Kind Regards,
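The following is an added example, not part of the post above and not CSF or Pure-FTPD code. It shows the check a practitioner would run before touching TCP_OUT: parse the CSF `*TCP_IN Blocked*` kernel log line, decode the `227 Entering Passive Mode` tuple into the port the remote server actually advertised, and test the blocked destination port against a csf.conf-style TCP_IN list. The log line and PASV reply are constructed from the values quoted in the post, with RFC 5737 documentation addresses standing in for the redacted ones; the TCP_IN value is assumed, since the post only states that 50000-59000 is part of it.

```python
import re

# Constructed sample input modelled on the post. Addresses are RFC 5737
# documentation addresses standing in for the redacted XX.XXX values.
SAMPLE_BLOCK = (
    "server kernel: Firewall: *TCP_IN Blocked* IN=eno1 OUT= MAC=XXXXX "
    "SRC=203.0.113.10 DST=198.51.100.20 LEN=52 TOS=0x02 PREC=0x00 TTL=110 "
    "ID=31020 DF PROTO=TCP SPT=20 DPT=60229 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0"
)
SAMPLE_PASV = "227 Entering Passive Mode (203,0,113,10,192,4)"
# Assumed csf.conf TCP_IN value; the post only says 50000-59000 is included.
SAMPLE_TCP_IN = "20,21,22,25,53,80,110,143,443,50000:59000"

FTP_DATA_PORT = 20  # conventional source port of an active-mode (PORT) data connection

BLOCK_RE = re.compile(r"\*(?P<chain>\w+) Blocked\*")
KV_RE = re.compile(r"(\w+)=(\S*)")
PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
INT_FIELDS = ("SPT", "DPT", "LEN", "TTL", "ID")


def parse_csf_block(line):
    """Parse a CSF 'Firewall: *CHAIN Blocked*' kernel log line into a dict.

    key=value fields become lower-cased entries (numeric ones as int); bare
    TCP/IP flag tokens such as DF, SYN, CWR and ECE are collected in 'flags'.
    """
    m = BLOCK_RE.search(line)
    if not m:
        raise ValueError("not a CSF block line")
    rec = {"chain": m.group("chain"), "flags": set()}
    tail = line[m.end():]
    for key, val in KV_RE.findall(tail):
        rec[key.lower()] = int(val) if key in INT_FIELDS else val
    for tok in tail.split():
        if "=" not in tok:
            rec["flags"].add(tok)
    return rec


def parse_pasv(reply):
    """Decode a 227 reply: (h1,h2,h3,h4,p1,p2) -> ('h1.h2.h3.h4', p1*256 + p2)."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("no PASV tuple in reply")
    h = [int(x) for x in m.groups()]
    return ".".join(map(str, h[:4])), h[4] * 256 + h[5]


def parse_port_spec(spec):
    """Parse a csf.conf-style port list ('21,22,50000:59000') into (lo, hi) ranges."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def port_allowed(port, ranges):
    """True if port falls inside any (lo, hi) range."""
    return any(lo <= port <= hi for lo, hi in ranges)


def classify(block_line, pasv_reply, tcp_in_spec):
    """Relate a blocked packet to the FTP data channel it most plausibly belongs to.

    An inbound SYN from source port 20 is the active-mode (PORT) pattern: the
    remote server dials back to the client. A blocked outbound SYN to the port
    advertised in the 227 reply would be the passive-mode (PASV) pattern.
    """
    blk = parse_csf_block(block_line)
    pasv_ip, pasv_port = parse_pasv(pasv_reply)
    ranges = parse_port_spec(tcp_in_spec)
    inbound_syn = blk.get("proto") == "TCP" and "SYN" in blk["flags"]
    if blk["chain"] == "TCP_IN" and inbound_syn and blk.get("spt") == FTP_DATA_PORT:
        mode = "active (PORT): remote server dialling back from port 20"
    elif blk["chain"] == "TCP_OUT" and blk.get("dpt") == pasv_port:
        mode = "passive (PASV): local client dialling the advertised data port"
    else:
        mode = "not an FTP data-channel pattern"
    return {
        "chain": blk["chain"],
        "src": blk.get("src"),
        "spt": blk.get("spt"),
        "dpt": blk.get("dpt"),
        "pasv_ip": pasv_ip,
        "pasv_port": pasv_port,
        "data_mode": mode,
        "dpt_in_tcp_in": port_allowed(blk.get("dpt", -1), ranges),
    }


if __name__ == "__main__":
    for k, v in classify(SAMPLE_BLOCK, SAMPLE_PASV, SAMPLE_TCP_IN).items():
        print(f"{k:>14}: {v}")
```

Run against the post's own numbers, the 227 tuple `(…,192,4)` decodes to port 49156 on the remote host, while the blocked packet is an inbound SYN from remote port 20 to local port 60229, which lies outside a TCP_IN range of 50000-59000; feed in the real csf.conf TCP_IN value and the real dmesg line to see which case applies on a given server.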