Ubuntu FTP and SFTP client firewall rules for UFW
How to set firewall rules on a client machine that needs to access FTP and SFTP servers?
The default policy on the client's machine is to deny all connections (incoming and outgoing). There are UFW rules that allow:
20/tcp ALLOW OUT Anywhere # FTP Data
21/tcp ALLOW OUT Anywhere # FTP Command
22 ALLOW OUT Anywhere # SSH, SFTP
990 ALLOW OUT Anywhere # FTPS
989 ALLOW OUT Anywhere # FTPS
These work well on the client machine for connecting to FTP/FTPS and authenticating there, but when the FTP client requests a directory tree listing an error occurs:
Error: Failed to retrieve directory listing
Connection log:
Status: Resolving address of xxx.xxx.xxx.xxx
Status: Connecting to 1xx.1xx.2xx.1xx:21...
Status: Connection established, waiting for welcome message...
Status: Initializing TLS...
Status: Verifying certificate...
Status: TLS connection established.
Status: Logged in
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is your current location
Command: TYPE I
Response: 200 TYPE is now 8-bit binary
Command: PASV
Response: 227 Entering Passive Mode (1xx,1xx,2xx,1xx,1xx,2xx)
Command: MLSD
Error: Connection timed out after 20 seconds of inactivity
Error: Failed to retrieve directory listing
If the firewall is turned off there is no error, so the problem is related to the firewall configuration.
What rule needs to be added (preferably as a UFW rule) in order to have the firewall active with a default deny policy but still allow FTP and SFTP connections?
firewall ftp ufw sftp client
Have the client use 'active' mode instead of 'passive' mode. Passive mode needs you to unlock a TON of high-numbered ports in both directions because it uses high-numbered ephemeral ports, among other things (you basically have to permit 1024-65535, and that can be problematic if you're operating in a restricted environment).
– Thomas Ward♦
Feb 25 at 15:23
@ThomasWard Tried with active but it didn't work. Got the log: Response: 500 I won't open a connection to: 10.xx.xxx.xxx
– Jimmix
Feb 25 at 15:28
@ThomasWard 'high-numbered ephemeral ports': I think there was a way of securing this with a stateful firewall configuration or some sort of iptables config that somehow treated a particular ephemeral port as part of the (S)FTP connection and, only for the duration of the (S)FTP session, allowed that ephemeral port to be used to connect in/out to a particular IP. But I don't know how to configure either of the solutions.
– Jimmix
Feb 25 at 15:35
Right, but you still need to allow the traffic outbound to create the connection; stateful just means it'll keep the connection, but you still need to connect before you get a state to track.
– Thomas Ward♦
Feb 25 at 15:40
@ThomasWard Can you limit access to ephemeral ports to only one process, the (S)FTP client?
– Jimmix
Feb 25 at 16:19
asked Feb 25 at 15:17
Jimmix
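Added example, not from the question or its comments: a small POSIX shell helper that decodes the "227 Entering Passive Mode" reply from the log, shows why the data connection is blocked under the rules listed above, and prints a UFW rule scoped to one server's passive range instead of the 1024-65535 blanket that Thomas Ward mentions. The server address 203.0.113.10 and the 50000-50100 passive range are constructed placeholders; the real range has to come from the server's administrator.

```shell
#!/bin/sh
# Added example, not from the Ask Ubuntu post: work out which outbound
# connection the FTPS client actually needs after "227 Entering Passive Mode".
# Sample values (203.0.113.10, passive range 50000-50100) are constructed; the
# real range must come from the server administrator (vsftpd: pasv_min_port /
# pasv_max_port). Only FTP/FTPS needs this; SFTP rides the single port 22
# connection that the existing "22 ALLOW OUT" rule already covers.

# pasv_endpoint '227 ... (h1,h2,h3,h4,p1,p2)' -> prints "h1.h2.h3.h4 PORT",
# PORT = p1*256 + p2. The client must open a NEW outbound TCP connection to
# this endpoint for MLSD; with a default-deny outgoing policy and only
# 20/21/22/989/990 allowed, that connection is dropped and the listing times
# out, exactly as in the log. nf_conntrack_ftp cannot rescue this: the control
# channel is TLS-encrypted, so the helper never sees the 227 reply.
pasv_endpoint() {
    tuple=$(printf '%s\n' "$1" | sed -n 's/.*(\([0-9,]*\)).*/\1/p')
    [ -n "$tuple" ] || return 1
    old_ifs=$IFS
    IFS=,
    set -- $tuple          # split the tuple into h1 h2 h3 h4 p1 p2
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(($5 * 256 + $6))
}

# pasv_in_range PORT MIN MAX -> exit 0 if the negotiated data port falls in
# the range the firewall rule will cover, 1 otherwise.
pasv_in_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# ufw_passive_rule HOST MIN MAX -> prints (does not run) the narrowest UFW
# rule: outbound TCP to that one server on its passive range only, rather
# than a blanket 1024-65535 allow to anywhere.
ufw_passive_rule() {
    printf "ufw allow out to %s proto tcp port %s:%s comment 'FTPS passive data'\n" \
        "$1" "$2" "$3"
}

# Demo with a constructed 227 reply in the same shape as the one in the log.
SAMPLE_REPLY='227 Entering Passive Mode (203,0,113,10,195,100)'
PASV_MIN=50000
PASV_MAX=50100
endpoint=$(pasv_endpoint "$SAMPLE_REPLY")
host=${endpoint% *}
port=${endpoint#* }
if pasv_in_range "$port" "$PASV_MIN" "$PASV_MAX"; then
    echo "data connection goes to $host:$port, inside $PASV_MIN-$PASV_MAX"
else
    echo "data connection goes to $host:$port, OUTSIDE $PASV_MIN-$PASV_MAX: MLSD will time out"
fi
ufw_passive_rule "$host" "$PASV_MIN" "$PASV_MAX"
```

The printed rule only admits connections the client itself initiates to that one server, so the existing default-deny policy stays in place for everything else.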