最近公司的客戶,用ftp連線時,一直被主機的防火牆誤判為攻擊。這個問題是這樣子產生的:公司的防火牆是用csf firewall這個套件,而這個套件如果沒有特別設定的話,對於ftp,很容易誤擋。
根據csf的文件,linux的iptables如果ip_conntrack和ip_conntrack_ftp沒有正常的運作時,FTP的被動模式就無法順利地運作。在這種條件下,我們必須設定ftp的被動通訊埠在防火牆上是被視為可連接的。
以pure-ftp為例子:
(1) 必須修改/etc/pure-ftpd.conf,取消
PassivePortRange 30000 35000
這一行的註解 (注意:此處的port range要和之後步驟,設定CSF的port range相符合)
(2) 重新啟動pure-ftp
(3) 修改csf的config檔 /etc/csf/csf.conf
在 TCP_IN中,加上30000:35000,例如:
# Allow incoming TCP ports
TCP_IN = “20,21,22,25,53,80,110,143,443,465,587,993,995,2077,2078,2082,2083,2086,2087,2095,2096,1891,30000:35000″
(4) 重新啟動csf
這樣子設定之後,防火牆才能和ftp完美的合作。
參考資料:http://www.configserver.com/free/csf/readme.txt
延伸閱讀:如何查看linux server連線port是否異常?
13. A note about FTP Connection Issues ###################################### It is important when using an SPI firewall to ensure FTP client applications are configured to use Passive (PASV) mode connections to the server. On servers running Monolithic kernels (e.g. VPS Virtuozzo/OpenVZ and custom built kernels) ip_conntrack and ip_conntrack_ftp iptables kernel modules may not be available or fully functional. If this happens, FTP passive mode (PASV) won't work. In such circumstances you will have to open a hole in your firewall and configure the FTP server to use that same hole. For example, with pure-ftpd you could add the port range 30000:35000 to TCP_IN and add the following line to /etc/pure-ftpd.conf and then restart pure-ftpd: PassivePortRange 30000 35000 For example, with proftpd you could add the port range 30000:35000 to TCP_IN and add the following line to /etc/proftpd.conf and then restart proftpd: PassivePorts 30000 35000 FTP over SSL/TLS will usually fail when using an SPI firewall. This is because of the way the FTP protocol established a connection between client and server. iptables fails to establish a related connection when using FTP over SSL because the FTP control connection is encrypted and so cannot track the relationship between the connection and the allocation of an ephemeral port. If you need to use FTP over SSL, you will have to open up a passive port block in both csf and your FTP server configuration (see above). Perversely, this makes your firewall less secure, while trying to make FTP connections more secure.