Firewalld passing accepting as default ftp data transfer in passive mode?

    I would like to ask a quick question about firewalld.

    My Red Hat version is below.

    [root@server2 ~]# cat /etc/redhat-release
    Red Hat Enterprise Linux Server release 7.3 (Maipo)

    Firewalld version is below.

    [root@server2 ~]# rpm -qa | grep firewalld
    firewalld-filesystem-0.4.3.2-8.el7.noarch
    firewalld-0.4.3.2-8.el7.noarch

    I am using vsftpd in passive mode and have configured firewalld as below. All ftp packets are coming in on the eth0 interface.

    [root@server2 ~]# firewall-cmd --list-all --zone external
    external (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth0
    sources:
    services: ssh
    ports:
    protocols:
    masquerade: yes
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:
    rule family="ipv4" source address="192.168.11.0/24" port port="21" protocol="tcp" log prefix="FTP Allow Rule" accept

    I also configured the passive data ports as below in vsftpd.conf.

    pasv_min_port=30000
    pasv_max_port=30001

    I expected that the firewall would block the SYN packet to vsftpd from the client side, but it just passed through.

    [root@server2 ~]# tcpdump -i eth0 -nn port 30000 or 30001
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    08:21:11.810838 IP 192.168.11.2.56733 > 192.168.11.12.30001: Flags [S], seq 1386377724, win 29200, options [mss 1460,sackOK,TS val 4829798 ecr 0,nop,wscale 7], length 0
    08:21:11.810865 IP 192.168.11.12.30001 > 192.168.11.2.56733: Flags [S.], seq 3584388980, ack 1386377725, win 28960, options [mss 1460,sackOK,TS val 564521 ecr 4829798,nop,wscale 7], length 0
    08:21:11.811209 IP 192.168.11.2.56733 > 192.168.11.12.30001: Flags [.], ack 1, win 229, options [nop,nop,TS val 4829799 ecr 564521], length 0

    As a result, I was able to transfer data from the server side to the client side.

    [ywatanabe@dellinspiron13z ~]$ lftp 192.168.11.12
    lftp 192.168.11.12:~> cd pub
    cd ok, cwd=/pub
    lftp 192.168.11.12:/pub> ls
    -rw-r--r-- 1 0 0 29 Jan 15 08:44 date.txt
    -rw-r--r-- 1 72 72 15568 Jan 15 09:28 ftp.pcap
    lftp 192.168.11.12:/pub> get date.txt
    29 bytes transferred
    lftp 192.168.11.12:/pub> quit

    Am I missing any configuration to block ftp data transfer?

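A way to check a capture like the one in the post for the symptom it describes, as an added example that is not part of the original post or of firewalld: it parses tcpdump lines, tracks the SYN / SYN-ACK / ACK exchange per flow, and reports every inbound connection that completed its handshake on a server port the zone policy above does not list (21 from the rich rule, 22 from the ssh service). The sample capture is the three packets quoted in the question; the server address and the allowed-port set are taken from the post.

```python
import re

# Sample capture: the three packets quoted in the post (one inbound
# connection to passive data port 30001 completing its handshake).
SAMPLE_CAPTURE = """\
08:21:11.810838 IP 192.168.11.2.56733 > 192.168.11.12.30001: Flags [S], seq 1386377724, win 29200, options [mss 1460,sackOK,TS val 4829798 ecr 0,nop,wscale 7], length 0
08:21:11.810865 IP 192.168.11.12.30001 > 192.168.11.2.56733: Flags [S.], seq 3584388980, ack 1386377725, win 28960, options [mss 1460,sackOK,TS val 564521 ecr 4829798,nop,wscale 7], length 0
08:21:11.811209 IP 192.168.11.2.56733 > 192.168.11.12.30001: Flags [.], ack 1, win 229, options [nop,nop,TS val 4829799 ecr 564521], length 0
"""

# Server ports the external zone in the post intends to accept on eth0:
# 22 from the ssh service and 21 from the rich rule.
ALLOWED_PORTS = {21, 22}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_packets(text):
    """Yield (ts, src, sport, dst, dport, flags) for each TCP line tcpdump printed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["ts"], m["src"], int(m["sport"]),
                   m["dst"], int(m["dport"]), m["flags"])

def completed_handshakes(text, server_ip):
    """Return flows (client_ip, client_port, server_port) that finished the
    SYN, SYN-ACK, ACK exchange toward server_ip, in capture order."""
    state = {}   # (client_ip, client_port, server_port) -> handshake step reached
    done = []
    for _ts, src, sport, dst, dport, flags in parse_packets(text):
        if dst == server_ip and flags == "S":                      # client SYN
            state[(src, sport, dport)] = 1
        elif src == server_ip and flags == "S." and state.get((dst, dport, sport)) == 1:
            state[(dst, dport, sport)] = 2                         # server SYN-ACK
        elif dst == server_ip and flags == "." and state.get((src, sport, dport)) == 2:
            state[(src, sport, dport)] = 3                         # client ACK
            done.append((src, sport, dport))
    return done

def unexpected_accepts(text, server_ip, allowed_ports=ALLOWED_PORTS):
    """Completed inbound connections on server ports the policy does not list."""
    return [f for f in completed_handshakes(text, server_ip) if f[2] not in allowed_ports]

if __name__ == "__main__":
    for client, cport, sport in unexpected_accepts(SAMPLE_CAPTURE, "192.168.11.12"):
        print(f"handshake completed on port {sport} from {client}:{cport}, not in zone policy")
```

Feeding the same function a capture of a session that only touches ports 21 and 22 returns an empty list, so a non-empty result is the signal that something outside the listed ports (here the passive data port) is being accepted.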