Firewalld accepting FTP data transfers in passive mode by default?


I would like to ask a quick question about firewalld.

My Red Hat version is below.

[root@server2 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.3 (Maipo)

Firewalld version is below.

[root@server2 ~]# rpm -qa | grep firewalld
firewalld-filesystem-0.4.3.2-8.el7.noarch
firewalld-0.4.3.2-8.el7.noarch

I am using vsftpd in passive mode and have configured firewalld as below. All FTP packets come in on the eth0 interface.

[root@server2 ~]# firewall-cmd --list-all --zone external
external (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
sourceports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.11.0/24" port port="21" protocol="tcp" log prefix="FTP Allow Rule" accept

I also configured the passive data ports as below in vsftpd.conf.

pasv_min_port=30000
pasv_max_port=30001

I expected that the firewall would block the SYN packet from the client side to vsftpd, but it just passed through.

[root@server2 ~]# tcpdump -i eth0 -nn port 30000 or 30001
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:21:11.810838 IP 192.168.11.2.56733 > 192.168.11.12.30001: Flags [S], seq 1386377724, win 29200, options [mss 1460,sackOK,TS val 4829798 ecr 0,nop,wscale 7], length 0
08:21:11.810865 IP 192.168.11.12.30001 > 192.168.11.2.56733: Flags [S.], seq 3584388980, ack 1386377725, win 28960, options [mss 1460,sackOK,TS val 564521 ecr 4829798,nop,wscale 7], length 0
08:21:11.811209 IP 192.168.11.2.56733 > 192.168.11.12.30001: Flags [.], ack 1, win 229, options [nop,nop,TS val 4829799 ecr 564521], length 0

As a result, I was able to transfer the data from the server side to the client side.

[ywatanabe@dellinspiron13z ~]$ lftp 192.168.11.12
lftp 192.168.11.12:~> cd pub
cd ok, cwd=/pub
lftp 192.168.11.12:/pub> ls
-rw-r--r-- 1 0 0 29 Jan 15 08:44 date.txt
-rw-r--r-- 1 72 72 15568 Jan 15 09:28 ftp.pcap
lftp 192.168.11.12:/pub> get date.txt
29 bytes transferred
lftp 192.168.11.12:/pub> quit

Am I missing any configuration that would block the FTP data transfer?
