On 08/25/18 05:20, ToddAndMargo wrote:
> Here are my "passive rules"
I don't claim to know how any of this actually works. Yet I do recall the way
connection tracking is handled has changed. Can't find the bugzillas that
gave some insight into the changes. I do run firewalld and I can tell you that if I
do an "iptables -L" there is nothing that seems related to ftp.
But....
The IP address of ftp.yzu.edu.tw is 140.138.144.170. So.....
[egreshko@meimei ~]$ sudo conntrack -L | grep 144
conntrack v1.4.4 (conntrack-tools): 10 flow entries have been shown.
and after doing an ftp session with this host
[egreshko@meimei ~]$ sudo conntrack -L | grep 144
conntrack v1.4.4 (conntrack-tools): 20 flow entries have been shown.
tcp 6 115 TIME_WAIT src=192.168.1.18 dst=140.138.144.170 sport=49923 dport=14874 src=140.138.144.170 dst=192.168.1.18 sport=14874 dport=49923 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp 6 99 TIME_WAIT src=192.168.1.18 dst=140.138.144.170 sport=33475 dport=22211 src=140.138.144.170 dst=192.168.1.18 sport=22211 dport=33475 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp 6 431995 ESTABLISHED src=192.168.1.18 dst=140.138.144.170 sport=45576 dport=21 src=140.138.144.170 dst=192.168.1.18 sport=21 dport=45576 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
Passive FTP works fine. Active does not.
--
Conjecture is just a conclusion based on incomplete information. It isn't a fact.
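An added example (not from the thread or from conntrack-tools) that parses the default `conntrack -L` line format quoted above and groups each FTP control connection on port 21 with the data flows conntrack is tracking to the same server, tagging each as passive (client opened it toward a server high port) or active (server opened it back toward the client). The three sample entries are the ones quoted in the reply, embedded as constructed input; field names and the passive/active inference are this example's own assumptions.

```python
from dataclasses import dataclass

# Constructed sample: the three flow entries quoted above (one passive-FTP control connection on port 21 plus its two data connections).
SAMPLE = """\
tcp 6 115 TIME_WAIT src=192.168.1.18 dst=140.138.144.170 sport=49923 dport=14874 src=140.138.144.170 dst=192.168.1.18 sport=14874 dport=49923 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp 6 99 TIME_WAIT src=192.168.1.18 dst=140.138.144.170 sport=33475 dport=22211 src=140.138.144.170 dst=192.168.1.18 sport=22211 dport=33475 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp 6 431995 ESTABLISHED src=192.168.1.18 dst=140.138.144.170 sport=45576 dport=21 src=140.138.144.170 dst=192.168.1.18 sport=21 dport=45576 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
"""

@dataclass
class Flow:
    proto: str
    timeout: int   # seconds left before conntrack expires the entry
    state: str     # TCP state (TIME_WAIT, ESTABLISHED, ...); empty for UDP lines
    orig: dict     # original direction: src, dst, sport, dport
    reply: dict    # reply direction, as conntrack expects the answer to look
    flags: list    # e.g. ASSURED, UNREPLIED

def parse_flow(line):
    """Parse one default-format `conntrack -L` line; None for banner/summary lines."""
    parts = line.split()
    if len(parts) < 4 or not (parts[1].isdigit() and parts[2].isdigit()):
        return None
    state = parts[3] if "=" not in parts[3] else ""
    tuples, flags, idx = [{}, {}], [], 0
    for tok in parts[3:]:
        if tok.startswith("[") and tok.endswith("]"):
            flags.append(tok.strip("[]"))
        elif "=" in tok:
            key, val = tok.split("=", 1)
            if key == "src" and tuples[0]:   # the second src= starts the reply tuple
                idx = 1
            if key in ("src", "dst", "sport", "dport"):
                tuples[idx][key] = int(val) if key.endswith("port") else val
    return Flow(parts[0], int(parts[2]), state, tuples[0], tuples[1], flags)

def ftp_sessions(output, ftp_port=21):
    """Map each FTP server address to its control flow plus the tracked data flows,
    tagged passive (client opened it to the server) or active (server opened it back)."""
    flows = [f for f in map(parse_flow, output.splitlines()) if f and f.proto == "tcp"]
    sessions = {f.orig["dst"]: {"control": f, "data": []}
                for f in flows if f.orig["dport"] == ftp_port}
    for f in (f for f in flows if f.orig["dport"] != ftp_port):
        if f.orig["dst"] in sessions:         # client -> server high port: PASV data
            sessions[f.orig["dst"]]["data"].append(("passive", f))
        elif f.orig["src"] in sessions:       # server -> client: PORT (active) data
            sessions[f.orig["src"]]["data"].append(("active", f))
    return sessions
```

Feed it saved `sudo conntrack -L` output (or the stdout of a `subprocess.run` of that command) during an FTP transfer; a control entry with no accompanying data flow in the mode you are testing shows that the data connection never reached the tracking table.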