ISPConfig firewall problem closing Port 21

Discussion in 'Installation/Configuration' started by coen, Aug 29, 2007.

  1. coen

    coen New Member

    Hi,

    I'm running a web server with SUSE 10.2 configured with ISPConfig.
    I'm also using the ISPConfig firewall, but I can't configure it properly for port 21.
    I do run ProFTPD, but on a different port; when I try to close port 21 in ISPConfig it stays open, although ProFTPD is running on another port.
    The bastille-firewall.cfg shows under TCP_PUBLIC_SERVICES the non-default FTP port, the other running services and the FTP PASV mode ports.
    Port 21 isn't in there, but I'm not able to get it closed. Could anyone help me out?

    TCP_PUBLIC_SERVICES="4321 22 80 81 443 2000:2019" # MINIMAL/SAFEST
    UDP_PUBLIC_SERVICES="" # MINIMAL/SAFEST
    TCP_INTERNAL_SERVICES="" # MINIMAL/SAFEST
    UDP_INTERNAL_SERVICES=""
     
  2. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    How did you test whether the port is open? Did you test it from an external server or workstation?
     
  3. coen

    coen New Member

    I tried two different port scanners running on a separate PC (laptop on a UMTS connection).
    Other ports seem to respond to changes made in the ISPConfig firewall; only changes to port 21 don't seem to have any effect.
    ProFTPD is running on a different port; shutting down ProFTPD and closing the other ProFTPD port makes no difference.
    What else could keep this port open?
     
  4. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Are you sure that there is no other firewall installed on your server? Please post the output of:

    iptables -L
     
  5. coen

    coen New Member

    As far as I know, none. I just followed the tutorial The Perfect Setup - OpenSuSE 10.2 (32-bit) and moved the ProFTPD port to a non-default port by changing these two lines in proftpd.conf:
    Port 4321
    PassivePorts 2000 2019

    iptables -L output gives:
    --------------------------------------------------------
    Chain INPUT (policy DROP)
    target prot opt source destination
    DROP tcp -- anywhere loopback/8
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT 0 -- anywhere anywhere
    DROP 0 -- BASE-ADDRESS.MCAST.NET/4 anywhere
    PUB_IN 0 -- anywhere anywhere
    PUB_IN 0 -- anywhere anywhere
    PUB_IN 0 -- anywhere anywhere
    PUB_IN 0 -- anywhere anywhere
    DROP 0 -- anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    DROP 0 -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    PUB_OUT 0 -- anywhere anywhere
    PUB_OUT 0 -- anywhere anywhere
    PUB_OUT 0 -- anywhere anywhere
    PUB_OUT 0 -- anywhere anywhere

    Chain INT_IN (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    DROP 0 -- anywhere anywhere

    Chain INT_OUT (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    ACCEPT 0 -- anywhere anywhere

    Chain PAROLE (6 references)
    target prot opt source destination
    ACCEPT 0 -- anywhere anywhere

    Chain PUB_IN (4 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    PAROLE tcp -- anywhere anywhere tcp dpt:ctsd
    PAROLE tcp -- anywhere anywhere tcp dpt:ssh
    PAROLE tcp -- anywhere anywhere tcp dpt:http
    PAROLE tcp -- anywhere anywhere tcp dpt:hosts2-ns
    PAROLE tcp -- anywhere anywhere tcp dpt:https
    PAROLE tcp -- anywhere anywhere tcp dpts:cslistener:2019
    DROP icmp -- anywhere anywhere
    DROP 0 -- anywhere anywhere

    Chain PUB_OUT (4 references)
    target prot opt source destination
    ACCEPT 0 -- anywhere anywhere
     
  6. till

    till Super Moderator Howtoforge Staff HowtoForge Supporter ISPConfig Developer

    Port 21 is closed in the firewall according to the iptables output.
     
  7. coen

    coen New Member

    yeah, I agree ;-)
    But when I do a port scan it says the port is open?
    When I try to connect to port 21 using FTP it says connected (but doesn't seem to be able to find a service behind the port).
    The non-default FTP port connects fine...
    When I move the ProFTPD service back to port 21 and try to connect using a DOS shell it gives me: connected to <ip>. (but it doesn't log in).
    However, if I connect to a different port it doesn't give me the "connected to <ip>" message but instead: ftp connect: unknown error number.
    What could cause this difference in behaviour?
     
  8. falko

    falko Super Moderator Howtoforge Staff Moderator HowtoForge Supporter ISPConfig Developer

    Are there any ProFTPD errors in your logs?
     
  9. coen

    coen New Member

    Finally I found out it doesn't have anything to do with my ISPConfig configuration, but my SpeedStream seems to respond with port 21 open, even if nothing is connected to it :confused:
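The two symptoms in this thread ("connected" on port 21 with no FTP service behind it, versus a real greeting on the non-default port) can be told apart from outside by reading what answers after the TCP handshake. The following is an added example, not code from the thread or from ISPConfig; it assumes the probe runs from a host outside the firewall, and the local listeners in demo() are constructed stand-ins for a real ProFTPD greeting, a device that merely completes the handshake (as the SpeedStream did), and a genuinely closed port.

```python
import socket
import threading

def classify_banner(banner: bytes) -> str:
    # A real FTP daemon greets with a "220" reply as soon as the session is up;
    # a device that merely completes the handshake sends nothing at all.
    if banner.startswith(b"220"):
        return "ftp"
    return "open-other" if banner else "open-silent"

def probe(host: str, port: int, timeout: float = 3.0) -> str:
    # 'closed' when no handshake completes, otherwise what spoke first
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return classify_banner(s.recv(256))
            except socket.timeout:
                return "open-silent"      # connected, but nobody said a word
    except OSError:                       # refused, unreachable or filtered
        return "closed"

def _listen(banner: bytes, hold: threading.Event) -> int:
    # constructed local listener: accepts once, sends `banner` (maybe empty), waits
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
            hold.wait(3)                  # keep the session open, as the router did
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def demo() -> dict:
    # constructed stand-ins: a real FTP greeting, a silent accept, a closed port
    hold = threading.Event()
    ftp_port = _listen(b"220 ProFTPD Server ready.\r\n", hold)
    silent_port = _listen(b"", hold)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                         # nothing listens here any more
    results = {name: probe("127.0.0.1", port, timeout=1.0)
               for name, port in [("ftp", ftp_port), ("silent", silent_port),
                                  ("closed", closed_port)]}
    hold.set()
    return results
```

A scanner that reports "open" only tells you the handshake completed; an "open-silent" result on port 21 from outside, while iptables shows no ACCEPT for it, points at a device in the path rather than at the server's firewall.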
     