On Wed, Feb 11, 2004 at 05:58:05PM +0100, Adam ENDRODI wrote:
> I've got a site running proftpd that only serves files through
> FTP-TLS. The setup works correctly for most cases, with two
> notable exceptions:
>
> -- a colleague of mine has complained that he cannot log in
>    if the Kerio net-sharing tool is active. He claimed
>    that no filtering rule was in effect. OS: W2k

No idea about this one, unless this net-sharing tool does some sort of
NAT and he's behind the box that's doing the sharing. Never heard of
"Kerio net-sharing tool."

> -- one of our customers has difficulties too: his network
>    is behind a microwave-modem gateway. Each box in the
>    internal network has an IP address from the 192.168.x.x/16
>    range, so I suppose the modem must perform some kind
>    of network address translating or transparent proxying.
>    OS: W98

[snip]

> When they tried to connect, the process aborted just before the
> program would ask for the user name and the password, but after the TLS
> negotiation. On the server side, I see only a "QUIT" command
> from the clients, nothing else.

[snip]

I'm not sure why it aborts before the authentication, but even if that
worked, I don't see how anything that requires an ftp-data connection
could work through a NAT box.

I have never used FTP-TLS and have not read any RFCs related to it, but
unless it works more like HTTP than FTP, it's not going to work through
NAT.

For normal FTP, the NAT box watches the FTP command channel and when it
notices the PORT command or a reply from the PASV command, it sets up a
rule for the data connection. When the command channel is encrypted it
cannot do this.

It might be possible to install an FTP proxy on the NAT box and get the
clients to connect to that, but they would have to find one that
supports TLS.

Hope this helps.

-- 
Michael Wood <[EMAIL PROTECTED]>
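The NAT behaviour Michael describes (the box reads the control channel, spots a PORT command or a 227 reply to PASV, rewrites the embedded private address and opens a rule for the data connection) is easy to model. The following is an added example, not code from the thread, from proftpd or from any NAT product: a minimal FTP helper that parses the RFC 959 `h1,h2,h3,h4,p1,p2` host/port encoding, rewrites RFC 1918 addresses to the NAT's public address with a freshly allocated port, records the pinhole, and, when the bytes on the wire are a TLS record instead of an FTP line, forwards them untouched because there is nothing it can parse. The public address `203.0.113.5`, the private client `192.168.1.20`, the server `198.51.100.9`, the port allocation scheme and the sample session are all constructed for the demonstration. It also shows the one case the reply does not separate out: a 227 reply carrying the server's public address is forwarded unchanged, since the client then opens the data connection outbound and the helper has nothing to rewrite.

```python
"""Toy model of a NAT box's FTP helper (ALG). Example code added to the
page; not from the original thread or from proftpd.

The helper inspects control-channel lines. On a PORT command or a 227
(PASV) reply carrying an RFC 1918 address it rewrites that address to
the NAT's public address plus an allocated port and records a pinhole.
Over FTP-TLS the same bytes are ciphertext, so nothing is recognised.
"""
import re
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# RFC 959 host/port encoding used by PORT and by the 227 reply: h1,h2,h3,h4,p1,p2
HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + HOSTPORT + r"\s*$")
PASV_RE = re.compile(r"^227 .*\(" + HOSTPORT + r"\)")


def decode_hostport(groups):
    """('192','168','1','20','4','1') -> ('192.168.1.20', 1025)"""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    """('203.0.113.5', 40000) -> '203,0,113,5,156,64'"""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def is_ftp_text(line):
    """True for printable ASCII plus CR/LF; a TLS record fails this test."""
    return all(32 <= b < 127 or b in (10, 13) for b in line)


def is_rfc1918(ip):
    return any(ip_address(ip) in net for net in RFC1918)


class FtpAlg:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port  # hypothetical allocation: one port per pinhole
        self.pinholes = {}  # (public_ip, public_port) -> (private_ip, private_port)

    def _open_pinhole(self, private_ip, private_port):
        public_port = self.next_port
        self.next_port += 1
        self.pinholes[(self.public_ip, public_port)] = (private_ip, private_port)
        return public_port

    def inspect(self, line):
        """Return (bytes to forward, event). event is None when nothing matched."""
        if not is_ftp_text(line):
            # Encrypted control channel: forwarded as-is, no pinhole possible.
            return line, {"kind": "opaque"}
        text = line.decode("ascii")
        for kind, rx in (("port", PORT_RE), ("pasv", PASV_RE)):
            m = rx.match(text)
            if not m:
                continue
            ip, port = decode_hostport(m.groups())
            if not is_rfc1918(ip):
                # Public address inside the message: nothing to translate.
                return line, {"kind": kind, "rewritten": False}
            public_port = self._open_pinhole(ip, port)
            # Groups 1..6 are contiguous, so splice the new encoding in place.
            new_text = (text[:m.start(1)]
                        + encode_hostport(self.public_ip, public_port)
                        + text[m.end(6):])
            return new_text.encode("ascii"), {
                "kind": kind, "rewritten": True,
                "private": (ip, port), "public": (self.public_ip, public_port)}
        return line, None


# Constructed control-channel transcript: client 192.168.1.20 behind the NAT,
# server 198.51.100.9; the 4th line is what a server behind the NAT would send;
# the last line is a fake TLS application-data record (header 0x17 0x03 0x01).
SAMPLE_SESSION = [
    b"USER anonymous\r\n",
    b"PORT 192,168,1,20,4,1\r\n",
    b"227 Entering Passive Mode (198,51,100,9,195,80)\r\n",
    b"227 Entering Passive Mode (192,168,1,20,195,80)\r\n",
    b"\x17\x03\x01\x00\x1c" + bytes(range(0x80, 0x9c)),
]


def run_session(public_ip, lines):
    alg = FtpAlg(public_ip)
    return [alg.inspect(line) for line in lines], alg.pinholes


if __name__ == "__main__":
    forwarded, pinholes = run_session("203.0.113.5", SAMPLE_SESSION)
    for original, (out, event) in zip(SAMPLE_SESSION, forwarded):
        print(original[:24], "->", out[:32], event)
    print("pinholes:", pinholes)
```

Run as a script it prints each line as forwarded and the pinhole table; the PORT line and the private 227 reply come out rewritten to `203,0,113,5,...`, the public 227 reply passes through unchanged, and the TLS record is flagged opaque. That last case is the whole problem in the reply: with FTP-TLS every line on the control channel looks like that record, so a helper of this kind never fires, and an active-mode data connection from a client behind the NAT has no rule to reach it.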