I guess it's a matter of interpreting their (security folks) intent. (Which
admittedly I don't know)...

Yes, I understand the technical part of your explanation... but the overall
effect is that FTPS is blocked while FTP is not.... if their intent is to
block file transfers, or selectively permit file transfers, then something
is misconfigured. Either the firewall should also deny FTP, or it should
allow FTPS. (Deny both or permit both, or I suppose it makes sense to deny
FTP but allow FTPS)

It seems odd to me that we may "FTP to anywhere[1]", but "FTPS is
effectively blocked". I need to fill out paperwork to get FTPS working, yet
I don't have to do anything to use FTP. Yes, that's obviously an internal
issue.

[1] I haven't tested to see where the bounds of "anywhere" are... in my
case, all these transfers are internal.



On Wed, Jan 6, 2010 at 11:02, Peter Vander Woude <pwo...@harristeeter.com> wrote:

> Don,
>
> It's not so much as blocking ftps and allowing normal ftp.  The normal ftp's
> go thru such that the firewall can do its stateful checking and not cause a
> problem.  With FTPS, the datastream is encrypted by the time it hits the
> firewall, and does not conform to what the firewall thinks about "stateful",
> thus it drops the connection.  For our firewall, that means that if the command
> string coming across does not end with an end of line character (I don't recall
> which one), it considers it a bad record, and terminates the session.
>
> Peter
>
> On Wed, 6 Jan 2010 08:04:36 -0800, Donald Russell
> <russell....@gmail.com> wrote:
>
> >On Wed, Jan 6, 2010 at 06:15, Peter Vander Woude <pwo...@harristeeter.com> wrote:
> >
> >> Don,
> >>
> >>   If your firewall folks just recently upgraded the firewall, it could be
> >> that the upgrade "defaulted", or reset some configuration settings.  For
> >> FTPS, the firewall cannot do what's referred to as "stateful checking".  I
> >> know ours does that, and if it does that on the control connection (and/or
> >> data connection), you will see the error you've been getting.
> >>
> >>
> >That appears to be what happened.... I'll know for sure next week when the
> >firewall people make the change to allow FTPS.
> >
> >For me, the red herring was that regular FTP works fine, which, to me, begs
> >the question: What's the point of blocking FTPS without blocking FTP?
> >
> >Thanks for all the discussion and feedback...
> >
> >----------------------------------------------------------------------
> >For IBM-MAIN subscribe / signoff / archive access instructions,
> >send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
> >Search the archives at http://bama.ua.edu/archives/ibm-main.html
>
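
The firewall behaviour described in this thread, as an added example that is not part of the original messages: a simplified model of a stateful FTP control-channel check, run over constructed plain-FTP and explicit-FTPS byte streams. The function name, the `tls_passthrough` option and the sample bytes are assumptions; CRLF is the standard FTP line ending, and whether a given firewall checks exactly that is also an assumption.

```python
import re

# Constructed client-to-server bytes on the FTP control connection (TCP 21).
PLAIN_FTP = b"USER don\r\nPASS example\r\nPORT 10,0,0,5,195,80\r\nRETR report.txt\r\n"
# Explicit FTPS: AUTH TLS in the clear, then the start of a TLS record
# (constructed bytes, not a real handshake).
FTPS = b"AUTH TLS\r\n" + bytes.fromhex("16030100050100000103")

PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$", re.I)


def inspect_control(stream, tls_passthrough=False, max_line=512):
    """Hypothetical strict FTP helper. Returns (verdict, pinholes).

    Every command must be a printable-ASCII line ending in CRLF; PORT
    commands are parsed so the matching data connection can be permitted.
    """
    pinholes = []
    while stream:
        end = stream.find(b"\r\n")
        if end == -1 or end > max_line:
            # Encrypted records do not look like CRLF-terminated commands.
            return "drop: command not terminated by CRLF", pinholes
        line, stream = stream[:end], stream[end + 2:]
        if not all(32 <= b < 127 for b in line):
            return "drop: non-printable bytes in command", pinholes
        m = PORT_RE.match(line)
        if m:
            # PORT h1,h2,h3,h4,p1,p2 -> data connection to host, p1*256+p2.
            host = ".".join(g.decode() for g in m.groups()[:4])
            pinholes.append((host, int(m.group(5)) * 256 + int(m.group(6))))
        if tls_passthrough and line.upper() == b"AUTH TLS":
            # Assumed relaxed policy: stop parsing once TLS is requested.
            # The helper can no longer learn data ports from PORT commands.
            return "allow: opaque after AUTH TLS", pinholes
    return "allow", pinholes


if __name__ == "__main__":
    for name, data in (("FTP", PLAIN_FTP), ("FTPS", FTPS)):
        print(name, inspect_control(data))
    print("FTPS, passthrough", inspect_control(FTPS, tls_passthrough=True))
```

With passthrough enabled the inspector returns no pinholes for the encrypted session, so the data ports have to be permitted by a static rule instead of being learned from the control channel.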
