On Fri, 10 Oct 2003, Sean wrote:
> I have an FTP/SSL server behind a Bering firewall. Problem is this:
>
> Oct 9 20:02:57 firewall Shorewall:net2all:DROP: IN=eth0 OUT=
> MAC=00:03:47:08:40:1a:00:30:7b:fa:18:a8:08:00 SRC=204.60.67.237
> DST=12.243.231.253 LEN=44 TOS=00 PREC=0x00 TTL=112 ID=57030 DF PROTO=TCP
> SPT=22656 DPT=32960 SEQ=1959109775 ACK=0 WINDOW=8192 SYN URGP=0
> Oct 9 20:03:03 firewall Shorewall:net2all:DROP: IN=eth0 OUT=
> MAC=00:03:47:08:40:1a:00:30:7b:fa:18:a8:08:00 SRC=204.60.67.237
> DST=12.243.231.253 LEN=44 TOS=00 PREC=0x00 TTL=112 ID=57542 DF PROTO=TCP
> SPT=22656 DPT=32960 SEQ=1959109775 ACK=0 WINDOW=8192 SYN URGP=0
>
> The setup is this: 3 interface Bering. FTPD/SSL in a DMZ -
> 192.168.2.1. Port-forwarding port 21 to the DMZ. Connecting
> fails when it tries to connect the data channel.
>
> The connection works great from the private network to the DMZ.
>
> Ip_conntrack_ftp and ip_nat_ftp are loaded. A standard FTPD connection
> works just great.
I know almost nothing about FTPD/SSL, but I know about FTP, and I know
about SSL. I would have to say the chances of ip_conntrack_ftp or
ip_nat_ftp helping in any way with FTPD/SSL would be very close to zero,
since these modules depend on examination of the information exchanged
over the control connection, which is what SSL is all about preventing.
I think you will have to fall back on forwarding a specified range of
ports for data connections and configuring your FTPD/SSL server to
restrict itself to those ports. This is only effective for a relatively
small number of connections per minute.
SFTP (ftp over ssl) is a much more practical secure data transfer
mechanism, since it uses only a single connection for all data transfer.
Getting Windows users to use it may be a challenge at this time, though,
because it is not a widely accepted protocol.
---------------------------------------------------------------------------
Jeff Newmiller The ..... ..... Go Live...
DCN:<[EMAIL PROTECTED]> Basics: ##.#. ##.#. Live Go...
Live: OO#.. Dead: OO#.. Playing
Research Engineer (Solar/Batteries O.O#. #.O#. with
/Software/Embedded Controllers) .OO#. .OO#. rocks...2k
---------------------------------------------------------------------------
-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
SourceForge.net hosts over 70,000 Open Source Projects.
See the people who have HELPED US provide better services:
Click here: http://sourceforge.net/supporters.php
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
