We’ve been using Shorewall for about 3 years now. We basically lock down
everything and then only open up what is absolutely necessary.
Recently, a client has asked us to support the client side of FTPS. Our
service can automatically move data to remote end points using a number
of secure protocols. We’re a little concerned about implementing an FTPS
client because of what is reported as the “firewall problem”:
Because FTP is a port-hopping protocol (i.e. data channels use a random
port chosen during the communication), many firewalls have the ability
to understand the FTP protocol and allow the secondary data connections.
However if the control connection is encrypted using TLS/SSL (or any
other method for that matter) the firewall is not able to get the port
numbers of the data connections from the control connection (since it is
encrypted and the firewall cannot decrypt it). Therefore in many
firewalled networks clear FTP connections will work while FTPS
connections will either completely fail or require the use of passive
mode (assuming all ports >= 1024 to the server are unfiltered).
Has anyone on the list had experience with Shorewall and FTPS? If so,
how would you recommend configuring Shorewall to accommodate FTPS?
Thanks in advance.
Rob
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
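The mechanism the quoted passage describes can be made concrete. The following is an added example, not code from the original post or from Shorewall: it performs the same parsing a firewall's FTP helper (e.g. the kernel's conntrack FTP helper) does on a clear-text control channel to learn the data-channel port from a PASV (227) or EPSV (229) reply, shows that a TLS-wrapped control channel yields nothing to parse, and then emits the static Shorewall `rules` lines an FTPS client behind a default-deny firewall needs instead. The server address 192.0.2.10, the passive range 50000-50100, the zone names `$FW` and `net`, and all sample replies are constructed assumptions.

```python
import re
from typing import Optional, Tuple

# Constructed sample control-channel replies (not captured from a real server).
PASV_REPLY = "227 Entering Passive Mode (192,0,2,10,195,80).\r\n"
EPSV_REPLY = "229 Entering Extended Passive Mode (|||50001|)\r\n"
# Constructed stand-in for what the firewall sees once the control channel is
# under TLS: a record header followed by ciphertext, no parseable reply.
TLS_WRAPPED_REPLY = "\x17\x03\x01\x00\x20\x8f\x1b\xe3\x42\x9a\x07\x5d\xc1\x33\xf0"

_PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV_RE = re.compile(r"229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(reply: str,
                        expected_host: Optional[str] = None
                        ) -> Optional[Tuple[Optional[str], int]]:
    """Extract the data-channel endpoint from a PASV or EPSV reply.

    This mirrors what a clear-text FTP helper does so it can open the
    secondary data connection. Returns (host, port); host is None for EPSV,
    which always reuses the control connection's server address. Returns
    None when nothing parseable is present, which is exactly the situation
    with a TLS-protected control channel.

    If expected_host is given, a PASV reply advertising a different address
    is rejected: a helper that blindly trusts the advertised address can be
    tricked into opening a hole to a third host (the classic FTP bounce).
    """
    m = _PASV_RE.search(reply)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        host = f"{h1}.{h2}.{h3}.{h4}"
        port = p1 * 256 + p2
        if expected_host is not None and host != expected_host:
            return None
        if not 1 <= port <= 65535:
            return None
        return host, port
    m = _EPSV_RE.search(reply)
    if m:
        port = int(m.group(1))
        return (None, port) if 1 <= port <= 65535 else None
    return None


def client_rules(server: str, passive_range: Tuple[int, int]) -> str:
    """Shorewall /etc/shorewall/rules lines for an FTPS *client* behind a
    default-deny firewall: outbound control connection plus the server's
    published passive range. The helper cannot do this dynamically, so the
    range must come from the server operator and is opened only to that host.
    Zone names $FW (this box) and net are assumed."""
    lo, hi = passive_range
    if not (1024 <= lo <= hi <= 65535):
        raise ValueError("passive range must be an ordered range above 1023")
    return "\n".join([
        "#ACTION   SOURCE   DEST                PROTO   DEST PORT(S)",
        f"ACCEPT    $FW      net:{server:<14}  tcp     21",
        f"ACCEPT    $FW      net:{server:<14}  tcp     {lo}:{hi}",
    ])


if __name__ == "__main__":
    print(parse_passive_reply(PASV_REPLY, expected_host="192.0.2.10"))
    print(parse_passive_reply(EPSV_REPLY))
    print(parse_passive_reply(TLS_WRAPPED_REPLY))
    print(client_rules("192.0.2.10", (50000, 50100)))
```

The point of the last function is the trade-off the quoted passage implies: with the control channel encrypted you lose the helper, so the only alternative to opening every port above 1023 is to obtain the server's fixed passive range and pin the rule to that server's address.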