
Re: tls ssl ftp connection over iptables



Hello

It's not fixed yet. I don't understand what is going on, but I am going to
run some tests and certainly ask more questions on this thread about the
test results.

Thank you,

Bastien


Sat, 27 Mar 2004 03:50:10 +0100
Mike Mestnik <cheako911@yahoo.com> Original message:

> I hope by now you have fixed this.  If not, use TCP dump to see the SYN
> packet ?that is getting dropped? and look for the ACK meaning it didn't
> get dropped.  Also see what rule in the iptables it is hitting to make
> sure it's allowed.
> 
> --- Bastien Rocheron <bastien.rocheron@free.fr> wrote:
> > oops I don't understand because even in passive mode it hangs (in
> > TLS only, it works fine in clear mode)
> > 
> > Bastien
> > 
> > 
> > Thu, 25 Mar 2004 16:10:13 +0100
> > "Volker Tanger" <volker.tanger@detewe.de> Original message:
> > 
> > > Greetings!
> > > 
> > > On Sun, 25 Apr 2004 14:17:45 +0200 Bastien Rocheron
> > > <bastien.rocheron@free.fr> wrote:
> > > 
> > > > I have an iptables packet filter which does its job well, but when
> > > > I decide to allow only TLS connections over the FTP server,
> > > > people can connect to the server in active mode because I told
> > > > the packet filter to let everything come through the FTP port,
> > > > but just after the connection is made it hangs and nothing more
> > > > happens. I suppose it's because of the data port, which is given
> > > > randomly, and this one is ciphered, so the packet filter gets mad
> > > > about it and drops the packets.
> > > 
> > > The FTP-conntrack can't look into the control channel and thus
> > > cannot detect which data port will be used - thus no data port is
> > > ever opened.
> > > 
> > > One workaround would be to allow all outgoing connections and use
> > > PASSIVE FTP...
> > > 
> > > Bye
> > > 
> > > Volker Tanger
> > > ITK Security
> > > 
> > > 
> > > -- 
> > > To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> > > with a subject of "unsubscribe". Trouble? Contact
> > > listmaster@lists.debian.org
> 

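Volker's point about the FTP conntrack helper, as an added illustration that is not part of the original thread: a simplified Python model of control-channel payload inspection (not the kernel helper's code; function names and the sample sessions are constructed for this example). It shows the data port being learned from a cleartext 227 reply and nothing being learned once the channel carries TLS records.

```python
import re

# Active mode, client -> server: PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n", re.M)
# Passive mode, server -> client: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(rb"^227 [^\r\n]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", re.M)

def expected_data_endpoint(payload: bytes):
    """Return the (ip, port) announced in one control segment, or None."""
    m = PORT_RE.search(payload) or PASV_RE.search(payload)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed address or port octet
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def expectations(segments):
    """Every data endpoint a payload-inspecting helper could learn."""
    return [ep for seg in segments if (ep := expected_data_endpoint(seg))]

# Constructed sample: cleartext control channel, passive mode.
CLEAR_SESSION = [
    b"220 ftp ready\r\n",
    b"USER demo\r\n",
    b"331 Password required\r\n",
    b"PASV\r\n",
    b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n",
]

# Constructed sample: after AUTH TLS only TLS records cross the filter,
# so the PASV/227 exchange is inside opaque application data.
TLS_SESSION = [
    b"220 ftp ready\r\n",
    b"AUTH TLS\r\n",
    b"234 AUTH TLS successful\r\n",
    bytes.fromhex("1603010005") + b"\x01\x00\x00\x01\x00",   # handshake record
    bytes.fromhex("170301001c") + bytes(range(0x80, 0x9C)),  # application data
]

if __name__ == "__main__":
    print("cleartext:", expectations(CLEAR_SESSION))
    print("TLS:      ", expectations(TLS_SESSION))
```

With no expectation registered, the data connection is not treated as RELATED and falls through to whatever the ruleset does with new connections on that port.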

