
Re: tls ssl ftp connection over iptables



I hope by now you have fixed this.  If not, use tcpdump to see the SYN
packet "that is getting dropped" and look for the ACK, meaning it didn't get
dropped.  Also see what rule in the iptables it is hitting to make sure
it's allowed.

--- Bastien Rocheron <bastien.rocheron@free.fr> wrote:
> oops I don't understand because even in passive mode it hangs (in TLS
> only, it works fine in clear mode)
> 
> Bastien
> 
> 
> Thu, 25 Mar 2004 16:10:13 +0100
> "Volker Tanger" <volker.tanger@detewe.de> Original message:
> 
> > Greetings!
> > 
> > On Sun, 25 Apr 2004 14:17:45 +0200 Bastien Rocheron
> > <bastien.rocheron@free.fr> wrote:
> > 
> > > I have an iptables packet filter which does its job well but when I
> > > decide to allow only tls connections over the ftp server people can
> > > connect on the server in active mode because I said to the packet
> > > filter to let everything come thru the ftp port but just after the
> > > connection is made it hangs and nothing more happens. I suppose it's
> > > because of the data port which is given randomly and this one is
> > > cyphered so the packet filter gets mad about it and drops the
> > > packets.
> > 
> > The FTP-conntrack can't look into the control channel and thus cannot
> > detect which data port will be used - thus no data port is ever
> > opened.
> > 
> > One workaround would be to allow all outgoing connections and use
> > PASSIVE FTP...
> > 
> > Bye
> > 
> > Volker Tanger
> > ITK Security
> > 
> > 
> > -- 
> > To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> > listmaster@lists.debian.org
> 
> 
> 
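
The point made in the quoted reply about the FTP conntrack helper, as an added example that is not part of the original thread: a simplified Python model (not the kernel's code) of how such a helper reads the data port out of cleartext `PORT` / `227` lines and finds nothing to act on once the control channel is a TLS record. Function names and sample payloads are constructed for illustration.

```python
import re

# Lines a cleartext FTP tracking helper looks for on the control channel.
PORT_CMD = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n", re.M)
PASV_REPLY = re.compile(
    rb"^227 [^\r\n]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", re.M)

def expected_data_endpoint(payload: bytes):
    """Return (mode, ip, port) announced in a control payload, else None."""
    for mode, rx in (("active", PORT_CMD), ("passive", PASV_REPLY)):
        m = rx.search(payload)
        if not m:
            continue
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None  # malformed announcement, nothing to expect
        return mode, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    return None

def is_tls_record(payload: bytes) -> bool:
    """True if the payload starts with a TLS record header (type, 0x03, ...)."""
    return len(payload) >= 5 and payload[0] in (20, 21, 22, 23) and payload[1] == 3

def firewall_view(payload: bytes) -> str:
    """What a helper-based packet filter can conclude from one payload."""
    found = expected_data_endpoint(payload)
    if found:
        mode, ip, port = found
        return f"{mode}: expect related data connection to {ip}:{port}"
    if is_tls_record(payload):
        return "TLS record: port announcement unreadable, no expectation created"
    return "no data-port announcement"

# Constructed sample payloads (documentation address ranges).
CLEAR_PASV = b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"
CLEAR_PORT = b"PORT 198,51,100,7,156,64\r\n"
# Application-data record header plus 32 opaque bytes standing in for ciphertext.
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(0x80, 0xA0))

if __name__ == "__main__":
    for sample in (CLEAR_PASV, CLEAR_PORT, TLS_RECORD):
        print(firewall_view(sample))
```

Without an expectation for the data port, the data connection is only accepted if some explicit rule already allows it, which is what the tcpdump and rule-counter checks suggested above would confirm.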

