
Re: FTP-TLS



On Thu, Feb 12, 2004 at 11:57:26AM +0200, Michael Wood wrote:
> On Wed, Feb 11, 2004 at 05:58:05PM +0100, Adam ENDRODI wrote:
> > I've got a site running proftpd that only serves files through
> > FTP-TLS.  The setup works correctly for most cases, with two
> > notable exceptions:
> > 
> >   -- a colleague of mine has complained that he cannot login
> >      if the Kerio net-sharing tool is active.  He claimed
> >      that no filtering rule was in effect.  OS: W2k
> 
> No idea about this one, unless this net-sharing tool does some sort of
> NAT and he's behind the box that's doing the sharing.  Never heard of
> "Kerio net-sharing tool."

Kerio WinRoute is an all-in-one suite which is capable of
filtering, network address translating and can act as a proxy
for various protocols. (No ad intended) "net-sharing tool" is the
term the colleague applied to it.

> I'm not sure why it aborts before the authentication, but even if that
> worked, I don't see how anything that requires an ftp-data connection
> could work through a NAT box.  I have never used FTP-TLS and have not
> read any RFCs related to it, but unless it works more like HTTP than
> FTP, it's not going to work through NAT.

It does.  One of my test boxen is a Windows 98 and is behind
two firewalls and three levels of NAT (actually, masquerading).
It works the same way as "Firewall-friendly" (i.e. passive) FTP,
though not under any circumstances it seems, to my despair :(

> For normal FTP, the NAT box watches the FTP command channel and when it
> notices the PORT command or a reply from the PASV command, it sets up a
> rule for the data connection.  When the command channel is encrypted it
> cannot do this.

The firewall does not need to watch the PASV command unless the
*server* is behind the NAT.  For the client, it is unnecessary
because there is nothing in the PASV line to translate.

> It might be possible to install an FTP proxy on the NAT box and get the
> clients to connect to that, but they would have to find one that
> supports TLS.

Yes, there is a program called tlsweap which can do exactly that
(we needed it previously as we hadn't found any graphical FTP
client for linux which is capable of doing FTP-TLS :-F).
Perhaps we can get them to install it on their NAT box.

Thanks for sharing your thoughts.

bit,
adam

-- 
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://sks.dnsalias.net
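The exchange above turns on what an FTP-aware NAT ("ALG") actually reads from the control channel: a client's PORT command, or a server's 227 reply to PASV, and what it must do with each. The following is an added illustration, not code from this thread or from proftpd, Kerio or tlsweap. It implements a minimal version of that ALG logic: it parses the two plaintext forms, decides whether a translation and inbound pinhole are needed (the PORT case, or PASV only when the server is the one behind the NAT, exactly the point Adam makes), and shows that once the control channel is TLS ciphertext nothing can be parsed, so no rule is installed. The sample lines, the public address 198.51.100.1 and the opaque TLS-record bytes are all constructed for this example.

```python
import re
from typing import NamedTuple, Optional


class DataEndpoint(NamedTuple):
    """Where the FTP data connection is to be made, as announced on the control channel."""
    host: str
    port: int


class NatRule(NamedTuple):
    """What an FTP-aware NAT would do after reading one control-channel line."""
    mode: str                                # "active" (PORT) or "passive" (PASV reply)
    rewrite_to: Optional[str]                # public address to substitute into the line, or None
    inbound_pinhole: Optional[DataEndpoint]  # private endpoint inbound data must be forwarded to, or None


# RFC 959 encodes the address and port as six decimal octets: h1,h2,h3,h4,p1,p2
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b.*?\(" + _SIX + r"\)")


def _to_endpoint(groups) -> Optional[DataEndpoint]:
    """Convert the six captured octets into host and port; reject values above 255."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return DataEndpoint(".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5])


def parse_port(line: str) -> Optional[DataEndpoint]:
    """Active mode: the client names the address the server must connect back to."""
    m = PORT_RE.match(line)
    return _to_endpoint(m.groups()) if m else None


def parse_pasv_reply(line: str) -> Optional[DataEndpoint]:
    """Passive mode: the server's 227 reply names the address the client will connect out to."""
    m = PASV_RE.match(line)
    return _to_endpoint(m.groups()) if m else None


def nat_data_rule(raw: bytes, nat_public_ip: str,
                  server_behind_nat: bool = False) -> Optional[NatRule]:
    """Decide what the NAT must do for one control-channel line (None = nothing it can do).

    raw is what the NAT sees on the wire. For plaintext FTP that is the command or
    reply itself; for FTP-TLS it is a TLS record, which matches neither pattern.
    """
    line = raw.decode("ascii", errors="replace").strip()

    ep = parse_port(line)
    if ep is not None:
        # The client behind the NAT advertised its private address: the NAT must
        # rewrite it to the public one and forward the server's inbound connection.
        return NatRule("active", nat_public_ip, ep)

    ep = parse_pasv_reply(line)
    if ep is not None:
        if server_behind_nat:
            # Only when the *server* sits behind the NAT does the 227 line carry a
            # private address that needs translating and a pinhole for the client.
            return NatRule("passive", nat_public_ip, ep)
        # Client behind the NAT: it simply connects out to the server's address,
        # so there is nothing in the PASV reply to translate.
        return NatRule("passive", None, None)

    return None


# Constructed samples: one plaintext PORT command, one plaintext 227 reply, and an
# opaque TLS application-data record (type 0x17) standing in for an encrypted line.
CLIENT_PORT = b"PORT 192,168,1,10,4,1\r\n"
SERVER_PASV = b"227 Entering Passive Mode (203,0,113,5,195,80).\r\n"
TLS_RECORD = b"\x17\x03\x01\x00\x10\x8a\x1f\xc3\x07\x6e\xd2\x91\x44\x0b\xe8\x35\x7c\xaa\x19\xf0\x62"

if __name__ == "__main__":
    pub = "198.51.100.1"
    print("PORT, client behind NAT:", nat_data_rule(CLIENT_PORT, pub))
    print("PASV, client behind NAT:", nat_data_rule(SERVER_PASV, pub))
    print("PASV, server behind NAT:", nat_data_rule(SERVER_PASV, pub, server_behind_nat=True))
    print("FTP-TLS record:         ", nat_data_rule(TLS_RECORD, pub))
```

Running it prints an active-mode rewrite for the PORT line, a passive-mode "nothing to translate" result for the 227 reply seen from a client behind the NAT, a rewrite plus pinhole for the same reply when the server is the NATed side, and None for the TLS record. That last result is the whole problem with FTP-TLS through a Kerio-style box: the PORT and PASV text the ALG depends on is inside the encrypted channel, so either the client uses passive mode (where, as Adam notes, the NAT has nothing to do anyway) or a TLS-terminating proxy such as the one mentioned above has to run on the NAT box.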


