[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]


On Thu, Feb 12, 2004 at 11:57:26AM +0200, Michael Wood wrote:
> On Wed, Feb 11, 2004 at 05:58:05PM +0100, Adam ENDRODI wrote:
> > I've got a site running proftpd that only serves files through
> > FTP-TLS.  The setup works correctly for most cases, with two
> > notable exceptions:
> > 
> >   -- a collegue of mine has complained that he cannot login
> >      if the Kerio net-sharing tool is active.  He claimed
> >      that no filtering rule was in effect.  OS: W2k
> No idea about this one, unless this net-sharing tool does some sort of
> NAT and he's behind the box that's doing the sharing.  Never heard of
> "Kerio net-sharing tool."

Kerio WinRoute is an all-in-one suite which is capable of
filtering, network address translating and can act as a proxy
for various protocols. (No ad intended) "net-sharing tool" is the
term the collague applied to it.

> I'm not sure why it aborts before the authentication, but even if that
> worked, I don't see how anything that requires an ftp-data connection
> could work through a NAT box.  I have never used FTP-TLS and have not
> read any RFCs related to it, but unless it works more like HTTP than
> FTP, it's not going to work through NAT.

It does.  One of my test boxen is a Windows 98 and is behind
two firewalls and three levels of NAT (actually, masquerading).
It works the same way as "Firewall-friendly" (i.e. passive) FTP,
though not under any circumstances it seems, to my despair :(

> For normal FTP, the NAT box watches the FTP command channel and when it
> notices the PORT command or a reply from the PASV command, it sets up a
> rule for the data connection.  When the command channel is encrypted it
> cannot do this.

The firewall does not need to watch the PASV commmand unless the
*server* is behind the NAT.  For the client, it is unnecessary
because there is nothing in the PASV line to translate.

> It might be possible to install an FTP proxy on the NAT box and get the
> clients to connect to that, but they would have to find one that
> supports TLS.

Yes, there is a program called tlsweap which can do that exactly
(we've needed previously as we hadn't find any graphical FTP
client for linux which is capable of doing FTP-TLS :-F).
Perhaps we get them to install it on their NAT box.

Thanks for sharing your thoughs.


Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        | 82DD 54C2 843D 37B8 D989
Renegade?          | http://sks.dnsalias.net

Reply to: