On Thu, Feb 12, 2004 at 11:57:26AM +0200, Michael Wood wrote:
> On Wed, Feb 11, 2004 at 05:58:05PM +0100, Adam ENDRODI wrote:
> > I've got a site running proftpd that only serves files through
> > FTP-TLS. The setup works correctly for most cases, with two
> > notable exceptions:
> > -- a colleague of mine has complained that he cannot login
> > if the Kerio net-sharing tool is active. He claimed
> > that no filtering rule was in effect. OS: W2k
> No idea about this one, unless this net-sharing tool does some sort of
> NAT and he's behind the box that's doing the sharing. Never heard of
> "Kerio net-sharing tool."
Kerio WinRoute is an all-in-one suite which is capable of
filtering, network address translating and can act as a proxy
for various protocols. (No ad intended) "net-sharing tool" is the
term the colleague applied to it.
> I'm not sure why it aborts before the authentication, but even if that
> worked, I don't see how anything that requires an ftp-data connection
> could work through a NAT box. I have never used FTP-TLS and have not
> read any RFCs related to it, but unless it works more like HTTP than
> FTP, it's not going to work through NAT.
It does. One of my test boxen is a Windows 98 and is behind
two firewalls and three levels of NAT (actually, masquerading).
It works the same way as "Firewall-friendly" (i.e. passive) FTP,
though not under any circumstances it seems, to my despair :(
> For normal FTP, the NAT box watches the FTP command channel and when it
> notices the PORT command or a reply from the PASV command, it sets up a
> rule for the data connection. When the command channel is encrypted it
> cannot do this.
The firewall does not need to watch the PASV command unless the
*server* is behind the NAT. For the client, it is unnecessary
because there is nothing in the PASV line to translate.
> It might be possible to install an FTP proxy on the NAT box and get the
> clients to connect to that, but they would have to find one that
> supports TLS.
Yes, there is a program called tlsweap which can do exactly that
(we needed it previously as we hadn't found any graphical FTP
client for Linux capable of doing FTP-TLS :-F).
Perhaps we can get them to install it on their NAT box.
Thanks for sharing your thoughts.
Am I a cleric? | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever? | 82DD 54C2 843D 37B8 D989
Renegade? | http://sks.dnsalias.net
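An added illustration of the point argued above, not code from either poster: a classic FTP helper on a NAT box reads the PORT command (active mode) or the 227 reply to PASV (passive mode) off the plaintext control channel, rewrites a private address where one appears, and opens a pinhole for the data connection. The script below parses both forms, decides what the helper would have to do for a client behind the NAT (PORT from a private address: rewrite and pinhole; 227 pointing at a public server: nothing, the data connection is plain outbound; 227 carrying a private address: the server itself is behind a NAT and needs rewriting), and shows that once the control channel is TLS ciphertext the helper is blind. The sample command lines, the constructed TLS record bytes and the assumption that "private" means RFC 1918 are mine.

```python
"""Why a NAT box's FTP helper needs a plaintext control channel.

A classic FTP ALG (application-level gateway) sniffs the control
connection for the PORT command (active mode) and the 227 reply to
PASV (passive mode). It then rewrites private addresses and opens a
pinhole for the data connection. Here we parse both, decide what the
ALG would have to do, and show that TLS ciphertext gives it nothing.
(Sample lines below are constructed for this example.)
"""
import ipaddress
import re

# Client sends "PORT h1,h2,h3,h4,p1,p2" in active mode.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")
# Server answers PASV with "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

# Assumption for this example: a NAT helper only cares about RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_ftp_endpoint(line):
    """Return ("PORT"|"PASV", ip, port) for a data-channel announcement, else None."""
    if isinstance(line, bytes):
        try:
            line = line.decode("ascii")
        except UnicodeDecodeError:
            return None  # binary on the wire (e.g. a TLS record), not an FTP line
    for kind, rx in (("PORT", PORT_RE), ("PASV", PASV_RE)):
        m = rx.match(line.strip())
        if m:
            h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
            if max(h1, h2, h3, h4, p1, p2) > 255:
                return None  # malformed octet, ignore rather than guess
            return kind, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    return None


def alg_action(line):
    """What a NAT box between a private client and the Internet must do for this line.

    "rewrite+pinhole": PORT names a private client address; the ALG has to
                       substitute its public address and allow the inbound
                       data connection from the server.
    "pinhole":         PORT names a public address; only the inbound hole.
    "rewrite":         227 reply names a private address, i.e. the *server*
                       sits behind a NAT and its reply must be translated.
    "none":            227 reply names a public address; the client simply
                       opens an outbound connection, ordinary NAT suffices.
    "blind":           nothing parseable, which is what TLS looks like here.
    """
    parsed = parse_ftp_endpoint(line)
    if parsed is None:
        return "blind"
    kind, ip, _port = parsed
    private = is_rfc1918(ip)
    if kind == "PORT":
        return "rewrite+pinhole" if private else "pinhole"
    return "rewrite" if private else "none"


if __name__ == "__main__":
    samples = [
        "PORT 192,168,1,20,4,1",                          # active mode, private client
        "227 Entering Passive Mode (198,51,100,7,195,80)",  # passive, public server
        "227 Entering Passive Mode (10,0,0,5,195,80)",      # passive, server behind NAT
        bytes.fromhex("1703010020") + b"\x8f\xa3\x00",      # constructed TLS record header
    ]
    for s in samples:
        print(repr(s), "->", parse_ftp_endpoint(s), alg_action(s))
```

Run as-is it prints, for each sample line, what the helper parsed and what it would have to do. The last sample stands in for an encrypted control channel: the helper cannot even tell whether a PORT or PASV exchange happened, which is exactly why active mode through NAT breaks under FTP-TLS while passive mode to a public server keeps working without any helper.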