Re: FTP-TLS



On Wed, Feb 11, 2004 at 05:58:05PM +0100, Adam ENDRODI wrote:
> I've got a site running proftpd that only serves files through
> FTP-TLS.  The setup works correctly for most cases, with two
> notable exceptions:
> 
>   -- a colleague of mine has complained that he cannot login
>      if the Kerio net-sharing tool is active.  He claimed
>      that no filtering rule was in effect.  OS: W2k

No idea about this one, unless this net-sharing tool does some sort of
NAT and he's behind the box that's doing the sharing.  Never heard of
"Kerio net-sharing tool."

>   -- one of our customers has difficulties too: his network
>      is behind a microwave-modem gateway.  Each box in the
>      internal network has an IP address from the 192.168.x.x/16
>      range, so I suppose the modem must perform some kind
>      of network address translating or transparent proxying.
>      OS: W98
[snip]
> When they tried to connect, the process aborted just before the
> program would ask for the user name and the password, but after the TLS
> negotiation.  On the server side, I see only a "QUIT" command
> from the clients, nothing else.
[snip]

I'm not sure why it aborts before the authentication, but even if that
worked, I don't see how anything that requires an ftp-data connection
could work through a NAT box.  I have never used FTP-TLS and have not
read any RFCs related to it, but unless it works more like HTTP than
FTP, it's not going to work through NAT.

For normal FTP, the NAT box watches the FTP command channel and when it
notices the PORT command or a reply from the PASV command, it sets up a
rule for the data connection.  When the command channel is encrypted it
cannot do this.

It might be possible to install an FTP proxy on the NAT box and get the
clients to connect to that, but they would have to find one that
supports TLS.

Hope this helps.

-- 
Michael Wood <mwood@its.uct.ac.za>
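The command-channel inspection Michael describes, as an added example that is not from the original thread: a toy FTP application-level gateway that parses PORT commands and PASV replies from a constructed plaintext session to derive the data-connection endpoints, and finds nothing once the channel goes opaque after AUTH TLS. The session lines and banner are constructed; a real ALG would also rewrite the private 192.168.x.x address in PORT, which this example leaves out.

```python
import re

# Constructed plaintext FTP command channel as a NAT box would see it
# ("C:" = client line, "S:" = server reply). Not a real capture.
PLAINTEXT_SESSION = [
    "S: 220 proftpd ready",
    "C: USER alice",
    "S: 331 Password required",
    "C: PASS secret",
    "S: 230 Logged in",
    "C: PORT 192,168,1,20,4,1",
    "S: 200 PORT command successful",
    "C: RETR file.txt",
    "C: PASV",
    "S: 227 Entering Passive Mode (203,0,113,5,195,80)",
]

# Same exchange after AUTH TLS: only the pre-handshake lines are readable,
# everything after is ciphertext the NAT box cannot parse (constructed).
TLS_SESSION = [
    "S: 220 proftpd ready",
    "C: AUTH TLS",
    "S: 234 AUTH TLS successful",
    "C: <encrypted>",
    "S: <encrypted>",
]

PORT_RE = re.compile(r"^C: PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^S: 227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _endpoint(match):
    # RFC 959 encodes host as h1,h2,h3,h4 and port as p1*256 + p2.
    h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_channel_rules(session):
    """Return (mode, ip, port) tuples an FTP ALG would open a pin-hole for."""
    rules = []
    for line in session:
        m = PORT_RE.match(line)
        if m:
            ip, port = _endpoint(m)
            rules.append(("active", ip, port))   # server connects to client
            continue
        m = PASV_RE.match(line)
        if m:
            ip, port = _endpoint(m)
            rules.append(("passive", ip, port))  # client connects to server
    return rules
```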