
Re: FTP over TLS behind a DMZ... at my wits' end ...



Hello,

> I'm at my wits' end, I have no ideas left ;( Please help if anyone has
> any idea.

how to solve it - I don't have an idea either, maybe someone will come up with something?

I'm considering PassivePorts - how well does it work? How many of those ports
need to be given, and whether it makes sense at all. [read on]

as for what the cause is:

> how to configure it - and what the cause is ...
> A firewall problem?

yes.
PL: the connection that gets established will be on a port other than 21.
That's obvious. But the channel is already encrypted, and the kernel is not
able to figure out which ports it has to forward. If there were no DMZ,
there would probably be no trouble.
Old RFCs allowed an extra port 990 for TLS, but in proftpd I think it's
not supported :( pity.

EN: quoting:

Question: Using mod_tls, FTP sessions through my firewall now no longer work. What's going on?

Answer: The short answer is that FTPS and firewalls (and devices performing NAT) do not
interact well. The control connection happens on a well-known port, and has no issues;
it is the data connection that poses problems for FTP-aware firewalls. In a non-FTPS
session, the firewall can inspect the FTP server's responses on the control connection
to a client's PASV or PORT command, and thus know on which ports/addresses the
data connection will be established. In an FTPS session, though, those control connection
messages are encrypted (that is the point of using FTPS, right?), and so the FTP-aware
firewall cannot peek. Hence, it cannot know on which ports the data connection will
be established. For firewalls that are configured to always allow a certain range of ports
(such as might be configured using the PassivePorts directive), FTPS should function
without issue.

Unfortunately, this is a rather intractable--and known--issue. Earlier versions of the
Draft defining FTPS used to allow something known as "implicit" FTPS, by which a client
could contact a well-known port (akin to port 443 for HTTPS; FTPS used port 990) and the
server, simply because the client contacted that certain port, would automatically encrypt
the session. This approach has several drawbacks (the reason why it was removed from
later versions of the Draft), but it did allow for simple TCP proxying. There has
been no replacement.

[http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html]


-- 
Regards,
Marcin.
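The mechanism the quoted FAQ describes, as an added example that is not part of the original post or of ProFTPD: an FTP-aware firewall can only open a dynamic pinhole when it can read the 227 reply on the control channel; once that channel is TLS-encrypted the reply is opaque, and only a statically opened range (what PassivePorts selects on the server side) lets the data connection through. Function names and sample bytes below are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# The reply an FTP-aware firewall watches for on a cleartext control channel:
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)     data port = p1*256 + p2
PASV_REPLY = re.compile(
    rb"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

def parse_pasv_reply(line: bytes) -> Optional[Tuple[str, int]]:
    """Return (address, port) announced by a 227 reply, or None when the bytes
    are not a readable PASV reply (for FTPS the firewall only sees TLS records)."""
    m = PASV_REPLY.match(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def data_connection_allowed(control_bytes: bytes, data_port: int,
                            passive_ports: Optional[Tuple[int, int]] = None) -> bool:
    """Model the firewall's decision for an inbound data connection to data_port.
    passive_ports is the statically opened range (matching the server's
    'PassivePorts low high'), or None if the firewall relies purely on inspection."""
    seen = parse_pasv_reply(control_bytes)
    if seen is not None and seen[1] == data_port:
        return True  # dynamic pinhole: the helper could read the PASV reply
    if passive_ports is not None:
        low, high = passive_ports
        return low <= data_port <= high  # static range works regardless of TLS
    return False

# Constructed samples (not captured traffic):
CLEARTEXT_PASV = b"227 Entering Passive Mode (192,0,2,10,234,98)\r\n"  # port 60002
# On an FTPS control channel the firewall only sees an opaque TLS application-data
# record; the payload bytes here are made up and merely stand in for ciphertext.
TLS_PASV = b"\x17\x03\x03\x00\x30" + bytes(range(0x30))

if __name__ == "__main__":
    print(parse_pasv_reply(CLEARTEXT_PASV))                          # ('192.0.2.10', 60002)
    print(data_connection_allowed(CLEARTEXT_PASV, 60002))            # True
    print(data_connection_allowed(TLS_PASV, 60002))                  # False
    print(data_connection_allowed(TLS_PASV, 60002, (60000, 60100)))  # True
```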


