We’ve been using Shorewall for about 3 years now. We basically lock down everything and then only open up what is absolutely necessary.

Recently, a client has asked us to support the client side of FTPS. Our service can automatically move data to remote end points using a number of secure protocols. We’re a little concerned to implement an FTPS client because of what is reported as the “firewall problem”: Because FTP is a port-hopping protocol (i.e. data channels use a random port chosen during the communication), many firewalls have the ability to understand the FTP protocol and allow the secondary data connections. However, if the control connection is encrypted using TLS/SSL (or any other method for that matter) the firewall is not able to get the port numbers of the data connections from the control connection (since it is encrypted and the firewall cannot decrypt it). Therefore in many firewalled networks clear FTP connections will work while FTPS connections will either completely fail or require the use of passive mode (assuming all ports >= 1024 to the server are unfiltered).

Has anyone on the list had experience with Shorewall and FTPS? If so, how would you recommend configuring Shorewall to accommodate FTPS?

Thanks in advance.

Rob

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
On Thu, Sep 11, 2008 at 15:26, Rob Hicks <rob.hicks@contractpal.com> wrote:
> Recently, a client has asked us to support the client side of FTPS.

Are you being asked to support SFTP or FTPS? See [1] for a discussion of the different protocols. If you can, suggest SFTP instead of FTPS; it only needs one connection (over port 22) and no extra DATA channel like FTPS needs.

Will

[1]: http://www.codeguru.com/csharp/.net/net_general/internet/article.php/c14329
Will,

Thanks.

We are specifically being asked to support FTPS. We already support SFTP.

Rob

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Rob Hicks wrote:
> Will,
>
> Thanks.
>
> We are specifically being asked to support FTPS. We already support
> SFTP.

So long as passive mode is used, you should be okay, provided that you don't restrict local access to remote high ports.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key