Hi,

I am wondering what the proper shorewall work around is for SSL FTP. I am currently working on a firewall that has an FTP server running on it and the data needs to be encrypted. I am unable to use SFTP or SCP at this point so SSL FTP is my only option. Is there a work around that shorewall can do to allow for SSL FTP that is still semi-secure?

I am running vsftp for the FTP server and Shorewall 3.0.4.

Thanks for any hints
lists@pure-wireless.net wrote:
> Hi,
>
> I am wondering what the proper shorewall work around is for SSL FTP. I am
> currently working on a firewall that has an FTP server running on it and
> the data needs to be encrypted. I am unable to use SFTP or SCP at this
> point so SSL FTP is my only option. Is there a work around that shorewall
> can do to allow for SSL FTP that is still semi-secure?
>
> I am running vsftp for the FTP server and Shorewall 3.0.4.
>

It will not work.

Traffic is encrypted, the netfilter modules cannot decrypt the traffic.

This is not a shorewall problem, not a netfilter bug, this is how the things work.
On Wednesday 08 March 2006 12:27, lists@pure-wireless.net wrote:
> Hi,
>
> I am wondering what the proper shorewall work around is for SSL FTP. I am
> currently working on a firewall that has an FTP server running on it and
> the data needs to be encrypted. I am unable to use SFTP or SCP at this
> point so SSL FTP is my only option. Is there a work around that shorewall
> can do to allow for SSL FTP that is still semi-secure?
>
> I am running vsftp for the FTP server and Shorewall 3.0.4.
>

You can configure your ftp server to use a particular range of passive ports then open input to those ports. Or you can use active mode and unconditionally allow connections from your server to the world if the TCP source port is 20.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
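As an added illustration of the passive-port workaround Tom describes (this is not code from the thread, from vsftpd or from Shorewall), here is a small Python consistency check: it reads pasv_min_port/pasv_max_port from a vsftpd.conf fragment and verifies that the Shorewall rules accept exactly that range plus the control port 21 from the net zone, and nothing more. The two config fragments are constructed samples; the option names and the rules-file columns are the real vsftpd and Shorewall 3.x syntax, and the port numbers are arbitrary choices.

```python
import re

# Constructed vsftpd.conf fragment: FTPS enforced, bounded passive range.
VSFTPD_CONF = """\
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
"""

# Constructed /etc/shorewall/rules fragment (ACTION SOURCE DEST PROTO DEST PORT(S)).
SHOREWALL_RULES = """\
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   net     $FW   tcp    21
ACCEPT   net     $FW   tcp    50000:50100
"""

def passive_range(conf):
    """Return (min, max) passive ports configured in a vsftpd.conf text."""
    # vsftpd treats a missing or zero value as 'any port': not firewallable.
    opts = dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", conf, re.M))
    lo, hi = int(opts.get("pasv_min_port", 0)), int(opts.get("pasv_max_port", 0))
    if opts.get("pasv_enable", "YES").upper() != "YES" or not 0 < lo <= hi:
        raise ValueError("vsftpd passive range is disabled or unbounded")
    return lo, hi

def accepted_tcp_ranges(rules, source="net"):
    """Yield (lo, hi) for every ACCEPT rule from `source` to $FW over tcp."""
    for line in rules.splitlines():
        cols = line.split("#", 1)[0].split()          # drop comments, split columns
        if cols[:4] != ["ACCEPT", source, "$FW", "tcp"] or len(cols) < 5:
            continue
        for port in cols[4].split(","):               # '21' or '50000:50100'
            lo, _, hi = port.partition(":")
            yield int(lo), int(hi or lo)

def passive_range_covered(conf, rules):
    """True if a single rule spans the whole passive range (no gaps)."""
    lo, hi = passive_range(conf)
    return any(rlo <= lo and hi <= rhi for rlo, rhi in accepted_tcp_ranges(rules))

def excess_ports(conf, rules, control_port=21):
    """TCP ports the rules open that are neither the control port nor passive ports."""
    lo, hi = passive_range(conf)
    return sorted({p for rlo, rhi in accepted_tcp_ranges(rules)
                   for p in range(rlo, rhi + 1)
                   if p != control_port and not lo <= p <= hi})
```

An empty result from excess_ports means the firewall opens only what the FTPS server actually needs, which is the least-privilege version of the workaround.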
On Wednesday 08 March 2006 12:54, Cristian Rodriguez wrote:
> lists@pure-wireless.net wrote:
> > Hi,
> >
> > I am wondering what the proper shorewall work around is for SSL FTP. I am
> > currently working on a firewall that has an FTP server running on it and
> > the data needs to be encrypted. I am unable to use SFTP or SCP at this
> > point so SSL FTP is my only option. Is there a work around that shorewall
> > can do to allow for SSL FTP that is still semi-secure?
> >
> > I am running vsftp for the FTP server and Shorewall 3.0.4.
>
> it will not work.
>
> traffic is encrypted, the netfilter modules cannot decrypt the traffic.
>
> this is not a shorewall problem, not a netfilter bug, this is how the
> things work.

What Cristian is saying is that normal Netfilter FTP connection tracking cannot be used with FTPS. You have to resort to the workarounds that I mentioned in my previous post.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
On Wed, 2006-03-08 at 13:28 -0800, Tom Eastep wrote:
> On Wednesday 08 March 2006 12:54, Cristian Rodriguez wrote:
> > lists@pure-wireless.net wrote:
> > > Hi,
> > >
> > > I am wondering what the proper shorewall work around is for SSL FTP. I am
> > > currently working on a firewall that has an FTP server running on it and
> > > the data needs to be encrypted. I am unable to use SFTP or SCP at this
> > > point so SSL FTP is my only option. Is there a work around that shorewall
> > > can do to allow for SSL FTP that is still semi-secure?
> > >
> > > I am running vsftp for the FTP server and Shorewall 3.0.4.
> >
> > it will not work.
> >
> > traffic is encrypted, the netfilter modules cannot decrypt the traffic.
> >
> > this is not a shorewall problem, not a netfilter bug, this is how the
> > things work.
>
> What Cristian is saying is that normal Netfilter FTP connection tracking
> cannot be used with FTPS. You have to resort to the workarounds that I
> mentioned in my previous post.
>
> -Tom

Thanks Tom, listing passive ports worked for me. I did realize that it would not work as is. Thanks again for the help.

-- 
Andrew