* secure ftp with SSL
@ 2002-09-13 3:09 Rendy V
2002-09-13 8:43 ` Roy Sigurd Karlsbakk
2002-09-13 10:20 ` Thomas Lussnig
0 siblings, 2 replies; 7+ messages in thread
From: Rendy V @ 2002-09-13 3:09 UTC (permalink / raw)
To: 'netfilter@lists.samba.org'
Hi All,
I have a strange problem, the problem is like this:
I have an application that uses secure FTP, and for that reason I have opened
up the command port (990) with state NEW and allowed the data ports (20000:20049)
with state ESTABLISHED,RELATED on the firewall. It fails when it tries to use the
data port; authentication works just fine. Please see the log below.
If I open the data ports 20000:20049 with state NEW it works normally, but I
don't want to make a big hole in my firewall. I suspect that the iptables
connection tracking cannot track the relation between the command port and the
data port because it is encrypted using SSL. Is that true, or is there something
I missed here? What should I do now?
Thank you
Rendy
STATUS:> Getting listing ""...
STATUS:> Connecting to ftp server xx.xx.xx.xx:990 (ip =
xx.xx.xx.xx)...
STATUS:> Socket connected. Waiting for welcome message...
STATUS:> Enter Serial Number
STATUS:> Connected. Exchanging encryption keys...
STATUS:> SSL encrypted session established.
220 Serv-U FTP Server v3.0 for WinSock ready...
STATUS:> Connected. Authenticating...
COMMAND:> USER ftpadmin
331 User name okay, need password.
COMMAND:> PASS *****
230 User logged in, proceed.
STATUS:> Login successful.
COMMAND:> PWD
257 "/" is current directory.
STATUS:> Home directory: /
COMMAND:> FEAT
500 'FEAT': command not understood.
STATUS:> This site doesn't support the 'features' command.
COMMAND:> REST 100
350 Restarting at 100 - send STORE or RETRIEVE to initiate transfer.
STATUS:> This site can resume broken downloads.
COMMAND:> TYPE A
200 Type set to A.
COMMAND:> REST 0
350 Restarting at 0 - send STORE or RETRIEVE to initiate transfer.
COMMAND:> PBSZ 0
500 'PBSZ': command not understood.
COMMAND:> PROT P
500 'PROT': command not understood.
COMMAND:> PASV
227 Entering Passive Mode (xx,xx,xx,xx,xx,xx)
COMMAND:> LIST
STATUS:> Connecting ftp data socket xx.xx.xx.xx:20028...
ERROR:> Can't connect to remote server. Socket error = #10060.
ERROR:> Failed to establish data socket.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: secure ftp with SSL
From: Roy Sigurd Karlsbakk @ 2002-09-13 8:43 UTC (permalink / raw)
To: Rendy V, 'netfilter@lists.samba.org'
On Friday 13 September 2002 05:09, Rendy V wrote:
> Hi All,
> I have a strange problem, the problem is like this:
> I have an application that uses secure FTP, and for that reason I have opened
> up the command port (990) with state NEW and allowed the data ports
> (20000:20049) with state ESTABLISHED,RELATED on the firewall. It fails
> when it tries to use the data port; authentication works just fine.
> Please see the log below.
> If I open the data ports 20000:20049 with state NEW it works normally, but I
> don't want to make a big hole in my firewall. I suspect that the iptables
> connection tracking cannot track the relation between the command port and
> the data port because it is encrypted using SSL. Is that true, or is there
> something I missed here? What should I do now?
First, have you loaded ip_conntrack_ftp?
Second, I'm not sure the ip_conntrack_ftp module can understand encrypted
traffic. Try using sftp from OpenSSH instead. That only uses 22/tcp.
roy
--
Roy Sigurd Karlsbakk, Datavaktmester
ProntoTV AS - http://www.pronto.tv/
Tel: +47 9801 3356
Computers are like air conditioners.
They stop working when you open Windows.
* Re: secure ftp with SSL
From: Alistair Tonner @ 2002-09-13 10:09 UTC (permalink / raw)
To: Roy Sigurd Karlsbakk; +Cc: Rendy V, 'netfilter@lists.samba.org'
On 2002.09.13 04:43 Roy Sigurd Karlsbakk wrote:
> On Friday 13 September 2002 05:09, Rendy V wrote:
> > Hi All,
> > I have a strange problem, the problem is like this:
> > I have an application that uses secure FTP, and for that reason I have opened
> > up the command port (990) with state NEW and allowed the data ports
> > (20000:20049) with state ESTABLISHED,RELATED on the firewall. It fails
> > when it tries to use the data port; authentication works just fine.
> > Please see the log below.
> > If I open the data ports 20000:20049 with state NEW it works normally, but I
> > don't want to make a big hole in my firewall. I suspect that the iptables
> > connection tracking cannot track the relation between the command port and
> > the data port because it is encrypted using SSL. Is that true, or is there
> > something I missed here? What should I do now?
>
> First, have you loaded ip_conntrack_ftp?
>
> Second, I'm not sure the ip_conntrack_ftp module can understand encrypted
> traffic. Try using sftp from OpenSSH instead. That only uses 22/tcp.
>
> roy
>
Furthermore, you would have to load the ip_conntrack_ftp and (possibly)
ip_nat_ftp modules with the ports= parameter set to cover the control
port on which you were connecting, I believe.....
Alistair
* Re: secure ftp with SSL
From: Thomas Lussnig @ 2002-09-13 10:20 UTC (permalink / raw)
To: Rendy V; +Cc: 'netfilter@lists.samba.org'
Rendy V wrote:
> Hi All,
> I have a strange problem, the problem is like this:
> I have an application that uses secure FTP, and for that reason I have
> opened up the command port (990) with state NEW and allowed the data ports
> (20000:20049) with state ESTABLISHED,RELATED on the firewall. It
> fails when it tries to use the data port; authentication works just
> fine. Please see the log below.
>
> If I open the data ports 20000:20049 with state NEW it works normally, but
> I don't want to make a big hole in my firewall. I suspect that the
> iptables connection tracking cannot track the relation between the command
> port and the data port because it is encrypted using SSL. Is that true, or
> is there something I missed here? What should I do now?
>
The problem you have is that on an SSL-encrypted connection RELATED cannot
work right, because for FTP there is an extra module that analyses the
control traffic and can so evaluate which ports are related. But this is
not possible when the traffic is unreadable for the module.
Cu Thomas
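The point Thomas makes, and the ports= parameter Alistair mentions, can be shown in a few dozen lines. What follows is an added example written for this page, not code from the thread and not netfilter's own implementation: a simplified Python model of what ip_conntrack_ftp does on the control channel (match the 227 reply, register an expectation for the data port) and of Rendy's two rules (control port NEW, data range ESTABLISHED,RELATED). The server address 192.0.2.10 is an assumption (it is masked in the log), the 227 reply and the TLS record are constructed, and the port 20028 = 78*256 + 60 is the data port the client tried in the log. The helper, the state assignment and the rule evaluation are deliberately minimal models of the kernel's behaviour, not the kernel's code.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample traffic, modelled on the session log quoted in the thread.
# The server address is masked in the log, so 192.0.2.10 is an assumption;
# 78*256 + 60 = 20028 is the data port the client tried to connect to.
SERVER_IP = "192.0.2.10"
PASV_REPLY = b"227 Entering Passive Mode (192,0,2,10,78,60)\r\n"
# What that same reply looks like on the wire inside an SSL/TLS session: an
# application-data record (type 0x17) whose payload is opaque ciphertext
# (constructed bytes; the firewall never sees the "227 ..." text).
TLS_RECORD = b"\x17\x03\x01\x00\x10" + bytes(range(0x90, 0xA0))

PASV_RE = re.compile(rb"227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(payload: bytes):
    """Return (ip, port) from a 227 reply, or None if the bytes carry none.
    This is the text match the FTP conntrack helper performs on the control channel."""
    m = PASV_RE.search(payload)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class FtpHelper:
    """Simplified model of ip_conntrack_ftp: it only inspects control connections
    whose server port is in `ports` (the modprobe ports= parameter, default 21)
    and records an expectation for every PASV reply it can actually read."""
    ports: frozenset = frozenset({21})
    expectations: set = field(default_factory=set)

    def observe(self, server_port: int, payload: bytes) -> bool:
        if server_port not in self.ports:
            return False          # helper not attached to this control port
        pasv = parse_pasv(payload)
        if pasv is None:
            return False          # nothing parseable: ciphertext, or no 227 reply
        self.expectations.add(pasv)
        return True

    def state_of_syn(self, dst_ip: str, dst_port: int) -> str:
        """Conntrack state assigned to a fresh SYN towards dst_ip:dst_port."""
        return "RELATED" if (dst_ip, dst_port) in self.expectations else "NEW"


@dataclass(frozen=True)
class Rule:
    lo: int
    hi: int
    states: frozenset
    dst: Optional[str] = None     # None means any destination address


def allowed(rules, dst_ip: str, dst_port: int, state: str) -> bool:
    """First-match ACCEPT over an iptables-style rule list; default policy DROP."""
    for r in rules:
        if r.lo <= dst_port <= r.hi and state in r.states and r.dst in (None, dst_ip):
            return True
    return False


# Rendy's ruleset as described: control port NEW, data range ESTABLISHED,RELATED.
RENDY_RULES = (
    Rule(990, 990, frozenset({"NEW"})),
    Rule(20000, 20049, frozenset({"ESTABLISHED", "RELATED"})),
)
# The narrower alternative: NEW into the passive range, but only towards the FTP server.
NARROW_RULES = RENDY_RULES + (Rule(20000, 20049, frozenset({"NEW"}), dst=SERVER_IP),)


def data_connection(rules, helper_ports, control_port, wire_payload):
    """Feed one control-channel payload to the helper, then test the data SYN."""
    helper = FtpHelper(ports=frozenset(helper_ports))
    helper.observe(control_port, wire_payload)
    state = helper.state_of_syn(SERVER_IP, 20028)
    return state, allowed(rules, SERVER_IP, 20028, state)


def run_scenarios():
    return {
        # plain FTP on 990, helper left at its default ports=21
        "plain_990_default_helper": data_connection(RENDY_RULES, {21}, 990, PASV_REPLY),
        # plain FTP on 990, helper loaded with ports=21,990
        "plain_990_helper_bound": data_connection(RENDY_RULES, {21, 990}, 990, PASV_REPLY),
        # FTPS on 990: helper bound to the port, but it only ever sees TLS records
        "ftps_990_helper_bound": data_connection(RENDY_RULES, {21, 990}, 990, TLS_RECORD),
        # FTPS on 990 with the narrow NEW rule for the server's passive range
        "ftps_990_narrow_rule": data_connection(NARROW_RULES, {21, 990}, 990, TLS_RECORD),
    }


if __name__ == "__main__":
    for name, (state, ok) in run_scenarios().items():
        print(f"{name:26s} state={state:8s} data SYN -> {'ACCEPT' if ok else 'DROP'}")
```

The two failing cases are the ones in the thread: with the helper not bound to port 990 the data SYN is NEW and is dropped, and once the control channel is encrypted the helper is bound but blind, so the result is the same; the client-side symptom is the socket error #10060 (a connect timeout) in the log. The last scenario is the only way a stateful filter can pass the data connection without seeing the control channel: allow NEW into the passive range, but restrict it to the server's address and to the range the server is actually configured for.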
* RE: secure ftp with SSL
From: Rendy V @ 2002-09-16 4:21 UTC (permalink / raw)
To: 'netfilter@lists.samba.org'; +Cc: 'Roy Sigurd Karlsbakk'
Roy,
Yes, I have loaded ip_conntrack_ftp.
Is there any better idea? Because if I change it, I have to change all my
applications..
Regards,
Rendy
> On Friday 13 September 2002 05:09, Rendy V wrote:
> > Hi All,
> > I have a strange problem, the problem is like this:
> > I have an application that uses secure FTP, and for that reason I have
> > opened up the command port (990) with state NEW and allowed the data ports
> > (20000:20049) with state ESTABLISHED,RELATED on the firewall. It fails
> > when it tries to use the data port; authentication works just fine.
> > Please see the log below.
> > If I open the data ports 20000:20049 with state NEW it works normally, but I
> > don't want to make a big hole in my firewall. I suspect that the iptables
> > connection tracking cannot track the relation between the command port and
> > the data port because it is encrypted using SSL. Is that true, or is there
> > something I missed here? What should I do now?
>
> First, have you loaded ip_conntrack_ftp?
>
> Second, I'm not sure the ip_conntrack_ftp module can understand encrypted
> traffic. Try using sftp from OpenSSH instead. That only uses 22/tcp.
>
> roy
* Re: secure ftp with SSL
From: Roy Sigurd Karlsbakk @ 2002-09-16 8:32 UTC (permalink / raw)
To: Rendy V, 'netfilter@lists.samba.org'
Use sftp - see http://www.openssl.org/
On Monday 16 September 2002 06:21, Rendy V wrote:
> Roy,
> Yes, I have loaded ip_conntrack_ftp.
> Is there any better idea? Because if I change it, I have to change all my
> applications..
>
> Regards,
> Rendy
>
> > On Friday 13 September 2002 05:09, Rendy V wrote:
> > > Hi All,
> > > I have a strange problem, the problem is like this:
> > > I have an application that uses secure FTP, and for that reason I have
> > > opened up the command port (990) with state NEW and allowed the data ports
> > > (20000:20049) with state ESTABLISHED,RELATED on the firewall. It fails
> > > when it tries to use the data port; authentication works just fine.
> > > Please see the log below.
> > > If I open the data ports 20000:20049 with state NEW it works normally, but I
> > > don't want to make a big hole in my firewall. I suspect that the iptables
> > > connection tracking cannot track the relation between the command port and
> > > the data port because it is encrypted using SSL. Is that true, or is there
> > > something I missed here? What should I do now?
> >
> > First, have you loaded ip_conntrack_ftp?
> >
> > Second, I'm not sure the ip_conntrack_ftp module can understand encrypted
> > traffic. Try using sftp from OpenSSH instead. That only uses 22/tcp.
> >
> > roy
* Re: secure ftp with SSL
From: Alistair Tonner @ 2002-09-17 16:44 UTC (permalink / raw)
To: Rendy V; +Cc: 'netfilter@lists.samba.org', 'Roy Sigurd Karlsbakk'
Did you load thusly:
modprobe -dv ip_conntrack_ftp ports=21,900
modprobe -dv ip_nat_ftp ports=21,900
... As I read what you are saying here, the secure ftp is done on
port 900 + (random non-privileged UDP ports)
-- would this be FastCopy???
-- You will need to pass the port number for the control connection to the
conntrack module *for sure*, and to the NAT module to get it working from a
box *other* than the firewall ...
FYI -- if it is FastCopy -- I've resources I can ask questions of for you
if need be, who are *very* familiar with getting FastCopy through a firewall
*chuckles*...
Alistair
On 2002.09.16 00:21 Rendy V wrote:
> Roy,
> Yes, I have loaded ip_conntrack_ftp.
> Is there any better idea? Because if I change it, I have to change all my
> applications..
>
> Regards,
> Rendy
>
> > On Friday 13 September 2002 05:09, Rendy V wrote:
> > > Hi All,
> > > I have a strange problem, the problem is like this:
> > > I have an application that uses secure FTP, and for that reason I have
> > > opened up the command port (990) with state NEW and allowed the data ports
> > > (20000:20049) with state ESTABLISHED,RELATED on the firewall. It fails
> > > when it tries to use the data port; authentication works just fine.
> > > Please see the log below.
> > > If I open the data ports 20000:20049 with state NEW it works normally, but I
> > > don't want to make a big hole in my firewall. I suspect that the iptables
> > > connection tracking cannot track the relation between the command port and
> > > the data port because it is encrypted using SSL. Is that true, or is there
> > > something I missed here? What should I do now?
> >
> > First, have you loaded ip_conntrack_ftp?
> >
> > Second, I'm not sure the ip_conntrack_ftp module can understand encrypted
> > traffic. Try using sftp from OpenSSH instead. That only uses 22/tcp.
> >
> > roy
Thread overview: 7+ messages
2002-09-13 3:09 secure ftp with SSL Rendy V
2002-09-13 8:43 ` Roy Sigurd Karlsbakk
2002-09-13 10:09 ` Alistair Tonner
2002-09-13 10:20 ` Thomas Lussnig
2002-09-16 4:21 Rendy V
2002-09-16 8:32 ` Roy Sigurd Karlsbakk
2002-09-17 16:44 ` Alistair Tonner