* ftps and iptables
@ 2005-08-18 18:53 Vects
  0 siblings, 0 replies; 3+ messages in thread
From: Vects @ 2005-08-18 18:53 UTC (permalink / raw)
  To: netfilter

Hi,
I have a web server protected by iptables at the office; lately I wanted to
activate FTPS on it, but the client failed to get a listing. It works
well when iptables is down. I played with iptables rules and opened full
access from the web server, but it didn't help. I couldn't find anything
special that prevents it from operating. Has somebody already solved such a
problem?

Thanks, Alexc.





* RE: ftps and iptables
@ 2005-08-18 19:04 Derick Anderson
  2005-08-18 19:52 ` Taylor, Grant
  0 siblings, 1 reply; 3+ messages in thread
From: Derick Anderson @ 2005-08-18 19:04 UTC (permalink / raw)
  To: netfilter

By default FTPS (FTP over SSL, not to be confused with FTP/SSH or SFTP)
runs on port 990. It also sounds like you're using passive mode - if so
you may need to open those ports as well. It would make sense to me
(although I don't know) that conntrack_ftp could only track unsecured
FTP sessions since the only indication of a port change is in the packet
data (which would be encrypted). Someone may know better than I, though.

Derick Anderson

> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org 
> [mailto:netfilter-bounces@lists.netfilter.org] On Behalf Of Vects
> Sent: Thursday, August 18, 2005 2:53 PM
> To: netfilter@lists.netfilter.org
> Subject: ftps and iptables
> 
> Hi,
> I have web server protected by iptables at office, lately I 
> wanted to activate ftps on it but failed to get a list by 
> client. It's working well when iptables are down. I played 
> with iptables rules, open full access from web server but it 
> didn't help. I couldn't find anything special what prevents 
> it to operate. Does somebody already solved such a problem? 
> 
> Thanks, Alexc.
> 
> 
> 
> 


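Derick's reasoning above is the crux of the problem: the FTP conntrack helper learns the passive data port only by reading the "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply on the control connection, and under TLS that reply is ciphertext, so no RELATED expectation is ever created for the data connection. The Python below is an added illustration, not code from this thread or from netfilter: it parses PASV/EPSV replies the way the helper has to (a simplified approximation of what ip_conntrack_ftp / nf_conntrack_ftp matches), shows that an opaque control channel yields nothing to parse, and emits the explicit iptables rules you need instead, for an assumed implicit-TLS control port of 990 and an assumed passive range of 60000-60100 on eth0. The sample reply and the XOR "ciphertext" stand-in are constructed; the XOR is not TLS, it only models that the firewall can no longer read the reply.

```python
import re

# Cleartext PASV / EPSV replies are the only place the data port is announced.
# These patterns are an added approximation of what the kernel FTP conntrack
# helper (ip_conntrack_ftp / nf_conntrack_ftp) searches for in control traffic.
PASV_RE = re.compile(
    rb"227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
EPSV_RE = re.compile(rb"229 [^(]*\(\|\|\|(\d{1,5})\|\)")

# Constructed sample reply from an FTP daemon in passive mode (not a capture).
PASV_REPLY = b"227 Entering Passive Mode (192,168,1,10,234,96)\r\n"


def parse_passive_reply(payload: bytes):
    """Return (host, port) announced in a PASV or EPSV reply, or None when the
    payload carries no parseable announcement. None is exactly what the helper
    gets for a TLS-protected control channel: no expectation is created, so the
    incoming data connection is never RELATED and falls through to the default
    policy, which is why LIST hangs only when the firewall is up."""
    m = PASV_RE.search(payload)
    if m:
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        return (f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2)
    m = EPSV_RE.search(payload)
    if m:
        return (None, int(m.group(1)))  # EPSV announces only the port
    return None


def opaque_stand_in(cleartext: bytes, key: int = 0x5A) -> bytes:
    """Constructed stand-in for the ciphertext the firewall sees once the
    control channel is wrapped in TLS. A byte-wise XOR is NOT TLS; it only
    models the property that matters here: the reply is no longer readable."""
    return bytes(b ^ key for b in cleartext)


def ftps_rules(control_port: int = 990, passive_range=(60000, 60100), iface: str = "eth0"):
    """Explicit INPUT rules for an FTPS server when the conntrack helper cannot
    follow the control channel: accept the control port (990 for implicit TLS;
    21 if the daemon does explicit AUTH TLS) and a fixed passive data range that
    the FTP daemon itself must be configured to use. All values are assumptions."""
    lo, hi = passive_range
    return [
        f"iptables -A INPUT -i {iface} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A INPUT -i {iface} -p tcp --dport {control_port} "
        f"-m conntrack --ctstate NEW -j ACCEPT",
        f"iptables -A INPUT -i {iface} -p tcp --dport {lo}:{hi} "
        f"-m conntrack --ctstate NEW -j ACCEPT",
    ]


def announced_port_is_allowed(payload: bytes, passive_range=(60000, 60100)) -> bool:
    """Debugging check: does the port the daemon announced fall inside the range
    the firewall opens? A mismatch between daemon config and rules is the usual
    cause of a listing that hangs even after the passive range was 'opened'."""
    parsed = parse_passive_reply(payload)
    if parsed is None:
        return False
    lo, hi = passive_range
    return lo <= parsed[1] <= hi


if __name__ == "__main__":
    print(parse_passive_reply(PASV_REPLY))                   # ('192.168.1.10', 60000)
    print(parse_passive_reply(opaque_stand_in(PASV_REPLY)))  # None
    for rule in ftps_rules():
        print(rule)
```

The passive range is whatever the FTP daemon is configured to advertise; the rules and the daemon setting have to agree, and the daemon also has to advertise the address clients can actually reach, since with the control channel encrypted there is no helper left to rewrite it.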

* Re: ftps and iptables
  2005-08-18 19:04 ftps and iptables Derick Anderson
@ 2005-08-18 19:52 ` Taylor, Grant
  0 siblings, 0 replies; 3+ messages in thread
From: Taylor, Grant @ 2005-08-18 19:52 UTC (permalink / raw)
  To: netfilter

Try looking into a reverse proxy (Squid) that supports SSL.  This way your clients would FTPS to the proxy box, which would in turn connect to the FTPS server behind the firewall.



Grant. . . .

Derick Anderson wrote:
> By default FTPS (FTP over SSL, not to be confused with FTP/SSH or SFTP)
> runs on port 990. It also sounds like you're using passive mode - if so
> you may need to open those ports as well. It would make sense to me
> (although I don't know) that conntrack_ftp could only track unsecured
> FTP sessions since the only indication of a port change is in the packet
> data (which would be encrypted). Someone may know better than I, though.


