From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rendy V
Subject: secure ftp with SSL
Date: Fri, 13 Sep 2002 10:09:59 +0700
Message-ID: <754E53EEA7D3D31194E50050DAB99F6E70543C@thor.id.magnus.com>
To: netfilter@lists.samba.org

Hi All,

I have a strange problem, the problem is like this:

I have an application that uses secure ftp and for that reason I have opened
up the command port (990) with state NEW and allowed the data ports
(20000:20049) with state ESTABLISHED,RELATED on the firewall. It fails when
it tries to use the data port; the authentication works just fine. Please see
the log below.

If I open the data ports 20000:20049 with state NEW it works normally, but I
don't want to make a big hole in my firewall. I suspect that the iptables
connection tracking cannot track the relation between the command port and
the data port because it is encrypted using SSL. Is it true, or is there
something I missed here? What should I do now?

Thank u

Rendy

STATUS:>  Getting listing ""...
STATUS:>  Connecting to ftp server xx.xx.xx.xx:990 (ip = xx.xx.xx.xx)...
STATUS:>  Socket connected. Waiting for welcome message...
STATUS:>  Enter Serial Number
STATUS:>  Connected. Exchanging encryption keys...
STATUS:>  SSL encrypted session established.
          220 Serv-U FTP Server v3.0 for WinSock ready...
STATUS:>  Connected. Authenticating...
COMMAND:> USER ftpadmin
          331 User name okay, need password.
COMMAND:> PASS *****
          230 User logged in, proceed.
STATUS:>  Login successful.
COMMAND:> PWD
          257 "/" is current directory.
STATUS:>  Home directory: /
COMMAND:> FEAT
          500 'FEAT': command not understood.
STATUS:>  This site doesn't support the 'features' command.
COMMAND:> REST 100
          350 Restarting at 100 - send STORE or RETRIEVE to initiate transfer.
STATUS:>  This site can resume broken downloads.
COMMAND:> TYPE A
          200 Type set to A.
COMMAND:> REST 0
          350 Restarting at 0 - send STORE or RETRIEVE to initiate transfer.
COMMAND:> PBSZ 0
          500 'PBSZ': command not understood.
COMMAND:> PROT P
          500 'PROT': command not understood.
COMMAND:> PASV
          227 Entering Passive Mode (xx,xx,xx,xx,xx,xx)
COMMAND:> LIST
STATUS:>  Connecting ftp data socket xx.xx.xx.xx:20028...
ERROR:>   Can't connect to remote server. Socket error = #10060.
ERROR:>   Failed to establish data socket.

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Roy Sigurd Karlsbakk
Subject: Re: secure ftp with SSL
Date: Fri, 13 Sep 2002 10:43:52 +0200
Message-ID: <200209131043.52555.roy@karlsbakk.net>
In-Reply-To: <754E53EEA7D3D31194E50050DAB99F6E70543C@thor.id.magnus.com>
To: Rendy V, netfilter@lists.samba.org

On Friday 13 September 2002 05:09, Rendy V wrote:
> Hi All,
> I have a strange problem, the problem is like this:
> I have an application that uses secure ftp and for that reason I have opened
> up the command port (990) with state NEW and allowed the data ports
> (20000:20049) with state ESTABLISHED,RELATED on the firewall. It fails
> when it tries to use the data port; the authentication works just fine.
> Please see the log below.
> If I open the data ports 20000:20049 with state NEW it works normally, but I
> don't want to make a big hole in my firewall. I suspect that the iptables
> connection tracking cannot track the relation between the command port and
> the data port because it is encrypted using SSL. Is it true, or is there
> something I missed here? What should I do now?

first - have you loaded ip_conntrack_ftp?

second - I'm not sure the ip_conntrack_ftp module can understand encrypted
traffic. Try using sftp from openssh instead. That only uses 22/tcp.

roy
-- 
Roy Sigurd Karlsbakk, Datavaktmester
ProntoTV AS - http://www.pronto.tv/
Tel: +47 9801 3356

Computers are like air conditioners. They stop working when you open Windows.
From mboxrd@z Thu Jan 1 00:00:00 1970
From: Alistair Tonner
Subject: Re: secure ftp with SSL
Date: Fri, 13 Sep 2002 06:09:22 -0400
Message-ID: <20020913100922.GA23101@Ajftl1.ajfthome.on.ca>
In-Reply-To: <200209131043.52555.roy@karlsbakk.net>
To: Roy Sigurd Karlsbakk
Cc: Rendy V, netfilter@lists.samba.org

On 2002.09.13 04:43 Roy Sigurd Karlsbakk wrote:
> On Friday 13 September 2002 05:09, Rendy V wrote:
> > [...]
> > I suspect that the iptables connection tracking cannot track the relation
> > between the command port and the data port because it is encrypted using
> > SSL. Is it true, or is there something I missed here? What should I do now?
>
> first - have you loaded ip_conntrack_ftp?
>
> second - I'm not sure the ip_conntrack_ftp module can understand encrypted
> traffic. Try using sftp from openssh instead. That only uses 22/tcp.
>
> roy

Furthermore, you would have to load the ip_conntrack_ftp and (possibly)
ip_nat_ftp modules with the ports= parameter set to cover the control port
on which you were connecting, I believe.....

Alistair

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Thomas Lussnig
Subject: Re: secure ftp with SSL
Date: Fri, 13 Sep 2002 12:20:54 +0200
Message-ID: <3D81BC06.80107@smcc.net>
References: <754E53EEA7D3D31194E50050DAB99F6E70543C@thor.id.magnus.com>
To: Rendy V
Cc: netfilter@lists.samba.org

Rendy V wrote:
> [...]
> If I open the data ports 20000:20049 with state NEW it works normally, but
> I don't want to make a big hole in my firewall. I suspect that the
> iptables connection tracking cannot track the relation between the command
> port and the data port because it is encrypted using SSL. Is it true, or is
> there something I missed here? What should I do now?

The problem you have is that on an SSL-encrypted connection RELATED cannot
work right, because for FTP there is an extra module that analyses the
control traffic and can so evaluate which ports are related. But this is not
possible when the traffic is unreadable for the module.

Cu
Thomas

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Roy Sigurd Karlsbakk
Subject: Re: secure ftp with SSL
Date: Mon, 16 Sep 2002 10:32:37 +0200
Message-ID: <200209161032.37482.roy@karlsbakk.net>
In-Reply-To: <754E53EEA7D3D31194E50050DAB99F6E705442@thor.id.magnus.com>
To: Rendy V, netfilter@lists.samba.org

Use sftp - see http://www.openssl.org/

On Monday 16 September 2002 06:21, Rendy V wrote:
> roy,
> yes, i have loaded ip_conntrack_ftp.
> Is there any better idea because if i change it i have to change all my
> application..
>
> regards,
> rendy
> [...]
-- 
Roy Sigurd Karlsbakk, Datavaktmester
ProntoTV AS - http://www.pronto.tv/
Tel: +47 9801 3356

Computers are like air conditioners. They stop working when you open Windows.

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Rendy V
Subject: RE: secure ftp with SSL
Date: Mon, 16 Sep 2002 11:21:18 +0700
Message-ID: <754E53EEA7D3D31194E50050DAB99F6E705442@thor.id.magnus.com>
To: netfilter@lists.samba.org
Cc: Roy Sigurd Karlsbakk

roy,
yes, i have loaded ip_conntrack_ftp.
Is there any better idea because if i change it i have to change all my
application..

regards,
rendy

On Friday 13 September 2002 05:09, Rendy V wrote:
> [...]
> I suspect that the iptables connection tracking cannot track the relation
> between the command port and the data port because it is encrypted using
> SSL. Is it true, or is there something I missed here? What should I do now?

> first - have you loaded ip_conntrack_ftp?
>
> second - I'm not sure the ip_conntrack_ftp module can understand encrypted
> traffic. Try using sftp from openssh instead. That only uses 22/tcp.
>
> roy
From mboxrd@z Thu Jan 1 00:00:00 1970
From: Alistair Tonner
Subject: Re: secure ftp with SSL
Date: Tue, 17 Sep 2002 12:44:51 -0400
Message-ID: <20020917164451.GE9482@Ajftl1.ajfthome.on.ca>
In-Reply-To: <754E53EEA7D3D31194E50050DAB99F6E705442@thor.id.magnus.com>
To: Rendy V
Cc: netfilter@lists.samba.org, Roy Sigurd Karlsbakk

Did you load thusly:

modprobe -dv ip_conntrack_ftp ports=21,900
modprobe -dv ip_nat_ftp ports=21,900

...

As I read what you are saying here the secure ftp is done on port 900 +
(random non-privileged UDP ports) -- would this be FastCopy??? -- You will
need to pass the port number for the control connection to the conntrack
module *for sure* and the NAT module to get it working from a box *other*
than the firewall ...

FYI -- if it is FastCopy -- I've resources I can ask questions of for you
if need be who are *very* familiar with getting FastCopy through a firewall
*chuckles*...

Alistair

On 2002.09.16 00:21 Rendy V wrote:
> roy,
> yes, i have loaded ip_conntrack_ftp.
> Is there any better idea because if i change it i have to change all
> my application..
>
> regards,
> rendy
> [...]
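Added example, not code from any message in this thread. It shows, in shell because the tool under discussion is iptables, the two things the replies above circle around: what the ip_conntrack_ftp helper has to read on the control channel before it can mark the data connection RELATED, and what the explicit rule set looks like when the helper cannot read it because the control channel is SSL/TLS-wrapped (implicit FTPS on 990, which is what the Serv-U log shows: the PBSZ/PROT commands are refused, yet the session was already "SSL encrypted" before USER). The 227 reply in the log is masked, so the one below is constructed; 78*256+60 yields the same port 20028 the client then tried to reach. The addresses 192.0.2.0/24 and 198.51.100.5, the FORWARD chain and the function names are assumptions made for illustration. One caveat for anyone reading this on a current kernel: the helper is now called nf_conntrack_ftp and is no longer attached to a connection automatically; it has to be assigned with a CT target (for example `iptables -t raw -A PREROUTING -p tcp --dport 21 -j CT --helper ftp`), and even when assigned to port 990 it only ever sees ciphertext there, so the conclusion of the thread stands.

```sh
#!/bin/sh
# Added example for the thread above; not code from any poster.
# 1. pasv_port         : the parse the FTP conntrack helper performs on a
#                        cleartext control channel to learn which data port
#                        to expect. On a TLS-wrapped control channel it only
#                        sees ciphertext, so nothing is parsed and the data
#                        SYN arrives as state NEW instead of RELATED.
# 2. port_in_range     : checks a PASV-announced port against the range the
#                        firewall permits (a diagnostic for client debug logs).
# 3. ftps_passive_rules: the explicit, narrow rules that stand in for the helper.
# Addresses and names below are assumptions made for illustration.

# Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# Prints "h1.h2.h3.h4 port" and returns 0; prints nothing and returns 1
# for anything that is not a well-formed 227 reply (ciphertext included).
pasv_port() {
    case $1 in
        "227 "*"("*,*,*,*,*,*")"*) ;;
        *) return 1 ;;
    esac
    tuple=${1#*\(}          # drop everything up to and including "("
    tuple=${tuple%%\)*}     # drop ")" and anything after it
    oldifs=$IFS; IFS=,; set -- $tuple; IFS=$oldifs
    [ $# -eq 6 ] || return 1
    for n in "$@"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
        [ "$n" -le 255 ] || return 1
    done
    # RFC 959: data port = p1*256 + p2
    printf '%s.%s.%s.%s %d\n' "$1" "$2" "$3" "$4" $(( $5 * 256 + $6 ))
}

# port_in_range PORT LO:HI  -> 0 if PORT lies within the permitted range.
# A server that announces a port outside the range fails exactly like the
# LIST in the thread, with or without the helper.
port_in_range() {
    port=$1 lo=${2%%:*} hi=${2##*:}
    [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]
}

# ftps_passive_rules CLIENTS SERVER LO:HI
# Prints iptables rules for clients behind the firewall reaching one
# implicit-TLS FTPS server (control on 990) whose passive range is LO:HI.
# FORWARD is assumed; use OUTPUT if the client is the firewall itself.
ftps_passive_rules() {
    clients=$1 server=$2 range=$3
    cat <<EOF
# control channel, implicit TLS on 990, client -> server
iptables -A FORWARD -p tcp -s $clients -d $server --dport 990 -m state --state NEW -j ACCEPT
# passive data channels: NEW is accepted, but only from these clients, only
# to this server, only on its passive range. Nothing else is opened.
iptables -A FORWARD -p tcp -s $clients -d $server --dport $range -m state --state NEW -j ACCEPT
# replies on both channels
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Demo on a constructed 227 reply (the real tuple is masked in the log;
# 78*256+60 reproduces the port 20028 the client tried to reach).
pasv_port '227 Entering Passive Mode (10,0,0,5,78,60)'
ftps_passive_rules 192.0.2.0/24 198.51.100.5 20000:20049
```

To use the first two functions as a check, feed them the 227 lines from a client debug log like the one at the top of the thread (the client prints the reply in clear even though it went over TLS) and confirm every announced port falls inside the range the firewall allows; if the server hands out a port outside it, the rule is wrong before the firewall design is. The middle rule in the generated set is the one that replaces "NEW to 20000:20049" from anywhere: the hole is pinned to one source network, one destination host and one port range, which is the most the firewall can do when it cannot see inside the control channel. It is still a static hole, so keep the server's passive range small and the source as narrow as possible, or take Roy's route and move to sftp over 22/tcp, which needs nothing from connection tracking beyond a plain ESTABLISHED match.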