Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I'm trying to set up FTPS with Proftpd. I've created the certificates, and all is working well - except for firewall issues.
Now, for whatever reason, Proftpd uses the same ports (20 and 21) for FTPS as it does FTP. I can log in with FTP fine with iptables on (active ftp, not passive). But, when I try FTPS, it doesn't work. I checked the firewall logs, and it's blocking packets that are allowed by the same rules as regular FTP.
I found this in a Proftpd FAQ, but I'm not sure whether it applies to iptables or not:
Quote:
Question: Using mod_tls, FTP sessions through my firewall now no longer work. What's going on?
Answer: The short answer is that FTPS and firewalls (and devices performing NAT) do not interact well. The control connection happens on a well-known port, and has no issues; it is the data connection that poses problems for FTP-aware firewalls. In a non-FTPS session, the firewall can inspect the FTP server's responses on the control connection to a client's PASV or PORT command, and thus know on which ports/addresses the data connection will be established. In an FTPS session, though, those control connection messages are encrypted (that is the point of using FTPS, right?), and so the FTP-aware firewall cannot peek. Hence, it cannot know on which ports the data connection will be established. For firewalls that are configured to always allow a certain range of ports (such as might be configured using the PassivePorts directive), FTPS should function without issue.
Since Iptables is a stateful firewall, I set it up to allow all packets in that are "Related" or "Established", and the same for outgoing packets. I guess since it's encrypted, Iptables can't tell. So, I added an explicit rule in the outgoing chain to allow packets with a source port of 20 (ftp-data) and a destination port of 1024-65535, and that seemed to work fine.
I'm curious, though, as to why I don't have to do the same for HTTPS (SSL) connections?
The eth0 part will depend on your setup; it might be different.
This worked for me. I was able to establish a connection with the server and do a list. I was also able to download files, although I am still getting the "Server sent passive reply with unroutable address. Using server address instead." error, but it all seems to work. If anyone has any more information on this, please share!
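To show what the drops the original poster saw in the firewall log look like, and why the RELATED/ESTABLISHED rules do not cover them, here is an added Python example that is not from this thread or from ProFTPD: it triages iptables LOG lines and maps each FTPS data-channel case to the explicit ACCEPT rule that stands in for the conntrack FTP helper. The log lines and the PassivePorts range are constructed assumptions.

```python
import re
from collections import Counter

# Constructed iptables LOG lines (not from the thread): a blocked outbound active-mode
# data connection, a blocked inbound passive-mode one, an unrelated TCP drop, a UDP drop.
SAMPLE_LOG = """\
kernel: IPT-DROP IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=20 DPT=51312 SYN
kernel: IPT-DROP IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40022 DPT=49500 SYN
kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=3456 DPT=23 SYN
kernel: IPT-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353
"""
PASSIVE_PORTS = (49152, 49999)  # hypothetical PassivePorts range from proftpd.conf
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")  # LOG target fields

def parse_log_line(line):
    """Return the LOG fields as a dict, or None unless it is a TCP entry with ports."""
    f = dict(FIELD_RE.findall(line))
    return f if f.get("PROTO") == "TCP" and "SPT" in f and "DPT" in f else None

def classify(line, passive_ports=PASSIVE_PORTS):
    """Label one dropped packet: does an untracked FTPS data channel explain it?"""
    f = parse_log_line(line)
    if f is None:
        return None
    spt, dpt = int(f["SPT"]), int(f["DPT"])
    # Active mode: the server opens the data connection from port 20 (ftp-data) to
    # the client's ephemeral port; conntrack never saw the encrypted PORT command.
    if f.get("OUT") and spt == 20 and dpt >= 1024:
        return "active-ftps-data"
    # Passive mode: the client connects into PassivePorts; the PASV reply was encrypted too.
    if f.get("IN") and passive_ports[0] <= dpt <= passive_ports[1]:
        return "passive-ftps-data"
    return "unrelated"

def rule_for(kind, passive_ports=PASSIVE_PORTS):
    """Explicit ACCEPT rule that stands in for the conntrack helper in each case."""
    lo, hi = passive_ports
    return {
        "active-ftps-data": "iptables -A OUTPUT -p tcp --sport 20 --dport 1024:65535 -j ACCEPT",
        "passive-ftps-data": f"iptables -A INPUT -p tcp --dport {lo}:{hi} -j ACCEPT",
    }.get(kind)

def triage(log_text=SAMPLE_LOG, passive_ports=PASSIVE_PORTS):
    """Count dropped packets per category over a block of LOG output."""
    counts = Counter(classify(l, passive_ports) for l in log_text.splitlines())
    counts.pop(None, None)  # lines the parser rejected
    return dict(counts)
```

HTTPS needs no such rule because it carries everything over the single connection the firewall already tracks; FTP and FTPS alone negotiate a second connection inside the (now encrypted) control channel.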