Review your favorite Linux distribution.
Go Back > Forums > Linux Forums > Linux - Networking
User Name
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.


  Search this Thread
Old 05-12-2005, 11:26 PM   #1
Registered: Jan 2005
Posts: 37

Rep: Reputation: 15
Proftpd and SSL/TLS

I'm trying to setup FTPS with Proftpd. I've created the certificates, and all is working well - except for firewall issues.

Now, for whatever reason, Proftpd uses the same ports (20 and 21) for FTPS as it does FTP. I can log in with FTP fine with iptables on (active ftp, not passive). But, when I try FTPS, it doesn't work. I checked the firewall logs, and it's blocking packets that are allowed by the same rules as regular FTP.

I found this in a Proftpd FAQ, but I'm not sure whether it applies to iptables or not:

Question: Using mod_tls, FTP sessions through my firewall now no longer work. What's going on?

Answer: The short answer is that FTPS and firewalls (and devices performing NAT) do not interact well. The control connection happens on a well-known port, and has no issues; it is the data connection that poses problems for FTP-aware firewalls. In a non-FTPS session, the firewall can inspect the FTP server's responses on the control connection to a client's PASV or PORT command, and thus know which on which ports/addresses the data connection will be established. In an FTPS session, though, those control connection messages are encrypted (that is the point of using FTPS, right?), and so the FTP-aware firewall cannot peek. Hence, it cannot know which on which ports the data connection will be established. For firewalls that are configured to always allow a certain range of ports (such as might be configured using the PassivePorts directive), FTPS should function without issue.

Any ideas?

Old 05-14-2005, 10:36 AM   #2
Registered: Jan 2005
Posts: 37

Original Poster
Rep: Reputation: 15
Nevermind, I figured it out.

Since Iptables is a stateful firewall, I set it up to allow all packets in that are "Related" or "Established", and the same for outgoing packets. I guess since it's encrypted, Iptables can't tell. So, I added an explicit rule in the outgoing chain to allow packets with a source port of 20 (ftp-data) and a destination port of 1024-65535, and that seemed to work fine.

I'm curious, though, as to why I don't have to do the same for HTTPS (SSL) connections?
Old 09-26-2008, 05:15 AM   #3
LQ Newbie
Registered: Sep 2008
Posts: 1

Rep: Reputation: 0
Apologies for dragging up an old post but I have the same issue as stated above but cannot resolve it (using vsftpd instead of Proftp)

I have added the following rules in my iptables script but still can't get FTPS to work (FTP and SFTP working fine)

iptables -A INPUT -p tcp --dport 20 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p tcp --dport 21 --sport 1024:65535 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 1024:65535 --sport 20 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 1024:65535 --sport 21 -j ACCEPT

Any help would be appreciated.
Old 12-19-2008, 10:01 AM   #4
LQ Newbie
Registered: Jun 2008
Location: Peoria Illinois
Distribution: Gentoo
Posts: 9

Rep: Reputation: 0

Not sure if this still a problem for you..

What you need to do, is edit the proftpd config. Normally ( /etc/proftpd/proftpd.conf )

Adjust to passive ports to whatever you want them to be.

Then you need to forward those ports to your FTP server

iptables -t nat -A PREROUTING -p tcp --dport 65000:65100 -i eth0 -j DNAT --to IPOFFTPSERVER

The eth0 part will depend on your setup. might be different

This worked for me, I was able to establish a connection with server and do a list.. I was also able to download files.. although I am still getting the Server sent passive reply with unroutable address. Using server address instead. error but it all seems to work? If anyone has any more information on this, please share!



Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Proftpd+SSL/TLS no folder listing g0ug0u Linux - Software 3 11-30-2007 11:30 AM
vsftpd ssl/tls jefffq Linux - Software 2 07-05-2005 06:38 PM
apache SSL/TLS overlord73 Linux - Security 3 05-12-2005 05:53 AM
FTP via SSL (TLS) embsupafly Linux - Security 2 03-02-2005 08:47 PM
SSL vs. TLS X11 Linux - Security 8 12-17-2002 03:39 PM > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 07:56 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration