Problem: VSFTPD using SSL through firewall
VSFTPD + SSL + firewall + me = doesn't work. I just installed Fedora Core 3 on a box in a DMZ. I can vsftp into that box from another PC in the DMZ just fine. When I try from outside I get the error: 530 Non-anonymous sessions must use encryption. When I comment out all the SSL directives in vsftpd.conf, it works fine from anywhere. Here is my vsftpd.conf:
anonymous_enable=NO
local_enable=YES
write_enable=YES
download_enable=NO
local_umask=077
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
log_ftp_protocol=YES
dual_log_enable=YES
use_localtime=YES
idle_session_timeout=300
data_connection_timeout=120
ftpd_banner=Welcome
chroot_local_user=YES
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=YES
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/usr/share/ssl/certs/vsftpd.pem
On the firewall, I have a NAT to the FTP server and I have opened ports 20 and 21 in all directions.
The FTP log shows this for the pc outside the DMZ:
Wed Mar 30 12:39:07 2005 [pid 4128] CONNECT: Client "10.30.10.20"
Wed Mar 30 19:39:07 2005 [pid 4128] FTP response: Client "10.30.10.20", "220 Welcome"
Wed Mar 30 19:39:07 2005 [pid 4128] FTP command: Client "10.30.10.20", "USER galileo"
Wed Mar 30 19:39:07 2005 [pid 4128] [galileo] FTP response: Client "10.30.10.20", "530 Non-anonymous sessions must use encryption."
and this for the pc inside the DMZ:
Wed Mar 30 11:27:13 2005 [pid 3756] CONNECT: Client "192.168.0.3"
Wed Mar 30 18:27:13 2005 [pid 3756] FTP response: Client "192.168.0.3", "220 Welcome"
Wed Mar 30 18:27:13 2005 [pid 3756] FTP command: Client "192.168.0.3", "AUTH TLS"
Wed Mar 30 18:27:13 2005 [pid 3756] FTP response: Client "192.168.0.3", "234 Proceed with negotiation."
Wed Mar 30 18:27:14 2005 [pid 3756] FTP command: Client "192.168.0.3", "USER galileo"
Wed Mar 30 18:27:14 2005 [pid 3756] [galileo] FTP response: Client "192.168.0.3", "331 Please specify the password."
Wed Mar 30 18:27:14 2005 [pid 3756] [galileo] FTP command: Client "192.168.0.3", "PASS <password>"
Wed Mar 30 11:27:14 2005 [pid 3755] [galileo] OK LOGIN: Client "192.168.0.3"
Wed Mar 30 11:27:14 2005 [pid 3757] [galileo] FTP response: Client "192.168.0.3", "230 Login successful."
Wed Mar 30 18:27:14 2005 [pid 3757] [galileo] FTP command: Client "192.168.0.3", "PWD"
Wed Mar 30 18:27:14 2005 [pid 3757] [galileo] FTP response: Client "192.168.0.3", "257 "/""
Wed Mar 30 18:27:14 2005 [pid 3757] [galileo] FTP command: Client "192.168.0.3", "PBSZ 0"
Wed Mar 30 18:27:14 2005 [pid 3757] [galileo] FTP response: Client "192.168.0.3", "200 PBSZ set to 0."
Wed Mar 30 18:27:14 2005 [pid 3757] [galileo] FTP command: Client "192.168.0.3", "PRET LIST "
Wed Mar 30 18:27:14 2005 [pid 3757] [galileo] FTP response: Client "192.168.0.3", "500 Unknown command."
Wed Mar 30 18:27:14 2005 [pid 3757] [galileo] FTP command: Client "192.168.0.3", "PASV"
Wed Mar 30 18:27:14 2005 [pid 3757] [galileo] FTP response: Client "192.168.0.3", "227 Entering Passive Mode (192,168,0,2,189,181)"
Wed Mar 30 18:27:14 2005 [pid 3757] [galileo] FTP command: Client "192.168.0.3", "LIST"
Wed Mar 30 18:27:14 2005 [pid 3757] [galileo] FTP response: Client "192.168.0.3", "150 Here comes the directory listing."
Wed Mar 30 18:27:14 2005 [pid 3757] [galileo] FTP response: Client "192.168.0.3", "226 Directory send OK."
Also, I have used the gFTP and lftp clients inside the DMZ, and I have used lftp and SmartFTP outside.
Are there additional ports that I need to open, or anything else that I am missing? Any assistance will be greatly appreciated. Please format answers in newbie-speak, thanks!
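The two log excerpts above already contain the evidence a reviewer would look for: in the outside session the first command after CONNECT is USER, and the server answers with the 530 that force_local_logins_ssl=YES produces, whereas the inside session sends AUTH TLS, gets 234, and only then sends USER. The inside session also shows a PASV reply whose last two numbers (189,181) encode data port 189*256+181 = 48565, which is outside the 20/21 range the firewall currently allows. The following script is an added example, not code from the post or from vsftpd: it parses vsftpd log lines in the format quoted above, groups them by client address (the pid changes mid-session in the log, so the address is the stable key), records whether AUTH TLS preceded USER, flags the 530 rejection, and decodes PASV replies into host:port pairs. The log lines it analyses are the ones from the post; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Matches the vsftpd log format quoted in the post, e.g.
#   Wed Mar 30 18:27:13 2005 [pid 3756] FTP command: Client "192.168.0.3", "AUTH TLS"
# The optional "[user]" field appears once the USER command has been seen.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid (?P<pid>\d+)\] '
    r'(?:\[(?P<user>[^\]]+)\] )?'
    r'(?P<kind>CONNECT|FTP command|FTP response|OK LOGIN): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<text>.*)")?$'
)

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": port = p1*256 + p2
PASV_RE = re.compile(r'Entering Passive Mode \((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)')


@dataclass
class Session:
    client: str
    commands: List[str] = field(default_factory=list)      # commands in arrival order
    auth_tls_before_user: Optional[bool] = None            # None until USER is seen
    rejected_plain_login: bool = False                     # saw the 530 encryption refusal
    pasv_endpoints: List[Tuple[str, int]] = field(default_factory=list)


def analyse(lines: List[str]) -> Dict[str, Session]:
    """Group vsftpd log lines by client address and extract TLS/PASV facts."""
    sessions: Dict[str, Session] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line or a format this example does not know
        s = sessions.setdefault(m['client'], Session(m['client']))
        kind, text = m['kind'], (m['text'] or '')
        if kind == 'FTP command':
            s.commands.append(text.strip().upper())
            if text.upper().startswith('USER') and s.auth_tls_before_user is None:
                # AUTH TLS (or AUTH SSL) must have been accepted before USER for
                # force_local_logins_ssl=YES to let the login proceed.
                s.auth_tls_before_user = any(c.startswith('AUTH') for c in s.commands[:-1])
        elif kind == 'FTP response':
            if text.startswith('530') and 'encryption' in text.lower():
                s.rejected_plain_login = True
            pm = PASV_RE.search(text)
            if pm:
                h1, h2, h3, h4, p1, p2 = map(int, pm.groups())
                s.pasv_endpoints.append((f'{h1}.{h2}.{h3}.{h4}', p1 * 256 + p2))
    return sessions


def data_ports_outside_control_range(sessions: Dict[str, Session]) -> List[int]:
    """Passive data ports seen that a firewall allowing only 20/21 would block."""
    ports = {port for s in sessions.values() for _, port in s.pasv_endpoints}
    return sorted(p for p in ports if p not in (20, 21))


# Log lines taken from the post (one outside client, one inside client).
SAMPLE_LOG = """
Wed Mar 30 12:39:07 2005 [pid 4128] CONNECT: Client "10.30.10.20"
Wed Mar 30 19:39:07 2005 [pid 4128] FTP response: Client "10.30.10.20", "220 Welcome"
Wed Mar 30 19:39:07 2005 [pid 4128] FTP command: Client "10.30.10.20", "USER galileo"
Wed Mar 30 19:39:07 2005 [pid 4128] [galileo] FTP response: Client "10.30.10.20", "530 Non-anonymous sessions must use encryption."
Wed Mar 30 11:27:13 2005 [pid 3756] CONNECT: Client "192.168.0.3"
Wed Mar 30 18:27:13 2005 [pid 3756] FTP response: Client "192.168.0.3", "220 Welcome"
Wed Mar 30 18:27:13 2005 [pid 3756] FTP command: Client "192.168.0.3", "AUTH TLS"
Wed Mar 30 18:27:13 2005 [pid 3756] FTP response: Client "192.168.0.3", "234 Proceed with negotiation."
Wed Mar 30 18:27:14 2005 [pid 3756] FTP command: Client "192.168.0.3", "USER galileo"
Wed Mar 30 18:27:14 2005 [pid 3756] [galileo] FTP response: Client "192.168.0.3", "331 Please specify the password."
Wed Mar 30 11:27:14 2005 [pid 3755] [galileo] OK LOGIN: Client "192.168.0.3"
Wed Mar 30 18:27:14 2005 [pid 3757] [galileo] FTP response: Client "192.168.0.3", "257 "/""
Wed Mar 30 18:27:14 2005 [pid 3757] [galileo] FTP command: Client "192.168.0.3", "PASV"
Wed Mar 30 18:27:14 2005 [pid 3757] [galileo] FTP response: Client "192.168.0.3", "227 Entering Passive Mode (192,168,0,2,189,181)"
Wed Mar 30 18:27:14 2005 [pid 3757] [galileo] FTP command: Client "192.168.0.3", "LIST"
""".strip().splitlines()


if __name__ == '__main__':
    result = analyse(SAMPLE_LOG)
    for client, s in result.items():
        print(f'{client}: AUTH TLS before USER = {s.auth_tls_before_user}, '
              f'530 plain-login refusal = {s.rejected_plain_login}, PASV = {s.pasv_endpoints}')
    print('passive data ports a 20/21-only firewall would block:',
          data_ports_outside_control_range(result))
```

Run against the post's own lines, the outside client comes out as USER-without-AUTH plus the 530 refusal, the inside client as AUTH TLS first, and the PASV reply decodes to 192.168.0.2:48565. The same parser can be pointed at a full vsftpd log to check, per client, whether logins are being refused for lack of TLS and which passive ports the server is handing out.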