Hello,

> I'm at my wits' end, I'm out of ideas ;( Please help if anyone has
> any idea.

How to solve it - I don't have a solution either, maybe someone will come up with something? I'm wondering about PassivePorts - how well it works. How many of those ports need to be given and whether it makes sense at all. [read on] As for what the cause is:

> how to configure it - and what is the cause ...
> A firewall problem?

Yes.

PL: the connection that gets established will be on a port other than 21. Obviously. But the channel is already encrypted and the kernel is not able to figure out which ports it has to forward. If there were no DMZ, there would probably be no problem. The old RFCs allowed an extra port 990 for TLS, but in proftpd it's probably not supported :( a shame.

EN, quote:

Question: Using mod_tls, FTP sessions through my firewall now no longer work. What's going on?

Answer: The short answer is that FTPS and firewalls (and devices performing NAT) do not interact well. The control connection happens on a well-known port, and has no issues; it is the data connection that poses problems for FTP-aware firewalls. In a non-FTPS session, the firewall can inspect the FTP server's responses on the control connection to a client's PASV or PORT command, and thus know on which ports/addresses the data connection will be established. In an FTPS session, though, those control connection messages are encrypted (that is the point of using FTPS, right?), and so the FTP-aware firewall cannot peek. Hence, it cannot know on which ports the data connection will be established. For firewalls that are configured to always allow a certain range of ports (such as might be configured using the PassivePorts directive), FTPS should function without issue. Unfortunately, this is a rather intractable--and known--issue. Earlier versions of the Draft defining FTPS used to allow something known as "implicit" FTPS, by which a client could contact a well-known port (akin to port 443 for HTTPS; FTPS used port 990) and the server, simply because the client contacted that certain port, would automatically encrypt the session. This approach has several drawbacks (the reason why it was removed from later versions of the Draft), but it did allow for simple TCP proxying. There has been no replacement.

[http://www.castaglia.org/proftpd/doc/contrib/ProFTPD-mini-HOWTO-TLS.html]

-- 
Regards,
Marcin.
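To show what the PassivePorts approach from the quoted FAQ looks like in practice, here is an added proftpd.conf fragment (an example written for this thread, not from the original post or the ProFTPD documentation). The hostname, certificate paths and the port range are assumptions; the point is that the data-port range is fixed in advance so the firewall can be opened for it without having to read the encrypted PASV replies.

```apache
# Added example, not from the original post or the ProFTPD docs.
# Hostname, file paths and the port range below are assumptions.

# Fix the range used for passive-mode data connections. The firewall in
# front of the server must allow inbound TCP 49152-49200 to this host in
# addition to TCP 21; it cannot learn the port from the encrypted PASV reply.
PassivePorts 49152 49200

# Behind NAT: put the public address into PASV replies yourself, because
# the NAT device cannot rewrite an address inside the encrypted channel.
MasqueradeAddress ftp.example.com

<IfModule mod_tls.c>
  TLSEngine on
  TLSLog /var/log/proftpd/tls.log
  TLSRSACertificateFile /etc/ssl/certs/ftp.example.com.crt
  TLSRSACertificateKeyFile /etc/ssl/private/ftp.example.com.key
  # Explicit FTPS (AUTH TLS on port 21): require TLS on both the control
  # and the data channel, so nothing falls back to cleartext.
  TLSRequired on
</IfModule>
```

On a Linux gateway the matching rules are simply an ACCEPT for TCP 21 and one for TCP 49152:49200 towards the server; the kernel's FTP connection-tracking helper is of no use here, since it would have to inspect the encrypted control channel.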

