Thomas,

Remember what the FTP proxy's purpose is: it's trying to mediate the connection
between client and server. It's attempting to examine the traffic to see what
commands are being issued, what user is attempting to use the service, and so
on. Because your session is encrypted, it can't determine this information, and
this is why your session fails.

Sep 29 08:49:30 5D:firewall netacl-ftpd[23205]: permit host=????????.??.??.??/??.???.???.??? service=netacl-ftpd dest=???.???.???.??? port=21 execute=/usr/etc/ftp-gw
Sep 29 08:49:30 5D:firewall ftp-gw[23205]: permit host=????????.??.??.??/??.???.???.??? connect to ???.???.???.???
Sep 29 08:49:35 5D:firewall authsrv[23206]: BADAUTH SSL (ftp-gw ????????.??.??.??/??.???.???.???)
Sep 29 08:49:38 5D:firewall ftp-gw[23205]: exit host=????????.??.??.??/??.???.???.??? cmds=3 in=0 out=0 user=unauth duration=8

Because you're using encrypted FTP, an application-level gateway is pretty much
useless anyway. Turn off the FTP proxy (ftp-gw) and use a generic TCP plug
(plug-gw) on the same port.

You might run into other FTP problems, though, such as not being able to connect
to high-numbered ports and inbound connection attempts. I've never used "SSLftp"
before so I can't advise you in this respect. Is it similar to the FTP
functionality of SSHv2? Or is "SSLftp" just a catchy name for SSHv2?

Good luck,

Christopher Zarcone
Network Security Consultant
RPM Consulting, Inc.

#include <std.disclaimer.h>
My opinions are completely my own and based on no useful knowledge whatsoever,
and in fact should not be considered by anyone.

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
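As an added example (not code from the message above, nor from the firewall toolkit it discusses), the script below parses syslog lines in the netacl / ftp-gw / authsrv shape quoted in the message and flags sessions that show the same failure signature: an authsrv BADAUTH for the client host while the ftp-gw session is open, followed by an ftp-gw exit with user=unauth and in=0 out=0. That pattern is what an operator would look for in the gateway log to spot clients whose control channel the proxy cannot read. The embedded log lines are constructed for this example, with placeholder hostnames and documentation addresses; the field names, pids and message formats follow the excerpt.

```python
"""Flag FTP proxy sessions that failed the way the quoted log excerpt shows.

Added example; not code from the original message or from the firewall
toolkit it discusses. Sample log lines are constructed with placeholder
hosts and documentation addresses; field names and message shapes follow
the netacl / ftp-gw / authsrv lines quoted in the message.
"""
import re
from datetime import datetime

# Constructed sample: pid 23205 is the failing session (authsrv BADAUTH,
# exit with user=unauth and no payload); pid 23310 is a normal session.
SAMPLE_LOG = """\
Sep 29 08:49:30 5D:firewall netacl-ftpd[23205]: permit host=client.example.net/192.0.2.10 service=netacl-ftpd dest=198.51.100.5 port=21 execute=/usr/etc/ftp-gw
Sep 29 08:49:30 5D:firewall ftp-gw[23205]: permit host=client.example.net/192.0.2.10 connect to 198.51.100.5
Sep 29 08:49:35 5D:firewall authsrv[23206]: BADAUTH SSL (ftp-gw client.example.net/192.0.2.10)
Sep 29 08:49:38 5D:firewall ftp-gw[23205]: exit host=client.example.net/192.0.2.10 cmds=3 in=0 out=0 user=unauth duration=8
Sep 29 08:51:02 5D:firewall ftp-gw[23310]: permit host=other.example.net/192.0.2.11 connect to 198.51.100.5
Sep 29 08:52:40 5D:firewall ftp-gw[23310]: exit host=other.example.net/192.0.2.11 cmds=9 in=1024 out=512 user=alice duration=98
"""

# syslog prefix: "Mon DD HH:MM:SS logger prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<logger>\S+) (?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# key=value fields as written by netacl and ftp-gw
KV_RE = re.compile(r"(\w+)=(\S+)")
# authsrv failure line: "BADAUTH <method> (<proxy> <client host>)"
BADAUTH_RE = re.compile(r"BADAUTH (?P<method>\S+) \((?P<prog>[\w-]+) (?P<host>\S+)\)")


def parse_line(line):
    """Return a dict with ts/logger/prog/pid/msg/kv, or None for non-syslog input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # No year in the syslog prefix, so timestamps only order within one day.
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    rec["kv"] = dict(KV_RE.findall(rec["msg"]))
    return rec


def find_failed_sessions(log_text):
    """Pair ftp-gw permit/exit lines by pid, correlate them with authsrv
    BADAUTH lines for the same client host, and return the sessions that
    ended unauthenticated without moving any data."""
    sessions = {}   # pid -> session state
    badauth = []    # (timestamp, client host, auth method)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["prog"] == "ftp-gw":
            if rec["msg"].startswith("permit"):
                sessions[rec["pid"]] = {
                    "pid": rec["pid"], "host": rec["kv"].get("host"),
                    "start": rec["ts"], "end": None, "exit": {},
                }
            elif rec["msg"].startswith("exit") and rec["pid"] in sessions:
                sessions[rec["pid"]]["end"] = rec["ts"]
                sessions[rec["pid"]]["exit"] = rec["kv"]
        elif rec["prog"] == "authsrv":
            b = BADAUTH_RE.search(rec["msg"])
            if b and b.group("prog") == "ftp-gw":
                badauth.append((rec["ts"], b.group("host"), b.group("method")))

    flagged = []
    for s in sessions.values():
        if s["end"] is None:
            continue  # still open, or the exit line is missing
        ex = s["exit"]
        unauth = ex.get("user") == "unauth"
        no_data = ex.get("in") == "0" and ex.get("out") == "0"
        methods = [meth for ts, host, meth in badauth
                   if host == s["host"] and s["start"] <= ts <= s["end"]]
        if unauth and no_data and methods:
            flagged.append({
                "pid": s["pid"], "host": s["host"],
                "cmds": int(ex.get("cmds", "0")),
                "duration": int(ex.get("duration", "0")),
                "auth_methods": methods,
            })
    return flagged


if __name__ == "__main__":
    for f in find_failed_sessions(SAMPLE_LOG):
        print(f"pid {f['pid']} from {f['host']}: BADAUTH {','.join(f['auth_methods'])}, "
              f"{f['cmds']} cmds, no data, {f['duration']}s; proxy could not read "
              "the control channel")
```

Sessions are keyed by pid because, as in the excerpt, netacl execs ftp-gw in the same process and both the permit and exit lines carry that pid; authsrv logs under its own pid, so its BADAUTH is matched on client host and time window instead. The netacl-ftpd line is parsed but not used for the decision, since the ftp-gw permit line already names the client.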