On 2017-12-06 04:15, Benny Pedersen via Shorewall-users wrote:
>> You have to open (forward) all of these ports because you cannot
>> know which port will be selected for the specific connection.
>> Helpers like ip_conntrack_ftp don't support encryption.
>
> Is SSL/TLS using a non-default port rather than 21?
>
> The conntracker only knows the default port 21, but if SSL/TLS is using
> other ports, they could be added to the conntracker IMHO so it works the
> kernel way.
>
> No?
Well, there are two FTP modes using TLS:

- Explicit FTPS (you connect via plaintext but immediately issue the "AUTH TLS" command to switch into secure (TLS) mode).
- Implicit FTPS (right from the beginning you create a TLS connection).

Because of this technical difference (allow plaintext vs. require TLS from the beginning), both modes cannot run together on one port. You need a separate port for each. Explicit FTPS keeps using port 21 in most setups and implicit FTPS uses port 990 by default.

However, some people don't like that and say "Implicit FTPS is dead, use explicit FTPS (i.e. "AUTH TLS") only" (same with IMAP: port 143 and "STARTSSL" vs. port 993 requiring TLS from the beginning). I prefer the latter, because have you checked all the clients out there to see if they gracefully handle a REJECT when trying to switch to TLS mode? My fear is that some clients may just continue in plaintext...

Anyway, encryption happens in user space (= ftpd), but the helper modules are running in the kernel. To work, they must read what the ftpd is doing. Normally they hook into the traffic so they know "Ah, ftpd told the client to use port X for this connection" [1] and open the port. But due to TLS they cannot read the communication (it doesn't matter whether you use explicit or implicit mode, or whether you just use another port).

That's why your only option left, when you want to provide a stable but firewalled FTP service, is to instruct your ftpd to use specific ports. This allows you to set up your firewall accordingly.
See also:
=========
[1] https://github.com/torvalds/linux/blob/master/net/netfilter/nf_conntrack_ftp.c#L291

--
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
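Added example illustrating the two points of the reply above (why the conntrack helper needs a readable control channel, and why a pinned passive range plus a static rule is the way out). This is not code from the thread, from Shorewall, or from the kernel. The vsftpd options pasv_min_port/pasv_max_port and force_local_*_ssl are real option names; the vsftpd.conf text, the Shorewall rules text (assumed column layout ACTION SOURCE DEST PROTO DPORT), the 50000:50100 range and the TLS record bytes are all constructed here for the example.

```python
"""Added example, not code from the thread, Shorewall or the kernel.

passive_port() does in user space what nf_conntrack_ftp does in the
kernel: scan the control channel for a "227 Entering Passive Mode
(h1,h2,h3,h4,p1,p2)" or "229 Extended Passive Mode (|||port|)" reply and
extract the data port to open. The rest checks that an ftpd's pinned
passive range is covered by a static firewall rule. Assumed: vsftpd
option names, a Shorewall rules layout of ACTION SOURCE DEST PROTO DPORT,
and constructed sample texts with an arbitrary 50000:50100 range.
"""
import re
from typing import List, Optional, Tuple

# Patterns equivalent to the PASV/EPSV reply matchers the helper uses.
PASV_RE = re.compile(
    rb"227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
EPSV_RE = re.compile(rb"229 [^(]*\(\|\|\|(\d{1,5})\|\)")


def passive_port(control_bytes: bytes) -> Optional[int]:
    """Return the data port announced in a plaintext PASV/EPSV reply, or None.

    A conntrack helper can only open a RELATED hole if it can see this text.
    """
    m = PASV_RE.search(control_bytes)
    if m:
        p1, p2 = int(m.group(5)), int(m.group(6))
        return p1 * 256 + p2
    m = EPSV_RE.search(control_bytes)
    if m:
        return int(m.group(1))
    return None


# Constructed stand-in for the same reply after TLS: a TLS 1.2 application
# data record header (type 0x17, version 3.3, length 32) followed by opaque
# ciphertext bytes. The helper sees exactly this and finds nothing.
TLS_WRAPPED_REPLY = bytes.fromhex(
    "1703030020"
    "8df14c0ba762e9135fc03a91d47826ee05b36a4f97c812d6e03b58a47f0c91c2"
)

# Constructed vsftpd.conf fragment: explicit FTPS on port 21, TLS forced
# for logins and data, passive data ports pinned to 50000-50100.
VSFTPD_CONF = """\
listen=YES
ssl_enable=YES
force_local_logins_ssl=YES
force_local_data_ssl=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50100
"""

# Constructed /etc/shorewall/rules fragments. The first opens the control
# ports (21 explicit, 990 implicit) plus the pinned passive range; the
# second opens only port 21 and would rely on the helper, which TLS defeats.
SHOREWALL_RULES = """\
#ACTION  SOURCE  DEST  PROTO  DPORT
ACCEPT   net     $FW   tcp    21,990
ACCEPT   net     $FW   tcp    50000:50100
"""
HELPER_ONLY_RULES = """\
#ACTION  SOURCE  DEST  PROTO  DPORT
ACCEPT   net     $FW   tcp    21
"""


def pasv_range(vsftpd_conf: str) -> Tuple[int, int]:
    """Read and sanity-check pasv_min_port/pasv_max_port from vsftpd.conf text."""
    opts = {}
    for line in vsftpd_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    lo, hi = int(opts["pasv_min_port"]), int(opts["pasv_max_port"])
    if not 0 < lo <= hi < 65536:
        raise ValueError(f"bad passive range {lo}:{hi}")
    return lo, hi


def accepted_tcp_ranges(rules: str) -> List[Tuple[int, int]]:
    """Collect (lo, hi) TCP DPORT ranges ACCEPTed from net to $FW."""
    out = []
    for line in rules.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[:4] != ["ACCEPT", "net", "$FW", "tcp"]:
            continue
        for item in cols[4].split(","):
            lo, _, hi = item.partition(":")
            out.append((int(lo), int(hi or lo)))
    return out


def passive_range_firewalled(vsftpd_conf: str, rules: str) -> bool:
    """True when a single ACCEPT range covers the whole pinned passive range."""
    lo, hi = pasv_range(vsftpd_conf)
    return any(rlo <= lo and hi <= rhi for rlo, rhi in accepted_tcp_ranges(rules))


if __name__ == "__main__":
    print(passive_port(b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"))
    print(passive_port(TLS_WRAPPED_REPLY))
    print(passive_range_firewalled(VSFTPD_CONF, HELPER_ONLY_RULES))
```

The force_local_logins_ssl/force_local_data_ssl lines address the client fallback worry from the reply: the server refuses plaintext logins itself instead of hoping every client handles a rejected AUTH TLS correctly. Whatever range you pin in the ftpd must appear verbatim in the rules file, which is what passive_range_firewalled() checks; with the FTP helper unable to read the TLS control channel, nothing else will open those ports.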