----- Original Message -----
From: "Stuart J. Browne" <stuart@xxxxxxxxxxxxx>
To: <netfilter@xxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, November 05, 2003 4:33 AM
Subject: RE: ftp and ssl

>
> >-----Original Message-----
> >From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
> >[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Ted Kaczmarek
> >Sent: Wednesday, 5 November 2003 13:03
> >To: Michael Klinteberg
> >Cc: netfilter@xxxxxxxxxxxxxxxxxxx
> >Subject: Re: ftp and ssl
> >
> >Allow tcp port 443 :-)
> >
> >Ted
> >On Tue, 2003-11-04 at 09:36, Michael Klinteberg wrote:
> >> I need to set up ftp that uses ssl. I don't know if
> >> ip_conntrack_ftp supports ssl. What are my options here?
> >> What do I need to know to set up the iptables rules/modules?
> >>
> >> Regards
> >> Michael
>
> Isn't 443 SSL over HTTP? :)
>
> By default, it looks as if netfilter only watches port 21, but you can
> pass it an option (called 'ports') of the ports you want to treat as FTP
> as well.
>
> How are you doing SSL FTP's?

WS_FTP Server.

> Using ssh's sftp? This just uses standard ssh ports.
>
> SSL FTP client (does anybody use this?) I believe has the
> services entry of 'sftp' and is port 115. I've not seen a production
> implementation of this though.
>
> If using 'sftp' from the OpenSSH packages, there is no need for any
> conntrack helpers, as it all uses the same port.
>
> If using the latter however, given that the channel will be encrypted, I
> don't see how this conntrack would work at all.
>
> just my thoughts..

A lot of responses here :-) Still don't know what to do? I could however set up rules that allow everything from the ftp client (me) to the ftp server and then run tcpdump and see what's going on. Is this a good approach?

/Michael K
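The two situations the thread separates (cleartext FTP, where the ip_conntrack_ftp helper can read PORT/PASV on the control channel and mark the data connections RELATED, versus FTP over SSL, where the control channel is encrypted and the helper is blind) can be expressed as two different rule sets. The script below is an added example and is not code from the thread or from the netfilter project; it prints the commands for review instead of applying them, and it assumes a constructed setup where the server listens for FTP control on ports 21 and 2121 and, for the SSL case, is pinned to a passive data-port range of 50000-50100 that the firewall then opens statically. The module parameter `ports=` is the one the thread refers to; the extra control port and the passive range are example values only.

```shell
#!/bin/sh
# Added example (not from the thread): emit netfilter rules for an FTP server
# in the two cases discussed above. Output is printed, not executed, so it can
# be reviewed before being run as root on the real host.

# Constructed example values, not taken from the thread:
CONTROL_PORTS="21,2121"     # control ports the helper should treat as FTP
PASV_RANGE="50000:50100"    # fixed passive data range for the SSL case

ftp_rules() {
    # $1 is "plain" (cleartext control channel, helper can follow it)
    # or "ftps"  (TLS-encrypted control channel, helper cannot follow it)
    mode=$1
    case "$mode" in
        plain)
            # The helper parses PORT/PASV on every listed control port and
            # marks the resulting data connections RELATED, so no static
            # data-port rule is needed.
            echo "modprobe ip_conntrack_ftp ports=$CONTROL_PORTS"
            ;;
        ftps)
            # No helper can read the encrypted control channel, so the
            # passive data ports have to be opened statically and the
            # server must be configured to use exactly that range.
            :
            ;;
        *)
            echo "usage: ftp_rules plain|ftps" >&2
            return 1
            ;;
    esac

    # Common rules: accept replies and helper-tracked data connections,
    # then accept new connections to the control port(s).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp -m multiport --dports $CONTROL_PORTS -m state --state NEW -j ACCEPT"

    if [ "$mode" = ftps ]; then
        echo "iptables -A INPUT -p tcp --dport $PASV_RANGE -m state --state NEW -j ACCEPT"
    fi
}

# Stand-alone usage: print both variants for comparison.
if [ "${1:-}" = "plain" ] || [ "${1:-}" = "ftps" ]; then
    ftp_rules "$1"
fi
```

The difference between the two outputs is the point of the thread: with cleartext FTP the firewall can stay closed except for the control ports, because the helper opens data connections on demand; with FTP over SSL the same helper gains nothing, and the only way to keep passive data transfers working is a fixed, explicitly permitted port range on both the server and the firewall.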