On November 5, 2003 05:26 pm, Michael Klinteberg wrote:
> ----- Original Message -----
> From: "Stuart J. Browne" <stuart@xxxxxxxxxxxxx>
> To: <netfilter@xxxxxxxxxxxxxxxxxxx>
> Sent: Wednesday, November 05, 2003 4:33 AM
> Subject: RE: ftp and ssl
>
> > >-----Original Message-----
> > >From: netfilter-admin@xxxxxxxxxxxxxxxxxxx
> > >[mailto:netfilter-admin@xxxxxxxxxxxxxxxxxxx] On Behalf Of Ted Kaczmarek
> > >Sent: Wednesday, 5 November 2003 13:03
> > >To: Michael Klinteberg
> > >Cc: netfilter@xxxxxxxxxxxxxxxxxxx
> > >Subject: Re: ftp and ssl
> > >
> > >
> > >Allow tcp port 443 :-)
> > >
> > >Ted
> > >
> > >On Tue, 2003-11-04 at 09:36, Michael Klinteberg wrote:
> > >> I need to set up ftp that uses ssl. I don't know if
> > >> ip_conntrack_ftp supports
> > >> ssl. What are my options here?
> > >> What do I need to know to set up the iptables rules/modules?
> > >>
> > >> Regards
> > >> Michael
> >
> > Isn't 443 SSL over HTTP? :)
> >
> > By default, it looks as if netfilter only watches port 21, but you can
> > pass it an option (called 'ports') of the ports you want to treat as FTP
> > as well.
> >
> > How are you doing SSL FTPs?
>
> WS_FTP Server.
>
> > Using ssh's sftp? This just uses standard ssh ports.
> >
> > SSL FTP client (does anybody use this?) I believe has the
> > services entry of 'sftp' and is port 115. I've not seen a production
> > implementation of this though.
> >
> > If using 'sftp' from the OpenSSH packages, there is no need for any
> > conntrack helpers, as it all uses the same port.
> >
> > If using the latter however, given that the channel will be encrypted, I
> > don't see how this conntrack would work at all.
> >
> > just my thoughts..
>
> A lot of responses here :-) Still don't know what to do?
> I could however set up rules that allow everything from the ftp client (me)
> to the ftp server and then run tcpdump and see what's going on. Is this a
> god approach?

I don't know that god would use that approach *grin* but it would be a start.
You could use -j LOG to catalog what packets are being dropped.

Give me a few hours .. I've a friend with WS_FTP server running in *cough* that other operating system, and he might have hints for me. If I get anything interesting I'll let the list know.

>
> /Michael K

--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS
Any sufficiently advanced technology will have the appearance of magic. Let's get magical!
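The "-j LOG" approach from the reply above, worked through as an added example (not code from the thread): a small Python script that reads the lines the LOG target writes to the kernel log and lists which destination ports the client was refused on, so the control port and the data-channel ports, which the conntrack helper cannot extract from an encrypted control channel, can be opened with explicit rules. The log lines, addresses and the `FTP-DROP:` prefix are constructed for this example.

```python
"""Summarise what an iptables '-j LOG' rule recorded so the ports an FTP-over-SSL
session is refused on can be read off the kernel log instead of guessed. The
sample lines and the 'FTP-DROP:' --log-prefix are constructed for this example."""
import re
from collections import Counter

# The LOG target writes KEY=VALUE pairs; TCP flags (SYN, ACK) and DF are bare words.
_KV = re.compile(r"\b([A-Z]+)=(\S*)")
_SYN = re.compile(r"\bSYN\b")

def parse_log_line(line):
    """Return the LOG fields of one syslog line as a dict, or None for any other line."""
    start = line.find("IN=")
    if start < 0:
        return None
    fields = dict(_KV.findall(line[start:]))
    fields["SYN"] = bool(_SYN.search(line[start:]))
    return fields

def count_refused_connections(lines):
    """Count TCP connection attempts (SYN packets) per (src, dst, dport); non-SYN
    segments are skipped so retransmitted data does not inflate the count."""
    counts = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f and f.get("PROTO") == "TCP" and f["SYN"]:
            counts[(f["SRC"], f["DST"], int(f["DPT"]))] += 1
    return counts

def ports_refused(counts, client, server):
    """Ports the client was refused on: the control port plus data-channel ports, which
    ip_conntrack_ftp cannot learn from an encrypted control channel, so they need explicit rules."""
    return sorted({dport for (src, dst, dport) in counts if src == client and dst == server})

# Constructed sample: retried FTPS control SYN, one passive data connection, unrelated UDP, a non-LOG line.
SAMPLE_LOG = [
    "Nov  5 17:30:01 fw kernel: FTP-DROP: IN=eth0 OUT= SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=45123 DPT=990 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov  5 17:30:02 fw kernel: FTP-DROP: IN=eth0 OUT= SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=45123 DPT=990 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov  5 17:30:05 fw kernel: FTP-DROP: IN=eth0 OUT= SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=45124 DPT=51002 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov  5 17:30:06 fw kernel: FTP-DROP: IN=eth0 OUT= SRC=192.168.1.10 DST=203.0.113.5 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=45124 DPT=51002 WINDOW=5840 RES=0x00 ACK URGP=0",
    "Nov  5 17:30:07 fw kernel: FTP-DROP: IN=eth0 OUT= SRC=10.0.0.7 DST=203.0.113.5 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=5353 DPT=5353 LEN=48",
    "Nov  5 17:30:08 fw sshd[123]: Accepted publickey for alice from 192.168.1.10",
]

if __name__ == "__main__":
    counts = count_refused_connections(SAMPLE_LOG)
    for (src, dst, dport), n in sorted(counts.items()):
        print(f"{src} -> {dst}:{dport}  {n} attempt(s)")
    print("ports to open:", ports_refused(counts, "192.168.1.10", "203.0.113.5"))
```

On a real firewall, feed it the kernel log lines carrying your own --log-prefix instead of SAMPLE_LOG.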