On Wed, 2004-09-15 at 12:44, yann Conan wrote:
> Hi all,
>
> I'm trying to configure an iptables firewall in a
> structure in double bastion mode.
>
> this is the configuration:
> internet
> :
> :
> :
> FW (RH/iptables)
> :
> :
> :
> DMZ/w2k/FTPS server
> :
> :
> :
> FW(w2k/Isa server)
> :
> :
> :
> LAN
>
> the transfer of the data from the FTP server must be
> protected with SSL (no SSH)
>
> for the FTP transfer I make a PortForwarding with
> ip_conntrack_ftp and it works.
>
> but now I would like to know how I have to do to
> PortForward FTP data with SSL.
> There is a problem because iptables must find during
> the FTP connect the random client port in active FTP
> or the random server port in passive FTP. And if it's
> encrypted with SSL it's impossible for iptables to
> find the right ports.

correct.

> Then I would like to know if it is possible for
> iptables to read SSL or if there is a possibility to
> unencrypt in input, read the FTP connect with
> ip_conntrack_ftp and re-encrypt in output.

no. connection tracking an SSL-encrypted FTP session is impossible for the exact reasons you describe.

i once came across an FTP over SSL client/server that used something called "Clear Control Channel" that, after the user was authenticated, switched the control channel from SSL to clear text to allow firewalls to read the responses to PASV requests. it was proprietary and closed, though.

set up the FTP server to respond with a fixed range of ports for passive mode requests and allow all those ports through to the FTP server--it's your only option.

-j

--
Jason Opperisano <opie@xxxxxxxxxxx>
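Added example (not from this thread or from the netfilter project): the script below shows the two halves of the workaround Jason describes. `parse_pasv` reads the RFC 959 `227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)` reply and derives the data port exactly the way `ip_conntrack_ftp` does on a clear-text control channel, which is what it cannot do once the channel is SSL-encrypted; `audit_pasv_replies` then confirms that every announced port falls inside the fixed passive range the firewall has opened. `iptables_rules` emits the DNAT and FORWARD rules for the control port plus that range. The server address `192.168.1.10`, the range `50000-50100`, the interface `eth0`, explicit FTPS on port 21 and the sample 227 replies are all constructed assumptions, not values from the thread.

```python
import re

# Constructed assumptions (not from the thread): the DMZ FTPS server's private
# address and the fixed passive port range it is configured to announce.
FTP_SERVER = "192.168.1.10"
PASV_LOW, PASV_HIGH = 50000, 50100

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
# ip_conntrack_ftp parses this on a clear-text control channel; under SSL the
# firewall sees only ciphertext, so the range must be known in advance.
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed sample replies as a client would see them after STARTTLS is off,
# or as an admin would see them in the server's own log.
SAMPLE_REPLIES = [
    "220 FTPS service ready",
    "227 Entering Passive Mode (192,168,1,10,195,80)",   # port 50000: inside range
    "227 Entering Passive Mode (192,168,1,10,195,180)",  # port 50100: inside range
    "227 Entering Passive Mode (192,168,1,10,4,1)",      # port 1025: outside range
]


def parse_pasv(line):
    """Return (host, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    # Each field is one octet; anything larger is a malformed reply.
    if any(x > 255 for x in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def in_passive_range(port, low=PASV_LOW, high=PASV_HIGH):
    """True if the announced data port lies in the range the firewall opens."""
    return low <= port <= high


def audit_pasv_replies(lines, low=PASV_LOW, high=PASV_HIGH):
    """Check every 227 reply; a False entry means the server's passive range
    and the firewall's opened range disagree and that transfer would hang."""
    results = []
    for line in lines:
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        host, port = parsed
        results.append((host, port, in_passive_range(port, low, high)))
    return results


def iptables_rules(server=FTP_SERVER, low=PASV_LOW, high=PASV_HIGH, wan_if="eth0"):
    """Rule strings for the port forward: control port 21 plus the fixed
    passive range, since conntrack cannot open the data ports dynamically."""
    prange = f"{low}:{high}"
    return [
        f"iptables -t nat -A PREROUTING -i {wan_if} -p tcp --dport 21 "
        f"-j DNAT --to-destination {server}:21",
        f"iptables -t nat -A PREROUTING -i {wan_if} -p tcp --dport {prange} "
        f"-j DNAT --to-destination {server}",
        f"iptables -A FORWARD -i {wan_if} -p tcp -d {server} --dport 21 -j ACCEPT",
        f"iptables -A FORWARD -i {wan_if} -p tcp -d {server} --dport {prange} -j ACCEPT",
        "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]


if __name__ == "__main__":
    for host, port, ok in audit_pasv_replies(SAMPLE_REPLIES):
        print(f"{host}:{port} {'ok' if ok else 'OUTSIDE firewall range'}")
    print("\n".join(iptables_rules()))
```

Run it once against the server's real 227 replies (or its log) before trusting the forward: a port reported as outside the range means the server's passive configuration and the firewall's rules have drifted apart, and clients will connect on 21 but stall on every listing or transfer.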