Re: SecureFTP through firewall fails

From: Joachim Schipper (jDOTschipper_at_math.uu.nl)
Date: 01/27/05


Date: 27 Jan 2005 00:53:28 GMT

Sachin <sachinajoshi@gmail.com> wrote:
> Hi friends,
>
> I am trying for Secure FTP connection through firewall, but it is
> failing before the SSL handshake.
> FTP client starts the handshake & sends the client Hello message to
> server, but before I receive server Hello, the connection is broken & I
> get IOException.
> I feel, it is because, server is trying to connect to the
> client for Data Connection, but failing to get the connection due
> to the firewall rules. We have tried to set different firewall rules by
> referring the data on net, but still it fails.
>
> Has anybody ever tried this ? is there any clue for setting the
> firewall rules for this ?
>
> Any help is appreciated.
>
> Thanks,
> Sachin

Dear Sachin,

just a single pointer, not a complete solution (you didn't give enough
data for that) - but do realize that FTP connection tracking
(ip_conntrack_ftp or whatever it is on your system) does not work with
encrypted traffic (very obvious if you think about it...), so your
firewall cannot automagically open a couple ports when you try to
request data. I've spent quite a few hours debugging this particular
issue...

However, you mention the server not even returning a greeting. This does
not require a data connection, really.

Before continuing, test and post the following using a simple FTP client
that will actually show what's happening (so that you know exactly what
commands were executed and which failed):
        - Can you connect using plain FTP? Login? Get a listing?
        - Idem for encrypted FTP
        - Are you using active or passive FTP? Whichever you use now,
          try the other as well.
        - What does the server show in the logfiles? What does the
          client say, other than IOException (which isn't terribly
          useful)?
        - Is your firewall stateful? Do you open up a range of ports, or
          do you use connection tracking? (If so, see above.) Does it
          work with plain FTP?

                Joachim
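
The point above about FTP connection tracking and encrypted traffic, as an added example that is not part of the original post: a simplified Python model of what a cleartext FTP helper reads on the control channel, not the code of ip_conntrack_ftp or any real firewall. The function names and the sample segments are constructed for illustration.

```python
import re

# Text a cleartext FTP helper looks for on the control channel (RFC 959).
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
TLS_CONTENT_TYPES = {20, 21, 22, 23}  # ChangeCipherSpec, Alert, Handshake, AppData


def looks_like_tls_record(segment: bytes) -> bool:
    """True if the segment starts with a TLS record header (type, major version 3)."""
    return len(segment) >= 5 and segment[0] in TLS_CONTENT_TYPES and segment[1] == 3


def expected_data_endpoint(segment: bytes):
    """Return the (ip, port) a helper could pre-open, or None if it can read nothing."""
    if looks_like_tls_record(segment):
        return None  # ciphertext: the PORT command / 227 reply is not visible
    for line in segment.split(b"\r\n"):
        m = PASV_RE.match(line) or PORT_RE.match(line)
        if not m:
            continue
        nums = [int(x) for x in m.groups()]
        if max(nums) > 255:
            continue  # not a valid h1,h2,h3,h4,p1,p2 tuple
        return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    return None


# Constructed sample control-channel segments (documentation addresses).
PLAIN_PASV = b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"
PLAIN_PORT = b"PORT 198,51,100,7,4,1\r\n"
# Same kind of reply after AUTH TLS: a TLS application-data record, body is filler.
TLS_PASV = b"\x17\x03\x03\x00\x20" + bytes(range(0x80, 0xA0))

if __name__ == "__main__":
    for name, seg in [("plain PASV", PLAIN_PASV), ("plain PORT", PLAIN_PORT),
                      ("TLS record", TLS_PASV)]:
        print(f"{name:10} -> {expected_data_endpoint(seg)}")
```

In the TLS case the model has no endpoint to hand to the firewall, which is why the checklist above asks whether a range of ports is opened explicitly instead of relying on connection tracking.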


