* ftp and ssl
@ 2003-11-04 14:36 Michael Klinteberg
  2003-11-05  3:03 ` Ted Kaczmarek
  0 siblings, 1 reply; 9+ messages in thread
From: Michael Klinteberg @ 2003-11-04 14:36 UTC (permalink / raw)
  To: netfilter

I need to set up ftp that uses ssl. I don't know if ip_conntrack_ftp supports
ssl. What are my options here?
What do I need to know to setup the iptables rules/modules?

Regards
Michael




* Re: ftp and ssl
  2003-11-04 14:36 ftp and ssl Michael Klinteberg
@ 2003-11-05  3:03 ` Ted Kaczmarek
  2003-11-05  3:33   ` Stuart J. Browne
  0 siblings, 1 reply; 9+ messages in thread
From: Ted Kaczmarek @ 2003-11-05  3:03 UTC (permalink / raw)
  To: Michael Klinteberg; +Cc: netfilter

Allow tcp port 443 :-)

Ted
On Tue, 2003-11-04 at 09:36, Michael Klinteberg wrote:
> I need to set up ftp that uses ssl. I don't know if ip_conntrack_ftp supports
> ssl. What are my options here?
> What do I need to know to setup the iptables rules/modules?
> 
> Regards
> Michael




* RE: ftp and ssl
  2003-11-05  3:03 ` Ted Kaczmarek
@ 2003-11-05  3:33   ` Stuart J. Browne
  2003-11-05  9:37     ` Maciej Soltysiak
  2003-11-05 22:26     ` Michael Klinteberg
  0 siblings, 2 replies; 9+ messages in thread
From: Stuart J. Browne @ 2003-11-05  3:33 UTC (permalink / raw)
  To: netfilter



>-----Original Message-----
>From: netfilter-admin@lists.netfilter.org 
>[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Ted Kaczmarek
>Sent: Wednesday, 5 November 2003 13:03
>To: Michael Klinteberg
>Cc: netfilter@lists.netfilter.org
>Subject: Re: ftp and ssl
>
>
>Allow tcp port 443 :-)
>
>Ted
>On Tue, 2003-11-04 at 09:36, Michael Klinteberg wrote:
>> I need to set up ftp that uses ssl. I don't know if
>ip_conntrack_ftp supports
>> ssl. What are my options here?
>> What do I need to know to setup the iptables rules/modules?
>> 
>> Regards
>> Michael

Isn't 443 SSL over HTTP? :)

By default, it looks as if netfilter only watches port 21, but you can
pass it an option (called 'ports') of the ports you want to treat as FTP
as well.

How are you doing SSL FTP?

	Using ssh's sftp? This just uses standard ssh ports.

	SSL FTP client (does anybody use this?) I believe has the
services entry of 'sftp' and is port 115.  I've not seen a production
implementation of this though.


If using 'sftp' from the OpenSSH packages, there is no need for any
conntrack helpers, as it all uses the same port.

If using the latter however, given that the channel will be encrypted, I
don't see how this conntrack would work at all.

just my thoughts..




* RE: ftp and ssl
  2003-11-05  3:33   ` Stuart J. Browne
@ 2003-11-05  9:37     ` Maciej Soltysiak
  2003-11-05 10:10       ` Marcin Kaminski
  2003-11-05 22:26     ` Michael Klinteberg
  1 sibling, 1 reply; 9+ messages in thread
From: Maciej Soltysiak @ 2003-11-05  9:37 UTC (permalink / raw)
  To: Stuart J. Browne; +Cc: netfilter

> Isn't 443 SSL over HTTP? :)
You can use SSL over anything.
telnet over SSL is called ssh.

> 	SSL FTP client (does anybody use this?)
Sure, some people use this. (Not me, yet) It works like ftp or http -
requires exchanging an x.509 certificate and then goes on with an encrypted
connection.

> I believe has the services entry of 'sftp' and is port 115.  I've not
> seen a production implementation of this though.
I have not been using that ssl ftp, but I am sure it is not sftp, nor
OpenSSH related.

> If using the latter however, given that the channel will be encrypted, I
> don't see how this conntrack would work at all.
If ftp-control is encrypted too, connection tracking is impossible.
And doing rewriting over NAT is even more impossible.

Regards,
Maciej




* RE: ftp and ssl
  2003-11-05  9:37     ` Maciej Soltysiak
@ 2003-11-05 10:10       ` Marcin Kaminski
  2003-11-05 10:41         ` Maciej Soltysiak
  0 siblings, 1 reply; 9+ messages in thread
From: Marcin Kaminski @ 2003-11-05 10:10 UTC (permalink / raw)
  To: Maciej Soltysiak; +Cc: Stuart J. Browne, netfilter

On Wed, 5 Nov 2003, Maciej Soltysiak wrote:

> > Isn't 443 SSL over HTTP? :)
> You can use SSL over anything.

Not quite: you can use almost anything over SSL, rather than the reverse.

> telnet over SSL is called ssh.

No, it is not. SSH is also based on SSL but it is not just telnet over
SSL. Telnet over SSL is telnet over SSL.

> > 	SSL FTP client (does anybody use this?)
> Sure, some people use this. (Not me, yet) It works like ftp or http -
> requires to exchange an x.509 certificate and then goes on with an encrypted
> connection.

And it can be used to encrypt only control stream, or both data and
control streams.

> I have not been using that ssl ftp, but I am sure it is not sftp, nor
> OpenSSH related.

And you are right :) I use 'lftp' client to connect to SSL protected FTP.

> > If using the latter however, given that the channel will be encrypted, I
> > don't see how this conntrack would work at all.
> If ftp-control is encrypted too, connection tracking is impossible.
> And doing rewriting over nat even more impossible.

I'm not sure if one can encrypt only ftp-data. In the 'lftp' configuration
there is an option to optionally encrypt ftp-data, and ftp-control is
always encrypted when using SSL.

Latest draft about the topic is in:
http://www.ietf.org/internet-drafts/draft-murray-auth-ftp-ssl-12.txt

Regards




* RE: ftp and ssl
  2003-11-05 10:10       ` Marcin Kaminski
@ 2003-11-05 10:41         ` Maciej Soltysiak
  0 siblings, 0 replies; 9+ messages in thread
From: Maciej Soltysiak @ 2003-11-05 10:41 UTC (permalink / raw)
  To: Marcin Kaminski; +Cc: Stuart J. Browne, netfilter

> > You can use SSL over anything.
>
> Not quite, You can use almost anything over SSL rather than reverse.
You got me there.

> > telnet over SSL is called ssh.
>
> No, it is not. SSH is also based on SSL but it is not just telnet over
> SSL. Telnet over SSL is telnet over SSL.
Ok, that simplification was going too far.

> > Sure, some people use this. (Not me, yet) It works like ftp or http -
> > requires to exchange an x.509 certificate and then goes on with an encrypted
> > connection.
>
> And It can be used to encrypt only control stream, or both data and
> control streams.
So connection tracking is out of the question. However, the router could
act as a 'man in the middle' ssl proxy, and then it could decrypt
ftp-control and track these connections. Is there any software that
actually does that to aid netfilter?

> Latest draft about the topic is in:
> http://www.ietf.org/internet-drafts/draft-murray-auth-ftp-ssl-12.txt
So it's still a draft, no wonder I never got to reading that :)

> Regards
Regards,
Maciej

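The two points the thread settles on, Stuart's note that ip_conntrack_ftp takes a 'ports' option for non-standard control ports and the later agreement that an encrypted control channel leaves the helper blind, are easiest to see side by side as rule sets. The script below is an added example, not code from the thread or from the netfilter project: it prints (rather than applies) the iptables rules for plain FTP, OpenSSH sftp and FTPS, and gives a small check that says whether the helper can follow each variant. All concrete values are my assumptions: the firewall is the FTP server host, control ports 21 and 2121, SSH on 22, and, because nothing on the firewall can read PORT/PASV once they are encrypted, the FTPS server is assumed to have been pinned to a fixed passive range 50000-50100 that is then opened statically.

```shell
#!/bin/sh
# Added example, not code from the thread: print (do not apply) iptables rules
# for the three FTP variants discussed, plus a check for whether the
# ip_conntrack_ftp helper can follow a given variant.  Assumptions, all mine:
# firewall = FTP server host, FTP control on 21 and 2121 (constructed), SSH on
# 22, FTPS server pinned to the passive data range 50000-50100 (constructed)
# because the helper cannot learn the data port from an encrypted channel.

FTP_PORTS="21,2121"        # control ports the helper should inspect
PASV_RANGE="50000:50100"   # constructed: fixed passive range set on the FTPS server

# The modprobe line that hands the helper its 'ports' list.
ftp_helper_modprobe() {
    printf 'modprobe ip_conntrack_ftp ports=%s\n' "$FTP_PORTS"
}

# Plain FTP: the helper reads PORT/PASV on the control channel, so the data
# channel is matched as RELATED and needs no static hole.
plain_ftp_rules() {
    ftp_helper_modprobe
    printf 'iptables -A INPUT -p tcp -m multiport --dports %s -j ACCEPT\n' "$FTP_PORTS"
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# OpenSSH sftp: one TCP port carries everything, no helper involved.
sftp_rules() {
    printf 'iptables -A INPUT -p tcp --dport 22 -j ACCEPT\n'
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
}

# FTPS with an encrypted control channel: the helper never sees PORT/PASV, so
# the passive range must be opened statically; RELATED buys nothing here.
ftps_rules() {
    printf 'iptables -A INPUT -p tcp -m multiport --dports %s -j ACCEPT\n' "$FTP_PORTS"
    printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$PASV_RANGE"
    printf 'iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT\n'
}

# helper_can_track MODE: exit 0 if ip_conntrack_ftp applies to MODE and can
# follow its data channel (plain), 1 if it cannot or is not applicable
# (ftps: control encrypted; sftp: single port, no helper), 2 for bad input.
helper_can_track() {
    case "$1" in
        plain) return 0 ;;
        ftps|sftp) return 1 ;;
        *) printf 'unknown mode: %s\n' "$1" >&2; return 2 ;;
    esac
}

# rules_for MODE: emit the rule set for one mode.
rules_for() {
    case "$1" in
        plain) plain_ftp_rules ;;
        sftp)  sftp_rules ;;
        ftps)  ftps_rules ;;
        *) printf 'unknown mode: %s\n' "$1" >&2; return 2 ;;
    esac
}

# Run with --show to print all three rule sets.
if [ "${1:-}" = "--show" ]; then
    for m in plain sftp ftps; do
        printf '# %s\n' "$m"; rules_for "$m"; printf '\n'
    done
fi
```

The FTPS rule set is the one to note: it accepts ESTABLISHED only, because with the control channel encrypted no RELATED expectation is ever created, and the hole for the data ports has to be sized by the server's configured passive range rather than learned per session.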


* Re: ftp and ssl
  2003-11-05  3:33   ` Stuart J. Browne
  2003-11-05  9:37     ` Maciej Soltysiak
@ 2003-11-05 22:26     ` Michael Klinteberg
  2003-11-05 23:59       ` Alistair Tonner
  2003-11-06  8:12       ` Maciej Soltysiak
  1 sibling, 2 replies; 9+ messages in thread
From: Michael Klinteberg @ 2003-11-05 22:26 UTC (permalink / raw)
  To: netfilter


----- Original Message ----- 
From: "Stuart J. Browne" <stuart@promed.com.au>
To: <netfilter@lists.netfilter.org>
Sent: Wednesday, November 05, 2003 4:33 AM
Subject: RE: ftp and ssl


>
>
> >-----Original Message-----
> >From: netfilter-admin@lists.netfilter.org
> >[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Ted Kaczmarek
> >Sent: Wednesday, 5 November 2003 13:03
> >To: Michael Klinteberg
> >Cc: netfilter@lists.netfilter.org
> >Subject: Re: ftp and ssl
> >
> >
> >Allow tcp port 443 :-)
> >
> >Ted
> >On Tue, 2003-11-04 at 09:36, Michael Klinteberg wrote:
> >> I need to set up ftp that uses ssl. I don't know if
> >ip_conntrack_ftp supports
> >> ssl. What are my options here?
> >> What do I need to know to setup the iptables rules/modules?
> >>
> >> Regards
> >> Michael
>
> Isn't 443 SSL over HTTP? :)
>
> By default, it looks as if netfilter only watches port 21, but you can
> pass it an option (called 'ports') of the ports you want to treat as FTP
> as well.
>
> How are you doing SSL FTP?

WS_FTP Server.

>
> Using ssh's sftp? This just uses standard ssh ports.
>
> SSL FTP client (does anybody use this?) I believe has the
> services entry of 'sftp' and is port 115.  I've not seen a production
> implementation of this though
>
> If using 'sftp' from the OpenSSH packages, there is no need for any
> conntrack helpers, as it all uses the same port.
>
> If using the latter however, given that the channel will be encrypted, I
> don't see how this conntrack would work at all.
>
> just my thoughts..
>


A lot of responses here :-) Still don't know what to do?
I could however set up rules that allow everything from the ftp client (me)
to the ftp server and then run tcpdump and see what's going on. Is this a
god approach?

/Michael K




* Re: ftp and ssl
  2003-11-05 22:26     ` Michael Klinteberg
@ 2003-11-05 23:59       ` Alistair Tonner
  2003-11-06  8:12       ` Maciej Soltysiak
  1 sibling, 0 replies; 9+ messages in thread
From: Alistair Tonner @ 2003-11-05 23:59 UTC (permalink / raw)
  To: Michael Klinteberg, netfilter

On November 5, 2003 05:26 pm, Michael Klinteberg wrote:
> ----- Original Message -----
> From: "Stuart J. Browne" <stuart@promed.com.au>
> To: <netfilter@lists.netfilter.org>
> Sent: Wednesday, November 05, 2003 4:33 AM
> Subject: RE: ftp and ssl
>
> > >-----Original Message-----
> > >From: netfilter-admin@lists.netfilter.org
> > >[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Ted Kaczmarek
> > >Sent: Wednesday, 5 November 2003 13:03
> > >To: Michael Klinteberg
> > >Cc: netfilter@lists.netfilter.org
> > >Subject: Re: ftp and ssl
> > >
> > >
> > >Allow tcp port 443 :-)
> > >
> > >Ted
> > >
> > >On Tue, 2003-11-04 at 09:36, Michael Klinteberg wrote:
> > >> I need to set up ftp that uses ssl. I don't know if
> > >
> > >ip_conntrack_ftp supports
> > >
> > >> ssl. What are my options here?
> > >> What do I need to know to setup the iptables rules/modules?
> > >>
> > >> Regards
> > >> Michael
> >
> > Isn't 443 SSL over HTTP? :)
> >
> > By default, it looks as if netfilter only watches port 21, but you can
> > pass it an option (called 'ports') of the ports you want to treat as FTP
> > as well.
> >
> > How are you doing SSL FTP?
>
> WS_FTP Server.
>
> > Using ssh's sftp? This just uses standard ssh ports.
> >
> > SSL FTP client (does anybody use this?) I believe has the
> > services entry of 'sftp' and is port 115.  I've not seen a production
> > implementation of this though
> >
> > If using 'sftp' from the OpenSSH packages, there is no need for any
> > conntrack helpers, as it all uses the same port.
> >
> > If using the latter however, given that the channel will be encrypted, I
> > don't see how this conntrack would work at all.
> >
> > just my thoughts..
>
> A lot of responses here :-) Still don't know what to do?
> I could however set up rules that allow everything from the ftp client (me)
> to the ftp server and then run tcpdump and see what's going on. Is this a
> god approach?
	
	I don't know that god would use that approach *grin* but it would be a start.
	
	you could use -j LOG to catalog what packets are being dropped.
	give me a few hours .. I've a friend with WS_FTP server running in 
	*cough* that other operating system, and he might have hints for me.
	
	If I get anything interesting I'll let the list know.

>
> /Michael K

-- 

	Alistair Tonner
	nerdnet.ca
	Senior Systems Analyst - RSS
	
     Any sufficiently advanced technology will have the appearance of magic.
	Lets get magical!

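Alistair's suggestion of a -j LOG rule, combined with Michael's plan to watch what the client actually does, gives a way to size the static hole for FTPS data connections from evidence instead of guesswork. The script below is an added example, not from the thread: it reads kernel log lines produced by a LOG rule, keeps only TCP SYNs from the FTPS client under the chosen prefix, and collapses the destination ports into the low:high form that --dport accepts. The log lines are constructed for this example, and the prefix 'FTPS-DROP: ' and all addresses are my assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: turn '-j LOG' output into the list of
# data ports an FTPS client actually tried, so the passive-range hole is sized
# from evidence.  Log lines are constructed; the prefix and addresses are
# assumptions of mine.

# The LOG rule that would produce such lines, placed just before the final DROP.
log_rule() {
    printf "iptables -A INPUT -p tcp --syn -j LOG --log-prefix 'FTPS-DROP: '\n"
}

# Constructed sample of what the kernel writes for that rule: three data-port
# attempts from the client, one unrelated host, one ICMP echo.
LOG_SAMPLE='Nov  5 18:02:11 gw kernel: FTPS-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40123 DPT=50042 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  5 18:02:15 gw kernel: FTPS-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40124 DPT=50007 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  5 18:02:20 gw kernel: FTPS-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40125 DPT=50042 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  5 18:02:22 gw kernel: FTPS-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  5 18:02:30 gw kernel: FTPS-DROP: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0'

# dropped_dpts PREFIX CLIENT < log: distinct TCP destination ports that SYNs
# from CLIENT hit under PREFIX, one per line, ascending.  Other hosts and
# non-TCP traffic are filtered out so unrelated noise cannot widen the range.
dropped_dpts() {
    grep -F "$1" | grep -F "SRC=$2 " | grep -F 'PROTO=TCP' | grep -F ' SYN ' |
        sed -n 's/.*DPT=\([0-9]*\).*/\1/p' | sort -n | uniq
}

# port_span < ports: collapse an ascending port list into the 'low:high' form
# iptables --dport accepts; prints nothing for empty input.
port_span() {
    awk 'NR == 1 { low = $1 } { high = $1 } END { if (NR) print low ":" high }'
}

# ftps_range PREFIX CLIENT: the whole pipeline run over the constructed sample.
# With a real log: dropped_dpts PREFIX CLIENT < /var/log/messages | port_span
ftps_range() {
    printf '%s\n' "$LOG_SAMPLE" | dropped_dpts "$1" "$2" | port_span
}
```

Run as `ftps_range FTPS-DROP 192.0.2.10` the sample yields 50007:50042, which is the range to compare against what the FTPS server claims to be configured for; a span much wider than the server's setting means something other than the data channel is being logged under that prefix.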


* Re: ftp and ssl
  2003-11-05 22:26     ` Michael Klinteberg
  2003-11-05 23:59       ` Alistair Tonner
@ 2003-11-06  8:12       ` Maciej Soltysiak
  1 sibling, 0 replies; 9+ messages in thread
From: Maciej Soltysiak @ 2003-11-06  8:12 UTC (permalink / raw)
  To: Michael Klinteberg; +Cc: netfilter

> A lot of responses here :-) Still don't know what to do?
> I could however set up rules that allow everything from the ftp client (me)
> to the ftp server and then run tcpdump and see what's going on. Is this a
> god approach?
Using tcpdump is always a good approach.

Regards,
Maciej



