* ftp and ssl
From: Michael Klinteberg @ 2003-11-04 14:36 UTC
To: netfilter

I need to set up ftp that uses ssl. I don't know if ip_conntrack_ftp supports
ssl. What are my options here?
What do I need to know to set up the iptables rules/modules?

Regards
Michael
* Re: ftp and ssl
From: Ted Kaczmarek @ 2003-11-05 3:03 UTC
To: Michael Klinteberg; +Cc: netfilter

Allow tcp port 443 :-)

Ted

On Tue, 2003-11-04 at 09:36, Michael Klinteberg wrote:
> I need to set up ftp that uses ssl. I don't know if ip_conntrack_ftp supports
> ssl. What are my options here?
> What do I need to know to set up the iptables rules/modules?
>
> Regards
> Michael
* RE: ftp and ssl
From: Stuart J. Browne @ 2003-11-05 3:33 UTC
To: netfilter

>-----Original Message-----
>From: netfilter-admin@lists.netfilter.org
>[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Ted Kaczmarek
>Sent: Wednesday, 5 November 2003 13:03
>To: Michael Klinteberg
>Cc: netfilter@lists.netfilter.org
>Subject: Re: ftp and ssl
>
>
>Allow tcp port 443 :-)
>
>Ted
>On Tue, 2003-11-04 at 09:36, Michael Klinteberg wrote:
>> I need to set up ftp that uses ssl. I don't know if
>ip_conntrack_ftp supports
>> ssl. What are my options here?
>> What do I need to know to set up the iptables rules/modules?
>>
>> Regards
>> Michael

Isn't 443 SSL over HTTP? :)

By default, it looks as if netfilter only watches port 21, but you can
pass it an option (called 'ports') of the ports you want to treat as FTP
as well.

How are you doing SSL FTP's?

Using ssh's sftp? This just uses standard ssh ports.

SSL FTP client (does anybody use this?) I believe has the
services entry of 'sftp' and is port 115. I've not seen a production
implementation of this though.

If using 'sftp' from the OpenSSH packages, there is no need for any
conntrack helpers, as it all uses the same port.

If using the latter however, given that the channel will be encrypted, I
don't see how this conntrack would work at all.

just my thoughts..
* RE: ftp and ssl
From: Maciej Soltysiak @ 2003-11-05 9:37 UTC
To: Stuart J. Browne; +Cc: netfilter

> Isn't 443 SSL over HTTP? :)
You can use SSL over anything. telnet over SSL is called ssh.

> SSL FTP client (does anybody use this?)
Sure, some people use this. (Not me, yet) It works like ftp or http -
requires exchanging an x.509 certificate and then goes on with an encrypted
connection.

> I believe has the services entry of 'sftp' and is port 115. I've not
> seen a production implementation of this though.
I have not been using that ssl ftp, but I am sure it is not sftp, nor
OpenSSH related.

> If using the latter however, given that the channel will be encrypted, I
> don't see how this conntrack would work at all.
If ftp-control is encrypted too, connection tracking is impossible.
And doing rewriting over nat even more impossible.

Regards,
Maciej
* RE: ftp and ssl
From: Marcin Kaminski @ 2003-11-05 10:10 UTC
To: Maciej Soltysiak; +Cc: Stuart J. Browne, netfilter

On Wed, 5 Nov 2003, Maciej Soltysiak wrote:
> > Isn't 443 SSL over HTTP? :)
> You can use SSL over anything.
Not quite, you can use almost anything over SSL rather than the reverse.

> telnet over SSL is called ssh.
No, it is not. SSH is also based on SSL but it is not just telnet over
SSL. Telnet over SSL is telnet over SSL.

> > SSL FTP client (does anybody use this?)
> Sure, some people use this. (Not me, yet) It works like ftp or http -
> requires exchanging an x.509 certificate and then goes on with an encrypted
> connection.
And it can be used to encrypt only the control stream, or both data and
control streams.

> I have not been using that ssl ftp, but I am sure it is not sftp, nor
> OpenSSH related.
And you are right :) I use the 'lftp' client to connect to SSL protected FTP.

> > If using the latter however, given that the channel will be encrypted, I
> > don't see how this conntrack would work at all.
> If ftp-control is encrypted too, connection tracking is impossible.
> And doing rewriting over nat even more impossible.
I'm not sure if one can encrypt only ftp-data. In the 'lftp' configuration
there is an option to optionally encrypt ftp-data, and ftp-control is
always encrypted when using SSL.

Latest draft about the topic is in:
http://www.ietf.org/internet-drafts/draft-murray-auth-ftp-ssl-12.txt

Regards
* RE: ftp and ssl
From: Maciej Soltysiak @ 2003-11-05 10:41 UTC
To: Marcin Kaminski; +Cc: Stuart J. Browne, netfilter

> > You can use SSL over anything.
>
> Not quite, you can use almost anything over SSL rather than the reverse.
You got me there.

> > telnet over SSL is called ssh.
>
> No, it is not. SSH is also based on SSL but it is not just telnet over
> SSL. Telnet over SSL is telnet over SSL.
Ok, that simplification went too far.

> > Sure, some people use this. (Not me, yet) It works like ftp or http -
> > requires exchanging an x.509 certificate and then goes on with an encrypted
> > connection.
>
> And it can be used to encrypt only the control stream, or both data and
> control streams.
So connection tracking is out of the question. However, the router could
act as a 'man in the middle' ssl proxy, and then it could decrypt
ftp-control and track these connections. Is there any software that
actually does that to aid netfilter?

> Latest draft about the topic is in:
> http://www.ietf.org/internet-drafts/draft-murray-auth-ftp-ssl-12.txt
So it's still a draft, no wonder I never got to reading that :)

> Regards
Regards,
Maciej
* Re: ftp and ssl
From: Michael Klinteberg @ 2003-11-05 22:26 UTC
To: netfilter

----- Original Message -----
From: "Stuart J. Browne" <stuart@promed.com.au>
To: <netfilter@lists.netfilter.org>
Sent: Wednesday, November 05, 2003 4:33 AM
Subject: RE: ftp and ssl

> >-----Original Message-----
> >From: netfilter-admin@lists.netfilter.org
> >[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Ted Kaczmarek
> >Sent: Wednesday, 5 November 2003 13:03
> >To: Michael Klinteberg
> >Cc: netfilter@lists.netfilter.org
> >Subject: Re: ftp and ssl
> >
> >
> >Allow tcp port 443 :-)
> >
> >Ted
> >On Tue, 2003-11-04 at 09:36, Michael Klinteberg wrote:
> >> I need to set up ftp that uses ssl. I don't know if
> >ip_conntrack_ftp supports
> >> ssl. What are my options here?
> >> What do I need to know to set up the iptables rules/modules?
> >>
> >> Regards
> >> Michael
>
> Isn't 443 SSL over HTTP? :)
>
> By default, it looks as if netfilter only watches port 21, but you can
> pass it an option (called 'ports') of the ports you want to treat as FTP
> as well.
>
> How are you doing SSL FTP's?

WS_FTP Server.

> Using ssh's sftp? This just uses standard ssh ports.
>
> SSL FTP client (does anybody use this?) I believe has the
> services entry of 'sftp' and is port 115. I've not seen a production
> implementation of this though
>
> If using 'sftp' from the OpenSSH packages, there is no need for any
> conntrack helpers, as it all uses the same port.
>
> If using the latter however, given that the channel will be encrypted, I
> don't see how this conntrack would work at all.
>
> just my thoughts..

A lot of responses here :-) Still don't know what to do?
I could however set up rules that allow everything from the ftp client (me)
to the ftp server and then run tcpdump and see what's going on. Is this a
god approach?

/Michael K
* Re: ftp and ssl
From: Alistair Tonner @ 2003-11-05 23:59 UTC
To: Michael Klinteberg, netfilter

On November 5, 2003 05:26 pm, Michael Klinteberg wrote:
> ----- Original Message -----
> From: "Stuart J. Browne" <stuart@promed.com.au>
> To: <netfilter@lists.netfilter.org>
> Sent: Wednesday, November 05, 2003 4:33 AM
> Subject: RE: ftp and ssl
>
> > >-----Original Message-----
> > >From: netfilter-admin@lists.netfilter.org
> > >[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Ted Kaczmarek
> > >Sent: Wednesday, 5 November 2003 13:03
> > >To: Michael Klinteberg
> > >Cc: netfilter@lists.netfilter.org
> > >Subject: Re: ftp and ssl
> > >
> > >
> > >Allow tcp port 443 :-)
> > >
> > >Ted
> > >
> > >On Tue, 2003-11-04 at 09:36, Michael Klinteberg wrote:
> > >> I need to set up ftp that uses ssl. I don't know if
> > >ip_conntrack_ftp supports
> > >> ssl. What are my options here?
> > >> What do I need to know to set up the iptables rules/modules?
> > >>
> > >> Regards
> > >> Michael
> >
> > Isn't 443 SSL over HTTP? :)
> >
> > By default, it looks as if netfilter only watches port 21, but you can
> > pass it an option (called 'ports') of the ports you want to treat as FTP
> > as well.
> >
> > How are you doing SSL FTP's?
>
> WS_FTP Server.
>
> > Using ssh's sftp? This just uses standard ssh ports.
> >
> > SSL FTP client (does anybody use this?) I believe has the
> > services entry of 'sftp' and is port 115. I've not seen a production
> > implementation of this though
> >
> > If using 'sftp' from the OpenSSH packages, there is no need for any
> > conntrack helpers, as it all uses the same port.
> >
> > If using the latter however, given that the channel will be encrypted, I
> > don't see how this conntrack would work at all.
> >
> > just my thoughts..
>
> A lot of responses here :-) Still don't know what to do?
> I could however set up rules that allow everything from the ftp client (me)
> to the ftp server and then run tcpdump and see what's going on. Is this a
> god approach?

I don't know that god would use that approach *grin* but it would be a
start. You could use -j LOG to catalog what packets are being dropped.

Give me a few hours .. I've a friend with WS_FTP server running in *cough*
that other operating system, and he might have hints for me. If I get
anything interesting I'll let the list know.

> /Michael K

--
Alistair Tonner
nerdnet.ca
Senior Systems Analyst - RSS

Any sufficiently advanced technology will have the appearance of magic.
Let's get magical!
* Re: ftp and ssl
From: Maciej Soltysiak @ 2003-11-06 8:12 UTC
To: Michael Klinteberg; +Cc: netfilter

> A lot of responses here :-) Still don't know what to do?
> I could however set up rules that allow everything from the ftp client (me)
> to the ftp server and then run tcpdump and see what's going on. Is this a
> god approach?
Using tcpdump is always a good approach.

Regards,
Maciej
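As an added example that is not part of the thread (nobody on the list posted rules), the script below puts the replies' two cases side by side on a netfilter router sitting between the client and the server: cleartext FTP, where ip_conntrack_ftp with the 'ports' option Stuart mentions tracks the data connection as RELATED, and FTP over SSL, where the encrypted control channel means no helper and no NAT rewriting can see the PASV reply, so the server's fixed passive port range has to be opened explicitly. It closes with the rate-limited -j LOG rule Alistair suggests instead of opening everything and watching tcpdump. The server address 192.0.2.10, the extra control port 2121 and the passive range 50000-50100 are hypothetical; it prints the commands by default and only executes them when DRYRUN is set to empty.

```shell
#!/bin/sh
# Added example for the netfilter thread on FTP and SSL; not code from the list.
# Assumed (hypothetical) values: FTP server 192.0.2.10, a second cleartext
# control port 2121, and an FTPS server pinned to the passive range 50000-50100.
# Dry run by default (prints the commands); run with DRYRUN= as root to apply.
DRYRUN="${DRYRUN-1}"
FTP_SERVER="${FTP_SERVER:-192.0.2.10}"
PASV_RANGE="${PASV_RANGE:-50000:50100}"

run() {
    # Print the command in dry-run mode, otherwise execute it.
    if [ -n "$DRYRUN" ]; then
        echo "$@"
    else
        "$@"
    fi
}

plain_ftp_rules() {
    # Cleartext FTP: ip_conntrack_ftp parses PORT/PASV on the control channel,
    # so the data connection is classified RELATED and needs no extra hole.
    # The helper watches port 21 by default; 'ports' adds further control
    # ports (2121 here is hypothetical).
    run modprobe ip_conntrack_ftp ports=21,2121
    run iptables -A FORWARD -p tcp -d "$FTP_SERVER" --dport 21 \
        -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -p tcp -d "$FTP_SERVER" --dport 2121 \
        -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

ftps_rules() {
    # FTP over SSL/TLS (explicit mode, control on 21; implicit-mode servers
    # listen on 990 instead): the control channel is encrypted, so neither the
    # helper nor NAT can read the PASV reply and data connections arrive as
    # NEW. Without a decrypting proxy the firewall-side fix is to pin the
    # server to a fixed passive range and open exactly that range.
    run iptables -A FORWARD -p tcp -d "$FTP_SERVER" --dport 21 \
        -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -p tcp -d "$FTP_SERVER" --dport "$PASV_RANGE" \
        -m state --state NEW -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

log_then_drop() {
    # Log what the policy rejects (rate-limited so a scan cannot flood syslog)
    # before the final DROP; the log lines show which port the client tried.
    run iptables -A FORWARD -m limit --limit 5/min \
        -j LOG --log-prefix "FWD-DROP: "
    run iptables -A FORWARD -j DROP
}

# MODE=plain selects the helper-based rules, anything else the FTPS rules.
case "${MODE:-ftps}" in
    plain) plain_ftp_rules ;;
    *)     ftps_rules ;;
esac
log_then_drop
```

Running it as `MODE=ftps sh ftp-rules.sh` shows the FTPS rule set without touching the firewall; the same rules applied for real are what replaces the "allow everything and tcpdump" experiment from the thread, and a grep for FWD-DROP in syslog then shows whether the client is trying a port outside the pinned passive range.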