Thank you,
I will check it. But is this the only possible solution?
SFTP I am using only for administration purposes (yeah, it is quite easy to set it up :-D) and it's better for me to make FTPS for customers and SFTP only for me.
2009/1/26 German Andres Pulido gpulido@gtscolombia.com:
Hello,
I am setting up the ProFTPd daemon (from the EPEL repository) under CentOS 5.2 and I need an encrypted connection. The daemon is configured perfectly, there is no problem: if iptables is off the connection is smoothly established, but when iptables is on, the connection in the FTP client ends on the command LIST without response. The last command with a (positive) response is PASV.
Thank you for your replies
Martin Šťastný
_______________________________________________
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Hi!
The issue is probably with the way FTP is handled. I see two possible solutions:
- Use the ip_conntrack_ftp module of iptables. What this does is make iptables aware that the FTP data connection should also be allowed, since it's related to the original one on port 21. Google for more info on it (and the exact module name).
- If you only need encrypted traffic, using SFTP makes sense. It only uses port 22 (it's a subsystem of SSH) and its encryption is very good.
Regards.
On Mon, Jan 26, 2009 at 06:48:15PM +0100, happymaster23 wrote:
Thank you,
I will check it. But is this the only possible solution?
SFTP I am using only for administration purposes (yeah, it is quite easy to set it up :-D) and it's better for me to make FTPS for customers and SFTP only for me.
I don't know that ip_conntrack_ftp would work with TLS encrypted FTP[1]. It wouldn't be able to "peer" into the FTP stream to determine the appropriate data ports to open on the firewall.
Your best bet would be to configure ProFTPD to use a predefined range of passive FTP ports and then just ensure those are opened via iptables.
Ray
[1] There are options here such as only encrypting the authentication portion of the connection or CCC, etc...
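Ray's suggestion of a fixed passive range in ProFTPD plus matching iptables rules, as an added example that is not from this thread: a POSIX sh check that the PassivePorts range in proftpd.conf is fully covered by an ACCEPT rule in iptables-save output. The config fragment and rule lines are constructed samples; PassivePorts, TLSEngine and TLSRequired are ProFTPD's real directives.

```shell
#!/bin/sh
# Added example (not from the thread). With TLS, ip_conntrack_ftp cannot
# read the PASV reply, so the passive range must be fixed in proftpd.conf
# and opened explicitly in iptables. All inputs below are constructed.

# Constructed proftpd.conf fragment: TLS required, fixed passive range.
PROFTPD_CONF='
TLSEngine      on
TLSRequired    on
PassivePorts   60000 60100
'

# Constructed iptables-save output for the matching firewall rules.
IPTABLES_RULES='
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 60000:60100 -j ACCEPT
'

# Print "low high" from the PassivePorts directive (nothing if absent).
passive_range() {
    printf '%s\n' "$1" | awk '$1 == "PassivePorts" { print $2, $3; exit }'
}

# Print "low high" for every "--dport low:high ... -j ACCEPT" rule.
iptables_ranges() {
    printf '%s\n' "$1" | awk '/-j ACCEPT/ {
        for (i = 1; i < NF; i++)
            if ($i == "--dport" && $(i + 1) ~ /^[0-9]+:[0-9]+$/) {
                split($(i + 1), r, ":"); print r[1], r[2]
            }
    }'
}

# Succeed only if one ACCEPT range covers the whole PassivePorts range.
# No PassivePorts at all fails too: PASV would then pick any high port.
firewall_covers_passive() {
    range=$(passive_range "$1")
    [ -n "$range" ] || return 1
    lo=${range% *}
    hi=${range#* }
    iptables_ranges "$2" | {
        while read -r rlo rhi; do
            [ "$rlo" -le "$lo" ] && [ "$rhi" -ge "$hi" ] && exit 0
        done
        exit 1
    }
}

firewall_covers_passive "$PROFTPD_CONF" "$IPTABLES_RULES" && echo "passive range is open"
```

On a live host you would feed it `cat /etc/proftpd.conf` and `iptables-save` instead of the constructed strings.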
happymaster23 wrote:
Thank you,
I will check it. But is this the only possible solution?
SFTP I am using only for administration purposes (yeah, it is quite easy to set it up :-D) and it's better for me to make FTPS for customers and SFTP only for me.
If you control the other end as well, why not use scp or rsync over ssh which are easier to script anyway?
You know, because I am too lazy. All users have the shell /sbin/nologin and all security things are set to only one account via SSH. I am normally providing FTP access for users and it is much easier to give them secured FTP than another method (SFTP) incompatible with FTP.
I have an idea: if I use the CentOS native FTP daemon (vsFTPd I think), will there be any change, or is there no sense in it?
Thank you very much