on /Fri Mar 2 02:34:21 EST 2012 /John R. Pierce wrote; >On 03/01/12 11:09 PM, Bob Hoffman wrote: >>/ vsftp works fine in regular mode, going to ssl I got issues. I get as />>/ far as 'directory listing' and it dies. It times out and disconnects. / >if you need secure file transfer, use sftp/scp, not ftp-over-ssl... >ftp-over-ssl is a mess. Well, I got it working but not sure I want to leave it that way.... 1- added these lines to vsftp.conf listen_port=5000 ftp_data_port=4999 pasv_min_port=5001 pasv_max_port=5100 (hopefully these ports are not used by anything._) commented out the line, diisabling it. #connect_from_port_20=YES The above lines solve the issue of the ssl getting kind of lost since the iptable module conntrack cannot quite grasp ssl dealings in this regard. These lines set specific ports to be used for, well, for whatever the heck vsftp needs all those ports for. The min/max could be lower I guess, but what the heck. IPTABLES required a nice bunch of junk too. -A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport 4999 -j ACCEPT -A INPUT -m state --state NEW,ESTABLISHED -m tcp -p tcp --dport 5000 -j ACCEPT -A INPUT -p tcp --dport 5001:5100 -j ACCEPT and of course you can kill the port 21 iptable listing as it will not work anymore. (could port 20 and 21 still be used? I guess so, did not test that). I wonder how safe that is to make such a huge hole in your firewall...? you can see where the numbers added in vsftp.conf correspond with the iptables set up. To finalize, here is the additions to the vsftp.conf file listen_port=5000 ftp_data_port=4999 pasv_min_port=5001 pasv_max_port=5100 ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=NO force_local_logins_ssl=NO ssl_tlsv1=YES ssl_sslv2=NO ssl_sslv3=NO rsa_cert_file=/etc/pki/tls/certs/vsftpd.pem ssl_ciphers=HIGH so there you have it, ssl over ftp with centos 6. Not sure how safe the whole 100 ports open thing is (you need ports to be open depending on number of users I guess, I am gonna lower it to 20 I think)