Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Firewall config for Explicit FTP over TLS
Posted: Wed May 03, 2017 6:14 am
I'm a bit confused as usual, and was hoping I could get some pointers.

On Plesk 12.5/Onyx boxes under CentOS 7 with ASL, customers are unable to use Explicit FTP over TLS. They can connect OK, but the FTP client will then time out trying to get a directory listing.

The behaviour customers experience is similar to what you'd expect if the client was trying to use "Active" FTP as opposed to PASV mode with normal FTP (not TLS/SSL).

In contrast, Explicit mode works perfectly for me, the difference being that my IP is allowed to access all ports through the ASL firewall, while customers can only access the usual 21, 80 etc.

From this, I'm assuming it is a firewall issue. But port 21 is open, and as far as I'm aware that's all that's needed for incoming. Implicit mode needs 990 but this is Explicit. We don't firewall outgoing ports.

Any ideas?

One thing to note is that this is a Virtuozzo Container, and there can be differences with IPTables and stateful inspection, although I've never encountered any issues with this until now.

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 Post subject: Re: Firewall config for Explicit FTP over TLS
Posted: Fri May 05, 2017 9:59 am
For passive FTP connections the server needs to open extra ports. This is normally done automatically on the fly by the ftp_conntrack firewall module. However, when FTP traffic is encrypted, it is impossible for the firewall to track the FTP connection. Thus, if you want to be able to use encrypted FTP with passive connections, you need to allow packets to the configured passive FTP ports beforehand.

_________________
Lemonbit Internet Dedicated Server Management
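
An added illustration of the explanation above (not part of the original posts, and not ASL or Plesk code): a simplified model of what a firewall's FTP tracking helper can read from the control channel in cleartext versus after AUTH TLS, and why a pre-opened passive range is then required. The passive range 49152-49407, the addresses and all sample bytes are constructed assumptions.

```python
import re

# Assumption: passive range configured on the FTP server and pre-opened
# in the firewall for encrypted sessions.
PASSIVE_RANGE = (49152, 49407)

# Constructed control-channel samples (not captured traffic).
PLAIN_PASV = b"227 Entering Passive Mode (203,0,113,10,192,44).\r\n"
PLAIN_EPSV = b"229 Entering Extended Passive Mode (|||49199|)\r\n"
# The same kind of reply after AUTH TLS: a TLS application-data record
# (type 0x17) carrying ciphertext; the payload bytes are arbitrary filler.
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(0x80, 0xA0))

_PASV = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
_EPSV = re.compile(rb"^229 .*?\(\|\|\|(\d+)\|\)")


def data_port_seen_by_firewall(control_bytes):
    """Return the data port a packet inspector can read, or None."""
    m = _PASV.match(control_bytes)
    if m:
        # PASV encodes the port as two decimal bytes: p1 * 256 + p2.
        return int(m.group(5)) * 256 + int(m.group(6))
    m = _EPSV.match(control_bytes)
    if m:
        return int(m.group(1))
    return None  # nothing parseable, so no dynamic pinhole can be opened


def data_connection_allowed(control_bytes, server_port, static_range=None):
    """Model the firewall decision for the client's data connection."""
    if data_port_seen_by_firewall(control_bytes) == server_port:
        return True  # helper learned the port and expects the connection
    if static_range and static_range[0] <= server_port <= static_range[1]:
        return True  # port falls inside the pre-opened passive range
    return False     # connection is dropped; the client's listing times out


if __name__ == "__main__":
    print(data_connection_allowed(PLAIN_PASV, 49196))                 # cleartext
    print(data_connection_allowed(TLS_RECORD, 49196))                 # TLS, no range
    print(data_connection_allowed(TLS_RECORD, 49196, PASSIVE_RANGE))  # TLS + range
```

The FTP server must be configured to hand out passive ports only from the same range that the firewall allows, otherwise encrypted sessions still fail intermittently.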


 Post subject: Re: Firewall config for Explicit FTP over TLS
Posted: Fri May 05, 2017 12:53 pm
Aha. Makes sense. Thank you again!
