| Summary: | iptables and passive ftp (vsftpd documentation update request) | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | BoyZonder <boyzonder> |
| Component: | New packages | Assignee: | Roy Marples (RETIRED) <uberlord> |
| Status: | RESOLVED UPSTREAM | | |
| Severity: | enhancement | CC: | jakub |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
BoyZonder
2006-05-28 08:03:15 UTC
It's even more complicated. In fact, pasv_min_port and pasv_max_port are very useful for SSL connections; ip_conntrack_ftp doesn't handle those and you need to open the passive port range in your firewall.

Ah, so maybe that's why TLS doesn't work on my vsftpd config :-)

If I understand correctly, pasv_min_port and pasv_max_port are mandatory when using SSL/TLS with passive FTP? And ip_conntrack_ftp is not needed in this case?

If this is the case, then my follow-up question is about the nature of the ports when doing passive FTP. Is it OK if just one port is used for multiple connections (e.g. pasv_min_port and pasv_max_port are the same)? I read somewhere that this is possible. And if that's true, does it also apply for passive FTP in combination with SSL/TLS?

Also, I was wondering whether there's a reason to go with SSL and not TLS, whether TLS should always be used, and whether it's wise to enable all of them (TLS, SSLv2 & SSLv3).

Anyway, I still feel it might be a good idea to explain some of this in the config or man file... that would save people a lot of guessing and frustration.

(In reply to comment #2)
> Ah, so maybe that's why TLS doesn't work on my vsftpd config :-)
>
> If I understand correctly, pasv_min_port and pasv_max_port are mandatory when
> using SSL/TLS with passive FTP? And ip_conntrack_ftp is not needed in this
> case?

No, not mandatory, but it makes it possible to limit the port range that must be opened in the firewall; otherwise you'll need to open everything from 1024 upwards. ip_conntrack_ftp is not useful for SSL/TLS; it cannot decode the FTP traffic.

And does the same apply when SSL/TLS is used only for login (encryption of username/password) and not for data transfer?

(In reply to comment #2)
> Is it OK if just one port is used for multiple
> connections (e.g. pasv_min_port and pasv_max_port are the same)? I read
> somewhere that this is possible.

No, that's a very bad idea. You need at least one port for each passive client, so if you allow 50 clients, e.g., you need 50 ports available at minimum.

However, bugzilla is a bad place to discuss this; direct your questions to forums.g.o. or #gentoo.

> Anyway, I still feel it might be a good idea to explain some of this in the
> config or man file... that would save people a lot of guessing and
> frustrations.

Sure, but such requests should go upstream; we didn't write vsftpd.

I don't think we need to update the default conf file with this. As Jakub says, report your issue upstream if you think the conf file should be updated.

Thanks
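Added example, not from the bug thread or from vsftpd: a POSIX shell script that reads pasv_min_port, pasv_max_port and max_clients from a vsftpd.conf, checks that the range holds at least one port per allowed client as the reply above describes, and prints the iptables rules that open only that range (needed when ip_conntrack_ftp cannot see inside TLS). The conntrack match, the temp-file sample configs and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): check a vsftpd passive range
# against max_clients and print the matching firewall rules.

# Print the last value of key $2 in conf file $1 (commented lines skipped).
vsftpd_get() {
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Print the size of the passive range and return 1 when it is smaller than
# max_clients, since each passive client needs its own data port.
# A missing max_clients is treated as 1 here (assumption for the check).
pasv_range_ok() {
    min=$(vsftpd_get "$1" pasv_min_port)
    max=$(vsftpd_get "$1" pasv_max_port)
    clients=$(vsftpd_get "$1" max_clients)
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "pasv_min_port/pasv_max_port not set" >&2
        return 1
    fi
    size=$((max - min + 1))
    echo "$size"
    [ "$size" -ge "${clients:-1}" ]
}

# Print rules admitting the control port and exactly the passive range,
# instead of opening everything above 1024.
pasv_iptables_rules() {
    min=$(vsftpd_get "$1" pasv_min_port)
    max=$(vsftpd_get "$1" pasv_max_port)
    echo "iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $min:$max -m conntrack --ctstate NEW -j ACCEPT"
}

# Constructed sample configs (not from the bug report): a 50-port range,
# once with 50 clients and once with 100.
CONF_OK=$(mktemp)
cat >"$CONF_OK" <<'EOF'
ssl_enable=YES
pasv_enable=YES
pasv_min_port=50000
pasv_max_port=50049
max_clients=50
EOF
CONF_SMALL=$(mktemp)
sed 's/^max_clients=.*/max_clients=100/' "$CONF_OK" >"$CONF_SMALL"

pasv_range_ok "$CONF_OK" >/dev/null && pasv_iptables_rules "$CONF_OK"
pasv_range_ok "$CONF_SMALL" >/dev/null || echo "range too small for max_clients" >&2
```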