On Thu, Feb 12, 2004 at 11:57:26AM +0200, Michael Wood wrote:
> On Wed, Feb 11, 2004 at 05:58:05PM +0100, Adam ENDRODI wrote:
> > I've got a site running proftpd that only serves files through
> > FTP-TLS. The setup works correctly for most cases, with two
> > notable exceptions:
> >
> > -- a colleague of mine has complained that he cannot login
> > if the Kerio net-sharing tool is active. He claimed
> > that no filtering rule was in effect. OS: W2k
>
> No idea about this one, unless this net-sharing tool does some sort of
> NAT and he's behind the box that's doing the sharing. Never heard of
> "Kerio net-sharing tool."

Kerio WinRoute is an all-in-one suite which is capable of filtering,
network address translating and can act as a proxy for various
protocols. (No ad intended) "net-sharing tool" is the term the
colleague applied to it.

> I'm not sure why it aborts before the authentication, but even if that
> worked, I don't see how anything that requires an ftp-data connection
> could work through a NAT box. I have never used FTP-TLS and have not
> read any RFCs related to it, but unless it works more like HTTP than
> FTP, it's not going to work through NAT.

It does. One of my test boxen is a Windows 98 and is behind two
firewalls and three levels of NAT (actually, masquerading). It works
the same way as "Firewall-friendly" (i.e. passive) FTP, though not
under any circumstances it seems, to my despair :(

> For normal FTP, the NAT box watches the FTP command channel and when it
> notices the PORT command or a reply from the PASV command, it sets up a
> rule for the data connection. When the command channel is encrypted it
> cannot do this.

The firewall does not need to watch the PASV command unless the
*server* is behind the NAT. For the client, it is unnecessary because
there is nothing in the PASV line to translate.

> It might be possible to install an FTP proxy on the NAT box and get the
> clients to connect to that, but they would have to find one that
> supports TLS.

Yes, there is a program called tlswrap which can do that exactly (we've
needed it previously as we hadn't found any graphical FTP client for
linux which is capable of doing FTP-TLS :-F). Perhaps we get them to
install it on their NAT box.

Thanks for sharing your thoughts.

bit,
adam

--
Am I a cleric?     | 1024D/37B8D989
Or maybe a sinner? | 954B 998A E5F5 BA2A 3622
Unbeliever?        |   82DD 54C2 843D 37B8 D989
Renegade?          | http://sks.dnsalias.net
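The point made above about passive mode, illustrated with an added example that is not part of the thread: the h1,h2,h3,h4,p1,p2 tuple in a 227 PASV reply names the *server's* address and port, so a NAT box in front of the client has nothing to rewrite and does not need to read the (encrypted) control channel; a PORT command, by contrast, carries the *client's* address, which is private behind NAT and would need rewriting. The two control-channel lines are constructed samples, and the helper names are this example's own.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample control-channel lines (not taken from the thread).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (198,51,100,7,195,80)"
SAMPLE_PORT_CMD = "PORT 192,168,1,20,14,220"

# RFC 959 encodes address and port as six decimal octets: h1,h2,h3,h4,p1,p2.
_TUPLE = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"

# RFC 1918 ranges: an address from these behind a NAT box would need rewriting.
_RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hostport(line):
    """Return (ip, port) from a PASV reply or a PORT command."""
    m = re.search(_TUPLE, line)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % line)
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range in: %r" % line)
    ip = ".".join(str(o) for o in octets[:4])
    port = (octets[4] << 8) | octets[5]   # p1 is the high byte, p2 the low byte
    return ip, port


def data_connection(line):
    """Describe the ftp-data connection a control-channel line implies.

    Returns (direction, ip, port, needs_nat_rewrite). For a 227 reply the
    client dials the server, so the embedded address is the server's; for
    PORT the server dials back to the client. needs_nat_rewrite is True
    only when the embedded address is RFC 1918, i.e. the host that
    advertised it sits behind NAT and a NAT box would have to rewrite it.
    """
    ip, port = parse_hostport(line)
    stripped = line.lstrip()
    if stripped.startswith("227"):
        direction = "client->server"
    elif stripped.upper().startswith("PORT"):
        direction = "server->client"
    else:
        raise ValueError("not a PASV reply or PORT command: %r" % line)
    needs_rewrite = any(ip_address(ip) in net for net in _RFC1918)
    return direction, ip, port, needs_rewrite


if __name__ == "__main__":
    for sample in (SAMPLE_PASV_REPLY, SAMPLE_PORT_CMD):
        print(sample, "->", data_connection(sample))
```

With a public server address the PASV case reports no rewrite needed, which is why the client behind three levels of masquerading in the thread can still work in passive mode.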