You guys are confusing Ruud.

Bottom line … FTP is not encrypted.

Yes, you can use SFTP (aka FTP over SSH) but then pay attention to what you are 
doing … you’re creating access for ONE service, “SFTP”, through your Firewall. 
What about all the other services (WWW? NFS? SAMBA? LDAP? And yes, Gopher?). Are 
you going to enable access for each one of those in your Firewall? That seems 
like a lot of work to create and maintain.

A VPN tunnel is “ONE service” that creates an encrypted connection between two 
endpoints, “your originating device” and “the destination network” AND it 
enables other services (unencrypted services like FTP, or Gopher or whatever) 
to use this tunnel and benefit from the encryption the VPN provides.

Said another way … your originating device can be “anywhere”, and after 
establishing a VPN connection to your destination network, your originating 
device IP becomes an IP on your VPN destination network. 

Said a 3rd way … I have a network at my Home that I trust. When I go off to my 
coffee shop to work for a “change of scenery”, I open up a VPN connection to my 
Home network and now my device at the coffee shop claims an IP from my Home 
network. It’s as if I am physically located at my Home, except, I’m at the 
Coffee shop.

Using this VPN, any services I use on this Home network, like FTP, or NFS or 
Samba are ENCRYPTED all the way home, then past the endpoint are happening 
unencrypted on a single network, my Home network. In fact, they NEED to be 
unencrypted at HOME, because that’s the way they work.

You get it?

You might be wondering “what’s the endpoint?” For a VPN there are TWO 
endpoints. Your ORIGINATING endpoint (or IP), which can be variable based on 
where you are physically when you initiate your VPN connection (coffee shop, 
mall, whatever) and your DESTINATION endpoint which is Always the same. It’s 
the IP destination for your VPN connection. (PRO TIP: I also use a non-standard 
port for my VPN, in the 40K+ range. So anybody who’s trying to snoop has a lot 
of ports to check.)

If you’ve never set up a VPN before, these terms might be confusing. I know they 
were confusing for me. It took me a month to properly figure out how to set up 
my first VPN and explore the limits of this new functionality. I encourage you 
to check out WireGuard. Don’t use IPsec or OpenVPN. They suck! I can list many 
reasons WHY they suck. 

I hope this helps a little.

Bill

> On Mar 16, 2022, at 11:34 AM, Ruud Baart <r.j.ba...@prompt.nl> wrote:
> 
> 
> Hi, 
> 
> I can find quite a lot of documentation concerning an FTP server. But I don't 
> find the way to do it.
> 
> My situation:
> 
>     Internet <--> Firewall <--> FTP server
> 
> Firewall and FTP server are Debian 11 and I use the latest shorewall.
> 
> The Firewall has three public IP addresses, the FTP server has no public IP 
> address. Firewall and FTP server are connected to a private 172.23.10.0/24 
> network.
> 
> This setup is new but in fact a replica of the existing situation (I'm moving 
> to a new hosting party). In the existing situation and new situation all 
> works fine (Debian 10) as long as I don't use a certificate. This is the DNAT 
> rule I use:
> 
> SECTION NEW
> FTP(DNAT)   wan1  lan1:$FTP_INT -  -  - $FTP_EXT
> 
> where $FTP_INT and $FTP_EXT are the internal and external IP addresses of the 
> FTP server.
> 
> As said, it works fine as long as I don't use a certificate. With a TLS 
> connection FileZilla reports:
> 
>     Status:    Server sent passive reply with unroutable address. Using 
> server address instead.
> 
> I can log in; the problem must be related to data on port tcp/20. Can someone 
> help me and tell me what I'm doing wrong or what I'm missing? Probably 
> something with a helper.
> 
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
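The FileZilla message Ruud quotes is the client-side symptom of a NAT problem that the kernel's FTP conntrack helper cannot fix once the control channel is encrypted: the server's 227 reply still carries its private 172.23.10.x address, and nothing on the path can see or rewrite it. The following added example (not code from the Shorewall project, from FileZilla, or from anyone in this thread) parses a passive-mode reply, shows the address rewrite the helper performs on a plaintext control channel, and shows the fallback a client applies when the advertised address is unroutable. All addresses are constructed: 172.23.10.5 stands in for $FTP_INT and 203.0.113.10 for $FTP_EXT.

```python
"""Passive-mode FTP behind NAT: what the conntrack helper normally rewrites,
and what a client does when the advertised address is unroutable.

Added example, not code from Shorewall, FileZilla, or anyone in this thread.
Addresses are constructed: 172.23.10.5 stands in for $FTP_INT on the
172.23.10.0/24 network and 203.0.113.10 for $FTP_EXT.
"""
import ipaddress
import re

# Ranges a remote Internet client cannot reach directly (RFC 1918 plus
# loopback, link-local and "this" network). A PASV reply pointing here is
# useless to an outside client.
UNROUTABLE_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")
]

# RFC 959 reply format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# where the data port is p1*256 + p2.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 reply; ValueError if malformed."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def is_unroutable(host):
    """True if an outside client could not open a connection to this address."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in UNROUTABLE_NETS)


def rewrite_pasv(reply, public_ip):
    """What the kernel FTP NAT helper does on a *plaintext* control channel:
    substitute the firewall's public address for the server's private one
    (and expect the data connection on that port). With AUTH TLS the helper
    sees only ciphertext, so this rewrite never happens and the client
    receives the private address unchanged."""
    host, port = parse_pasv(reply)
    public = str(ipaddress.IPv4Address(public_ip))  # validates the input
    old = "(%s,%d,%d)" % (host.replace(".", ","), port // 256, port % 256)
    new = "(%s,%d,%d)" % (public.replace(".", ","), port // 256, port % 256)
    if old not in reply:
        raise ValueError("cannot locate address tuple in %r" % reply)
    return reply.replace(old, new, 1)


def choose_data_endpoint(reply, control_peer):
    """Client-side fallback, i.e. what FileZilla's 'Server sent passive reply
    with unroutable address. Using server address instead.' means: ignore an
    unroutable advertised host and reuse the address the control connection
    already reached. Returns (host, port, fell_back)."""
    host, port = parse_pasv(reply)
    if is_unroutable(host) and not is_unroutable(control_peer):
        return control_peer, port, True
    return host, port, False


if __name__ == "__main__":
    # Constructed server reply, exactly as an outside client sees it over TLS.
    reply = "227 Entering Passive Mode (172,23,10,5,195,80)"
    print("advertised:", parse_pasv(reply))
    print("helper would send (plaintext only):", rewrite_pasv(reply, "203.0.113.10"))
    print("client uses:", choose_data_endpoint(reply, "203.0.113.10"))
```

The fallback only gets the client as far as the firewall's public address; the data port (50000 in the constructed reply) must still be DNATed to the server. Because the helper cannot open that port dynamically when the control channel is encrypted, the usual approach for FTPS behind NAT is to give the FTP server a fixed passive port range (and have it advertise the external address), then forward that range to $FTP_INT alongside port 21. Note that passive data connections land in that range, not on tcp/20, which is only the server's source port for active-mode transfers.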