You guys are confusing Ruud. Bottom line … FTP is not encrypted.
Yes, you can use SFTP (aka FTP over SSH) but then pay attention to what you are doing … you’re creating access for ONE service, “SFTP”, thru your Firewall. What about all the other services (WWW? NFS? SAMBA? LDAP? And yes, Gopher?) Are you going to enable access for each one of those in your Firewall? That seems like a lot of work to create and maintain. A VPN tunnel is “ONE service” that creates an encrypted connection between two endpoints, “your originating device” and “the destination network” AND it enables other services (unencrypted services like FTP, or Gopher or whatever) to use this tunnel and benefit from the encryption the VPN provides. Said another way … your originating device can be “anywhere”, and after establishing a VPN connection to your destination network, your originating device IP becomes an IP on your VPN destination network. Said a 3ʳᵈ way … I have a network at my Home that I trust. When I go off to my coffee shop to work for a “change of scenery”, I open up a VPN connection to my Home network and now my device at the coffee shop claims an IP from my Home network. It’s as if I am physically located at my Home, except, I’m at the Coffee shop. Using this VPN, any services I use on this Home network, like FTP, or NFS or Samba are ENCRYPTED all the way home, then past the endpoint are happening unencrypted on a single network, my Home network. In fact, they NEED to be unencrypted at HOME, because that’s the way they work. You get it? You might be wondering “what’s the endpoint?” For a VPN there are TWO endpoints. Your ORIGINATING endpoint (or IP), which can be variable based on where you are physically when you initiate your VPN connection (coffee shop, mall, whatever) and your DESTINATION endpoint which is Always the same. It’s the IP destination for your VPN connection. (PRO TIP: I also use a non-standard port for my VPN, in the 40K+ range. So anybody who’s trying to snoop has a lot of ports to check) If you’ve never setup a VPN before these terms might be confusing. I know they were confusing for me. It took me a month to properly figure out how to setup my first VPN and explore the limits of this new functionality. I encourage you to check out WireGuard. Don’t use IPSec or OpenVPN. They suck! I can list many reasons WHY they suck. I hope this helps a little. Bill Sent from my iPhone > On Mar 16, 2022, at 11:34 AM, Ruud Baart <r.j.ba...@prompt.nl> wrote: > > > Hi, > > I can find quite a lot of documentation concerning a FTP server. But I don't > find the way to do it. > > My situation: > > Internet <--> Firewall <--> FTP server > > Firewall and FTP server are Debian 11 and I use the latest shorewall. > > The Firewall has three public IP addresses, FTP server had no public IP > address. Firewall and FTP server are connected to a private 172.23.10.0/24 > network. > > This setup is new but in fact a replica of the existing situation (I'm moving > to a new hosting party). In the existing situation and new situation all > works fine (Debian 10) as long as I don't use a certificate. This is the DNAT > rule I use: > > SECTION NEW > FTP(DNAT) wan1 lan1:$FTP_INT - - - $FTP_EXT > > where $FTP_INT and $FTP_EXT the internal and external IP addresses are of the > FTPserver. > > As said, works fine as long as I don't use a certificate. With TLS connection > Filezilla: > > Status: Server sent passive reply with unroutable address. Using > server address instead. > > I can login, problem must be related to data on port tcp/20. Can someone help > me and tell me what I'm doing wrong or what I'm missing. Probably something > with a helper. > > _______________________________________________ > Shorewall-users mailing list > Shorewall-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/shorewall-users
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
