FTP over SSL fails with VPN-1/FireWall-1

FTP over SSL is specified in RFC 2228 (FTP Security Extensions).
Firewalls do not normally pass FTP connections encrypted with SSL, commonly referred to as FTP over SSL. The reason is simple: the FTP control connection is encrypted, so the firewall cannot inspect it. VPN-1/FireWall-1 never sees the PORT and PASV exchange and therefore cannot predict the ports the FTP over SSL session will use for data. Some people have been able to get this to work by simply applying the fix described in FTPAndNewlines, assuming the ports used are the standard TCP port 21 for control and 20 for data.
Some variants of FTP over SSL operate on different ports, using port 990 for control and port 989 for data. In this case, you simply need to create the following TCP services:
- ftp-ssl-control: port 990
- ftp-ssl-data: port number ">1024" (greater than 1024), source port 989
In other words, ftp-ssl-data accepts a connection to any TCP high port (destination port above 1024) provided the source port is 989, which is how the server opens an active-mode data connection back to the client. The rulebase to permit access looks like the following:

    Source       Destination   Service           Action
    ftp-client   ftp-server    ftp-ssl-control   accept
    ftp-server   ftp-client    ftp-ssl-data      accept

Note that the second rule matches on the source port alone, so anything on ftp-server that can bind port 989 can reach any high port on ftp-client; there is no way for the firewall to tie the data connection to a live control session.
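To make the two points above concrete, here is an added Python model (not FireWall-1 code and not part of the original FAQ). It shows what an FTP inspector does on a plaintext control channel (parse PORT and predict the data endpoint) and why that fails once the channel is encrypted, and it evaluates the static ftp-ssl-control/ftp-ssl-data rulebase against sample connections. It also goes one step beyond the text: because the data rule only covers connections from server port 989 to a client high port, a passive-mode data connection (client to a server high port) matches nothing and is dropped. The host names, addresses and TLS bytes are constructed for the example.

```python
"""Model of how a stateful firewall sees plain FTP versus FTP over SSL, and of
the two-rule FTP-over-SSL rulebase (ftp-ssl-control / ftp-ssl-data).
Added illustration only: this is not FireWall-1 code, and the hosts,
addresses and TLS bytes below are constructed for the example."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed topology: the two hosts named in the rulebase.
FTP_CLIENT = "10.1.1.5"      # hypothetical ftp-client
FTP_SERVER = "192.0.2.10"    # hypothetical ftp-server

# RFC 959 PORT command: "PORT h1,h2,h3,h4,p1,p2" announces a data endpoint of
# h1.h2.h3.h4 on TCP port p1*256 + p2.
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n$"
)


def predict_data_endpoint(control_line: bytes):
    """What a plaintext FTP inspector does: read the PORT command off the
    control channel and return the (host, port) the server will connect to.
    Returns None when the line is not a parseable PORT command, which is the
    permanent state of affairs on an SSL-encrypted control channel: the
    firewall sees TLS records, not FTP commands."""
    m = PORT_RE.match(control_line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Service:
    """A TCP service object: destination port range plus an optional
    source-port restriction, like the two services defined above."""
    name: str
    dst_ports: range
    src_ports: Optional[range] = None

    def matches(self, src_port: int, dst_port: int) -> bool:
        if dst_port not in self.dst_ports:
            return False
        return self.src_ports is None or src_port in self.src_ports


FTP_SSL_CONTROL = Service("ftp-ssl-control", range(990, 991))
# destination ">1024", source port 989
FTP_SSL_DATA = Service("ftp-ssl-data", range(1025, 65536), range(989, 990))

# (source, destination, service, action), in rulebase order
RULEBASE = [
    (FTP_CLIENT, FTP_SERVER, FTP_SSL_CONTROL, "accept"),
    (FTP_SERVER, FTP_CLIENT, FTP_SSL_DATA, "accept"),
]


def first_match(src_ip: str, dst_ip: str, src_port: int, dst_port: int):
    """First-match evaluation of RULEBASE; anything unmatched falls through
    to the implicit drop."""
    for src, dst, svc, action in RULEBASE:
        if src_ip == src and dst_ip == dst and svc.matches(src_port, dst_port):
            return svc.name, action
    return None, "drop"


if __name__ == "__main__":
    # Plaintext FTP: the inspector reads PORT and knows where the data connection goes.
    print(predict_data_endpoint(b"PORT 10,1,1,5,4,1\r\n"))                 # ('10.1.1.5', 1025)
    # Constructed TLS application-data record: the same inspector has nothing to parse.
    print(predict_data_endpoint(b"\x17\x03\x01\x00\x20" + b"\x8a" * 32))   # None

    # FTP over SSL on 990/989 against the static rulebase:
    print(first_match(FTP_CLIENT, FTP_SERVER, 40000, 990))    # ('ftp-ssl-control', 'accept')
    print(first_match(FTP_SERVER, FTP_CLIENT, 989, 40001))    # ('ftp-ssl-data', 'accept')
    print(first_match(FTP_CLIENT, FTP_SERVER, 40002, 50000))  # (None, 'drop'): passive-mode data
```

The model deliberately has no connection tracking: the data rule is accepted or dropped purely on addresses and ports, which is exactly the limitation the rulebase above lives with.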
Note that in no case will FTP over SSL be supported with Hide Network Address Translation (NAT). FireWall-1 cannot see the control portion of the connection, so it cannot rewrite ("munge") the addresses and ports carried inside it, which Hide NAT requires. It can be made to work with Static NAT, which translates addresses one-to-one and leaves the ports alone.
--
PhoneBoy - 16 Jan 2004