  1. #1 (Just Joined! Join Date: Aug 2005, Posts: 1)

    vsftpd: SSL/NAT prob


    Hi all,

    I installed a vsftpd server on a debian (from the .deb source). The server is behind a NAT enabled cisco router with a dialer interface - no fixed ip.

    From within the LAN there's no problem authenticating and listing dirs when using SSL. From outside however it's a no-go - the client hangs when entering passive mode. But as soon as I disable SSL encryption I can connect from outside. (In any case the SSL certificates are accepted though.)

    Messing around with port forwarding (e.g. all ports to server) and explicitly specifying passive mode options in the vsftpd.conf file doesn't help.

    What exactly is the relation between passive mode and data encryption over NAT?

    Maybe a copy of my present .conf file is useful:

    listen=YES
    anonymous_enable=NO
    local_enable=YES
    dirmessage_enable=YES
    chroot_local_user=YES
    ls_recurse_enable=YES
    secure_chroot_dir=/var/run/vsftpd
    pam_service_name=vsftpd
    ssl_enable=YES
    allow_anon_ssl=NO
    force_local_data_ssl=NO
    force_local_logins_ssl=NO
    ssl_tlsv1=YES
    ssl_sslv2=YES
    # tried ssl_sslv2=NO too
    ssl_sslv3=YES
    # tried ssl_sslv3=NO too
    rsa_cert_file=/usr/local/ssl/certs/vsftpd.pem
    #pasv_enable=YES
    #pasv_min_port=40000
    #pasv_max_port=50000

    Thanks for the read,

    Nicolas

  2. #2 (Just Joined! Join Date: Feb 2006, Location: Nova Scotia, Posts: 1)

    vsftpd /ssl /NAT problem

    Here's what I think is going on. In order for NAT to work, the firewall has to inspect the contents of incoming TCP packets. By implementing TLS encryption, you prevent this and I think this screws up ip_conntrack_ftp or its equivalent.

    I haven't yet figured out a workaround for this, but I've only been playing with vsftp/TLS for two days.

    Marcus

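As an added illustration (not code from either poster), here is a small Python model of what an FTP NAT helper such as ip_conntrack_ftp does with the control channel: it scans for the server's `227 Entering Passive Mode` reply, extracts the advertised data endpoint, and rewrites or pinholes it; once the control channel is inside TLS it sees only ciphertext, so nothing is rewritten and the client tries to reach the server's private LAN address directly, which is why the session hangs at passive mode. The control-channel byte strings below are constructed samples.

```python
import re
import ipaddress
from typing import Optional, Tuple

# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)" with port = p1*256 + p2.
PASV_RE = re.compile(rb"227 [^\r\n]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(control_data: bytes) -> Optional[Tuple[str, int]]:
    """Mimic an FTP NAT helper: find a 227 reply in control-channel bytes and
    return the (host, port) the server advertised for the data connection.
    Returns None when no readable reply is present (e.g. TLS ciphertext)."""
    m = PASV_RE.search(control_data)
    if not m:
        return None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (a, b, c, d, p1, p2)):
        return None  # malformed reply; a helper must not act on it
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def nat_helper_decision(control_data: bytes) -> str:
    """What the NAT box can do with this control-channel traffic."""
    endpoint = parse_pasv_reply(control_data)
    if endpoint is None:
        return "opaque: no 227 seen, no address rewrite, no pinhole opened"
    host, port = endpoint
    if ipaddress.ip_address(host).is_private:
        # Plaintext case: helper rewrites the LAN address to the public one
        # and opens a temporary pinhole for the data port.
        return f"rewrite: map private {host}:{port} to public address, open pinhole for port {port}"
    return f"passthrough: public {host}:{port}, open pinhole for port {port}"


# Constructed plaintext control channel: vsftpd advertises its LAN address
# and port 40000 (156*256 + 64), i.e. the bottom of the pasv_min_port range.
PLAIN_CONTROL = (b"230 Login successful.\r\n"
                 b"227 Entering Passive Mode (192,168,1,10,156,64).\r\n")

# Constructed stand-in for the same exchange after AUTH TLS: the helper only
# sees TLS records, so the 227 reply is invisible to it.
TLS_CONTROL = b"\x17\x03\x01\x00\x2a" + bytes(range(42))

if __name__ == "__main__":
    print(nat_helper_decision(PLAIN_CONTROL))
    print(nat_helper_decision(TLS_CONTROL))
```

The practical consequence is that with TLS on the control channel the server itself has to advertise a reachable endpoint: vsftpd's `pasv_address` option plus a fixed `pasv_min_port`/`pasv_max_port` range forwarded on the router, with `pasv_address` kept current when the dialer interface changes address.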