#1 - 08-26-2005 - Just Joined! (Join Date: Aug 2005, Posts: 1)
vsftpd: SSL/NAT prob
Hi all,
I installed a vsftpd server on a Debian box (from the .deb source). The server is behind a NAT-enabled Cisco router with a dialer interface, so there is no fixed IP.
From within the LAN there's no problem authenticating and listing directories when using SSL. From outside, however, it's a no-go: the client hangs when entering passive mode. But as soon as I disable SSL encryption I can connect from outside. (In any case the SSL certificates are accepted.)
Messing around with port forwarding (e.g. forwarding all ports to the server) and explicitly specifying the passive mode options in the vsftpd.conf file doesn't help.
What exactly is the relation between passive mode and data encryption over NAT?
Maybe a copy of my present .conf file is useful:
listen=YES
anonymous_enable=NO
local_enable=YES
dirmessage_enable=YES
chroot_local_user=YES
ls_recurse_enable=YES
secure_chroot_dir=/var/run/vsftpd
pam_service_name=vsftpd
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
# tried the next two with NO as well
ssl_sslv2=YES
ssl_sslv3=YES
rsa_cert_file=/usr/local/ssl/certs/vsftpd.pem
#pasv_enable=YES
#pasv_min_port=40000
#pasv_max_port=50000
Thanks for the read,
Nicolas
#2 - 02-19-2006 - Just Joined! (Join Date: Feb 2006, Location: Nova Scotia, Posts: 1)
vsftpd /ssl /NAT problem
Here's what I think is going on. In order for NAT to work, the firewall has to inspect the contents of incoming TCP packets. By implementing TLS encryption, you prevent this, and I think this screws up ip_conntrack_ftp or its equivalent.
I haven't yet figured out a workaround for this, but I've only been playing with vsftpd/TLS for two days.
Marcus
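The mechanism behind both posts, as an added example that is not part of either post: a NAT router's FTP helper (ip_conntrack_ftp/ip_nat_ftp on Linux, the equivalent inspection on a Cisco box) reads the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply on the control channel, rewrites the private address to the public one and opens a pinhole for port p1*256+p2. Once the control channel is wrapped in TLS, the helper only sees opaque record bytes, so nothing is rewritten and nothing is opened, and the client's data connection hangs. The code below re-implements that helper logic on constructed samples and then lints a vsftpd.conf for the two settings that take over the helper's job: a pinned passive port range (forwarded statically on the router) and pasv_address so the server advertises the public address itself. The hostname ftp.example.net, the public address 203.0.113.7 and the port range are assumptions; pasv_address and pasv_addr_resolve are vsftpd.conf options, but whether your vsftpd build has pasv_addr_resolve depends on its version, so check its vsftpd.conf(5).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the 227 reply as a NAT helper sees it on a plaintext
# control channel. Server's LAN address is 192.168.1.10, port 156*256+64 = 40000.
PLAINTEXT_PASV_REPLY = b"227 Entering Passive Mode (192,168,1,10,156,64)\r\n"

# Constructed TLS application-data record (type 0x17, version 3.1, 16 opaque
# payload bytes) standing in for the same reply on an encrypted control channel.
TLS_APPDATA_RECORD = b"\x17\x03\x01\x00\x10" + bytes.fromhex("9b2e41c7d0f35a8816e3b47c2d9af150")

PASV_RE = re.compile(rb"227 [^\r\n]*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(data: bytes) -> Optional[Tuple[str, int]]:
    """What ip_conntrack_ftp does: locate a 227 reply and extract the data
    address and port. Returns None when there is nothing parseable, which is
    all the helper ever gets once the control channel is TLS-encrypted."""
    m = PASV_RE.search(data)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def nat_rewrite_pasv(data: bytes, private_ip: str, public_ip: str) -> Tuple[bytes, Optional[int]]:
    """What a NAT FTP helper (e.g. ip_nat_ftp) does on the way out: rewrite the
    private address in the 227 reply to the router's public address and return
    the port that must be pinholed for the client's incoming data connection.
    Unparseable traffic passes through untouched and no port is opened."""
    parsed = parse_pasv_reply(data)
    if parsed is None or parsed[0] != private_ip:
        return data, None
    _, port = parsed
    tail = f",{port // 256},{port % 256}"
    old = (private_ip.replace(".", ",") + tail).encode()
    new = (public_ip.replace(".", ",") + tail).encode()
    return data.replace(old, new), port


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Minimal vsftpd.conf reader: one key=value per line, '#' lines ignored."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_passive_over_nat(text: str) -> List[str]:
    """Flag the settings that matter once TLS stops the NAT helper from reading
    or rewriting the 227 reply. vsftpd's defaults are pasv_enable=YES and
    pasv_min_port=pasv_max_port=0 (any port)."""
    conf = parse_vsftpd_conf(text)
    findings: List[str] = []
    if conf.get("ssl_enable", "NO").upper() != "YES":
        return findings  # plaintext control channel: the helper can still do its job
    if conf.get("pasv_enable", "YES").upper() == "NO":
        return findings  # no passive mode, nothing to pin
    if conf.get("pasv_min_port", "0") == "0" or conf.get("pasv_max_port", "0") == "0":
        findings.append("pasv_min_port/pasv_max_port unset: data ports are random and the "
                        "router cannot learn them from an encrypted control channel; "
                        "pin a range and forward it statically to the server")
    if "pasv_address" not in conf:
        findings.append("pasv_address unset: the 227 reply carries the LAN address and NAT "
                        "can no longer rewrite it; advertise the public address "
                        "(pasv_addr_resolve=YES with a hostname when the IP is dynamic)")
    return findings


# Constructed from the configuration posted above (passive lines commented out).
POSTED_CONF = """
listen=YES
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
ssl_enable=YES
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
rsa_cert_file=/usr/local/ssl/certs/vsftpd.pem
#pasv_enable=YES
#pasv_min_port=40000
#pasv_max_port=50000
"""

# Same server with the passive settings pinned; hostname and range are assumed.
FIXED_CONF = POSTED_CONF + """
pasv_enable=YES
pasv_min_port=40000
pasv_max_port=40010
# forward TCP 40000-40010 (and 21) on the router to 192.168.1.10
pasv_address=ftp.example.net
pasv_addr_resolve=YES
"""
```

With the plaintext reply the helper returns the rewritten 227 line and port 40000 to pinhole; with the TLS record it returns the bytes unchanged and no port, which is exactly the hang described in the first post. The lint reports two findings for the posted configuration and none for the fixed one. Note that a pinned range only helps if the router forwards that whole range to the server; the NAT helper is no longer creating pinholes on demand, so the forwarding has to be static.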