vsftpd: SSL/NAT prob
I installed a vsftpd server on a debian (from the .deb source). The server is behind a NAT enabled cisco router with a dialer interface - no fixed ip.
from within the LAN there's no problem authenticating and listing dirs when using SSL. From outside however it's a no go - the client hangs when entering passive mode. But as soon as I disable SSL encryption I can connect from outside. (In any case the SSL certificates are accepted though)
Messing around with port forwarding (e.g. all ports to server) and explicitly specifying passive mode options in the vsftpd.conf file doesn't help.
What exactly is the relation between passive mode and data encryption over NAT?
Maybe a copy of my present .conf file is useful:
ssl_sslv2=YES (tried with "no" too)
ssl_sslv3=YES (tried with "no" too)
Thanks for the read,
vsftpd /ssl /NAT problem
Here's what I think is going on. In order for NAT to work, the firewall has to inspect the contents of incoming TCP packets. By implementing TLS encryption, you prevent this and I think this screws up ip_conntrack_ftp or it's equivalent.
I haven't yet figured out a workaround for this, but I've only been playing with vsftp/TLS for two days.