tls

Rejy M Cyriac rcyriac at redhat.com
Sat Sep 7 06:38:01 UTC 2013


On 09/07/2013 05:16 AM, Rick Stevens wrote:
> On 09/06/2013 03:43 PM, Patrick Dupre issued this missive:
>> Hello,
>>
>> I installed pure-ftpd on my machine to use the TLS protocol.
>> I followed the instructions given in:
>> http://www.howtoforge.com/how-to-configure-pureftpd-to-accept-tls-sessions-on-fedora-18
>>
>> TLS                  2
>>
>> but I still cannot ftp by using ftps (filezilla).
>>
>> Do I need to configure the firewall to open the port?
>> in firewall-config, I do not see any tls service.
>> However, in system-config-service, I do see 2 service pure-ftpd
>> one saying that it is running and one not running (The pure-ftpd
>> service will be started on demand by the xinetd service and ends when
>> it has nothing more to do.)
>> Is it normal?
> 
> Yes, you have to modify your firewall configuration. For FTPS, you must
> allow incoming connections to port TCP port 990. To permit passive FTPS
> data, then you must also allow incoming TCP connections for a range of
> ports that the server will use for passive data connections. You must
> also tell your FTP daemon which ports those are.

If you are using iptables for the firewall, you could use the 'ip_nat_ftp'
and 'ip_conntrack_ftp' modules if you are behind NAT, or the
'ip_conntrack_ftp' module alone otherwise, to have the firewall ports
dynamically opened on demand. You specify the modules to be loaded in
'/etc/sysconfig/iptables-config'.

How do you do this with the new 'firewalld' beast? Learning about that
beast is still on my 'To Do' list. :-)

- rejy (rmc)

> 
> I'm not sure how you tell pure-ftpd which ports it can use for passive
> connections, but in vsftpd they're specified by the "pasv_min_port" and
> "pasv_max_port" variables in the vsftpd.conf file.
> 
> My server allows passive FTP/FTPS data over ports 20,000-20,100, so my
> firewall allows incoming connections for TCP ports 21, 990 and
> 20000 through 20100. My vsftpd.conf file contains:
> 
>     pasv_min_port=20000
>     pasv_max_port=20100
> 
> And away we go.
> ----------------------------------------------------------------------
> - Rick Stevens, Systems Engineer, AllDigital    ricks at alldigital.com -
> - AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
> -                                                                    -
> -          "How does that damned three seashell thing work?"         -
> -                           -- Sylvester Stallone, "Demolition Man"  -
> ----------------------------------------------------------------------
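The failure mode in this thread is a firewall that opens a different port set than the FTP daemon actually uses. The following script is an added example, not code from the thread or from vsftpd/pure-ftpd: it parses a vsftpd-style config for its passive range, emits the matching iptables rules for control (21), implicit FTPS (990) and the passive data range, and checks an existing rule set for a mismatch. It assumes vsftpd's real directive names `pasv_min_port`/`pasv_max_port`, iptables-save syntax for the rules, and the constructed sample config and rule sets embedded in the script.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the passive-FTP port range
# declared in a vsftpd.conf is the same range the firewall rules actually open.
# Assumptions: vsftpd directive names pasv_min_port/pasv_max_port; firewall
# rules in iptables-save syntax (as in /etc/sysconfig/iptables).

# Constructed sample vsftpd.conf, using the range mentioned in the thread.
SAMPLE_VSFTPD_CONF='listen=YES
ssl_enable=YES
pasv_enable=YES
pasv_min_port=20000
pasv_max_port=20100'

# Constructed sample rule set that matches the config.
SAMPLE_IPTABLES_GOOD='-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 990 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 20000:20100 -j ACCEPT'

# Constructed sample rule set whose passive range does not match the config:
# the control connection works but every data transfer hangs.
SAMPLE_IPTABLES_BAD='-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 990 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 30000:30100 -j ACCEPT'

# conf_value CONF KEY -> prints the value of KEY from key=value config text.
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# passive_range_ok MIN MAX -> 0 if the range is ordered and unprivileged.
passive_range_ok() {
    [ "$1" -ge 1024 ] && [ "$1" -le "$2" ] && [ "$2" -le 65535 ]
}

# firewall_rules MIN MAX -> prints the iptables rules a server accepting
# FTP (21), implicit FTPS (990) and passive data on MIN:MAX needs.
firewall_rules() {
    printf '%s\n' '-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT'
    printf '%s\n' '-A INPUT -p tcp -m tcp --dport 990 -j ACCEPT'
    printf '%s\n' "-A INPUT -p tcp -m tcp --dport $1:$2 -j ACCEPT"
}

# firewall_opens RULES SPEC -> 0 if RULES contain an ACCEPT for --dport SPEC
# (a single port such as 990 or a range such as 20000:20100).
firewall_opens() {
    printf '%s\n' "$1" | grep -q -- "--dport $2 -j ACCEPT"
}

# check_passive CONF RULES -> 0 when the config's passive range is sane and
# the firewall opens 21, 990 and exactly that range; reports what is missing.
check_passive() {
    conf=$1; rules=$2
    min=$(conf_value "$conf" pasv_min_port)
    max=$(conf_value "$conf" pasv_max_port)
    if [ -z "$min" ] || [ -z "$max" ]; then
        echo "pasv_min_port/pasv_max_port not set: passive range cannot be pinned"
        return 1
    fi
    passive_range_ok "$min" "$max" || { echo "bad passive range $min-$max"; return 1; }
    rc=0
    for spec in 21 990 "$min:$max"; do
        firewall_opens "$rules" "$spec" || { echo "firewall does not open tcp $spec"; rc=1; }
    done
    return $rc
}

# Stand-alone run over the constructed samples.
check_passive "$SAMPLE_VSFTPD_CONF" "$SAMPLE_IPTABLES_GOOD" && echo "good rule set: consistent"
check_passive "$SAMPLE_VSFTPD_CONF" "$SAMPLE_IPTABLES_BAD" || echo "bad rule set: mismatch detected"
```

On a real host, feed the script the output of `iptables-save` and the live config instead of the samples. With firewalld, the same holes are opened with `firewall-cmd --permanent --add-port=990/tcp` and `firewall-cmd --permanent --add-port=20000-20100/tcp` (followed by `firewall-cmd --reload`); keeping that range identical to the daemon's passive range is the whole check.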
