ftp-authssl Ports

Discussion in 'General Discussion' started by Mysteerie, Jan 14, 2005.

  1. Mysteerie

    When I use ftp-authssl to connect through FTP with my APF firewall off, it works properly, but with it on, it doesn't display the folders.

    What ports are required (besides 21) to allow SSL FTP through APF? Thank you.

    I did a search and did find a few posts, but the guy wasn't totally trustable, since I found a post saying those ports were wrong. So just posting a message in case anyone uses FTP SSL and what ports they have open. :)
     
  2. chirpy

    IIRC, you cannot use FTP over SSL with an SPI firewall such as APF because of a conflict between the use of ephemeral ports and SSL encryption of the control channel. It might work if you disable PASV mode in your FTP client.
     
  3. Mysteerie

    Doesn't work on Passive or Active mode. :(

    I kinda get what you are saying, except your use of the words "ephemeral ports". Do you mean that APF doesn't create a constant connection in order for SSL to work? Or do you mean that SSL uses random ports to connect, after the fact of port 20 and 21?
     
  4. chirpy

    Well, it ought to work without PASV mode, though I haven't played with it in a while. Yes, the reason that it won't work in non-passive mode is because the control connection is moved from port 20 to an ephemeral port (i.e. > 1024) and, because the session is encrypted, the server doesn't know which port has been chosen - or something along those lines :)

    You should be able to find more information about it through Google searching for "ftp over ssl firewall", but it may take a bit of digging. SFTP is a better solution, but does mean enabling SSH clients for access, though there are ways to only allow SFTP connections and not SSH connections for the users. For example:
    http://www.pizzashack.org/rssh/index.shtml
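
Added example, not part of the original thread: a simplified Python model of how a stateful firewall's FTP helper learns the data port from a cleartext control channel (the RFC 959 `PORT` command and `227` reply), and why it learns nothing once the control channel is wrapped in TLS. The class name, addresses and sample traffic are constructed for illustration and do not represent APF's own code.

```python
import re

# Address/port tuple used by "PORT h1,h2,h3,h4,p1,p2" and by
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (RFC 959).
TUPLE = re.compile(rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


class FtpHelper:
    """Toy model of a stateful firewall's FTP helper (hypothetical, simplified)."""

    def __init__(self):
        # (ip, port) pairs for which a data connection will be let through
        self.expected = set()

    def inspect(self, segment: bytes) -> None:
        """Look at one control-channel segment exactly as it appears on the wire."""
        line = segment.strip()
        if not (line.upper().startswith(b"PORT ") or line.startswith(b"227")):
            return  # not a data-port announcement (or unreadable ciphertext)
        m = TUPLE.search(line)
        if m:
            n = [int(x) for x in m.groups()]
            if all(v <= 255 for v in n):
                ip = ".".join(str(v) for v in n[:4])
                self.expected.add((ip, n[4] * 256 + n[5]))  # port = p1*256 + p2

    def allows(self, ip: str, port: int) -> bool:
        return (ip, port) in self.expected


def run(segments):
    """Feed a list of control-channel segments through a fresh helper."""
    helper = FtpHelper()
    for s in segments:
        helper.inspect(s)
    return helper


# Constructed sample traffic (documentation addresses, not taken from the thread).
PLAIN = [b"220 ready\r\n", b"USER demo\r\n", b"PASV\r\n",
         b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"]
# Same session after AUTH TLS: the 227 reply still happens, but the firewall
# only sees an opaque TLS application-data record (placeholder bytes here).
TLS = [b"220 ready\r\n", b"AUTH TLS\r\n", b"234 AUTH TLS OK\r\n",
       b"\x17\x03\x03\x00\x30" + bytes(48)]

if __name__ == "__main__":
    print("cleartext, data port 50000 allowed:", run(PLAIN).allows("192.0.2.10", 50000))
    print("AUTH TLS,  data port 50000 allowed:", run(TLS).allows("192.0.2.10", 50000))
```

In the TLS case the helper never opens a pinhole, so the directory listing's data connection is dropped unless the firewall statically permits the port the server chose.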
     