0 votes
10k views
in CompleteFTP by
I had edtftpd server working with a UNIX server. The UNIX server was moved behind a firewall and it has not worked since. I am getting these errors in the basic log file:

error setting write fd IP_TOS: Invalid Argument
error setting read fd IP_TOS: Invalid Argument
error setting write fd TCP_NOPUSH: Protocoll not available.
error setting read fd TCP_NOPUSH: Protocol not available.

I recently set up another site and am getting these errors in the Extended Log file:

wsip 70.184.227.27 ks.kscox.net UNKNOWN iliff [19/Jul/2005:00:50:52 -0500] "CWD /" 250-
wsip 70.184.227.27 ks.kscox.net UNKNOWN iliff [19/Jul/2005:00:50:52 -0500] "PORT 192,168,1,1,16,215" 500 -
wsip 70.184.227.27 ks.kscox.net UNKNOWN iliff [19/Jul/2005:00:50:52 -0500] "QUIT" 221
wsip 70.184.227.27 ks.kscox.net UNKNOWN SYSTEM[19/Jul/2005:00:50:52 -0500] "USER iliff" 331-

I do not know if this is because of their firewall. I would like to know the basics of how to set up firewall traversal for the client.

Thanks in advance
John Quinlan

3 Answers

0 votes
by (162k points)
I'm unclear what you mean by having edtftpd working with a Unix server - can you elaborate?

0 votes
by
The UNIX server is the client using Microlite Backup Edge to connect using FTPS and backing up the UNIX server remotely on the edtFTP Windows 2003 server. Everything was fine till the customer put a firewall in between the UNIX server and edtFTP server. I am not sure what to tell him to do on the firewall so our backups will work again.
0 votes
by (162k points)
The short answer is that FTPS and firewalls (and devices performing NAT) do not interact well. The control connection happens on a well-known port, and has no issues; it is the data connection that poses problems for FTP-aware firewalls.

In a non-FTPS session, the firewall can inspect the FTP server's responses on the control connection to a client's PASV or PORT command, and thus know on which ports/addresses the data connection will be established.

In an FTPS session, though, those control connection messages are encrypted (that is the point of using FTPS, right?), and so the FTP-aware firewall cannot peek. Hence, it cannot know on which ports the data connection will be established. For firewalls that are configured to always allow a certain range of ports (such as might be configured using the PassivePorts directive), FTPS should function without issue.

edtFTPD is based on proFTPD, so you can use PassivePorts as described here

http://www.proftpd.org/docs/directives/ ... Ports.html

and get the firewall configured to permit these ports.

The client must be transferring in passive mode.
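As an added illustration (not part of the original thread and not edtFTPD code), this Python script decodes the PORT argument in the Extended Log lines from the question and flags active-mode requests whose advertised address differs from the peer address the server saw, which is the NAT/firewall case the answer describes. The log layout the regular expression expects is an assumption based on those lines, and the function names are hypothetical.

```python
import ipaddress
import re

# Log lines copied from the question's Extended Log excerpt.
SAMPLE_LOG = """\
wsip 70.184.227.27 ks.kscox.net UNKNOWN iliff [19/Jul/2005:00:50:52 -0500] "CWD /" 250-
wsip 70.184.227.27 ks.kscox.net UNKNOWN iliff [19/Jul/2005:00:50:52 -0500] "PORT 192,168,1,1,16,215" 500 -
wsip 70.184.227.27 ks.kscox.net UNKNOWN iliff [19/Jul/2005:00:50:52 -0500] "QUIT" 221
"""

# Assumed layout: first IPv4 on the line is the peer, then "COMMAND" and a 3-digit reply.
LINE_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\b.*"([^"]*)"\s+(\d{3})')
PORT_RE = re.compile(r'^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$', re.I)

def parse_port(command):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (IPv4Address, port), or None."""
    m = PORT_RE.match(command.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ipaddress.IPv4Address(".".join(map(str, nums[:4]))), nums[4] * 256 + nums[5]

def find_nat_mismatches(log_text):
    """List PORT commands advertising an address other than the one the
    control connection arrived from (client is behind NAT, in active mode)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        decoded = parse_port(m.group(2)) if m else None
        if decoded is None:
            continue
        try:
            peer = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue
        adv_ip, adv_port = decoded
        if adv_ip != peer:
            findings.append({"peer": str(peer), "advertised": str(adv_ip),
                             "port": adv_port, "private": adv_ip.is_private,
                             "reply": m.group(3)})
    return findings

if __name__ == "__main__":
    for finding in find_nat_mismatches(SAMPLE_LOG):
        print(finding)
```

A finding with `private` set to true means the client is still using active mode from behind NAT, so switching it to passive mode and opening the PassivePorts range on the firewall is the relevant fix.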
