I encountered an issue with mod_tls running in ProFTPd on a system
behind a commercial firewall package. The system is NAT'd to a
different public IP.

I was using MasqueradeAs and also PassivePorts which should mitigate
most firewall issues. Things worked fine from a client on the same
subnet, but not from beyond the subnet.

The client would send an AUTH TLS command, and the server would send
back its acknowledgement. The client would then proceed to send its
first TLS-encrypted packet, but this packet was never received by the
server. The server would think it needed to re-send the "AUTH TLS
successful" packet, and would do so, and upon receipt by the client it
immediately killed the connection with an RST.

In our case, it turns out our firewall was doing Layer 7 type stuff, and
having recognized the initial dialog as FTP it basically didn't know
what to do with the first TLS packet, saw it as an "RFC non-compliant
PORT command" and just threw it away.

We configured the firewall not to try to be so smart (to allow RFC
violations in this case, but disabling the Layer 7 stuff completely
likely would have worked as well).

Anyway, this might be useful to others out there. Would be a good
addition to the FAQ IMO.


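As an added illustration of the failure mode described in the post above (this is example code written for this page, not code from the post, from ProFTPD, or from any firewall vendor), the following Python simulates an FTP application-layer gateway (ALG) on the control connection. The naive variant keeps parsing every client packet as a plaintext FTP command for the whole session, so the first TLS record after "234 AUTH TLS successful" fails the parse and is discarded, which is what the poster saw. The TLS-aware variant switches to passthrough once the server accepts AUTH TLS and forwards the record. The exchange and the truncated ClientHello bytes are constructed for the example; the class names, regexes and the "drop on unparseable command" rule are assumptions of this simulation, not a description of any real product.

```python
"""Simulated FTP ALG: why a TLS record sent after AUTH TLS gets dropped, and the fix.

Added example; nothing here talks to a real firewall or server.
"""
import re

# Constructed control-channel traffic, in order. "C" is client->server,
# "S" is server->client. The last client packet is the start of a TLS
# ClientHello (record type 0x16 = handshake, version 3.1, handshake header,
# then part of the random). It is truncated; the ALG only needs to see that
# it is not a CRLF-terminated FTP command line.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + bytes(32)

EXCHANGE = [
    ("S", b"220 ProFTPD Server ready.\r\n"),
    ("C", b"AUTH TLS\r\n"),
    ("S", b"234 AUTH TLS successful\r\n"),
    ("C", TLS_CLIENT_HELLO),  # first encrypted bytes; a naive ALG drops this
]

# Loose shapes of an FTP command line and reply line (assumed for the example).
FTP_COMMAND = re.compile(rb"^[A-Za-z]{3,4}(?: [^\r\n]*)?\r\n$")
FTP_REPLY = re.compile(rb"^\d{3}[ -][^\r\n]*\r\n$")


class NaiveFtpAlg:
    """Inspects every client packet as an FTP command for the life of the session.

    Anything it cannot parse is discarded, which is the behaviour the post
    describes: the TLS record is logged as an "RFC non-compliant" command.
    """

    def __init__(self):
        self.dropped = []

    def forward(self, direction, data):
        if direction == "C" and not FTP_COMMAND.match(data):
            self.dropped.append(data)
            return None  # packet never reaches the server
        return data


class TlsAwareFtpAlg(NaiveFtpAlg):
    """Stops inspecting once AUTH TLS has been accepted with a 234 reply.

    From then on the ALG can no longer see PASV/PORT or rewrite addresses,
    which is why the server itself must use MasqueradeAs and a fixed
    PassivePorts range that the firewall opens statically.
    """

    def __init__(self):
        super().__init__()
        self.auth_tls_pending = False
        self.passthrough = False

    def forward(self, direction, data):
        if self.passthrough:
            return data  # ciphertext: forward untouched
        if direction == "C" and FTP_COMMAND.match(data):
            # Remember whether the most recent command was AUTH TLS.
            self.auth_tls_pending = data.upper().startswith(b"AUTH TLS")
        elif (direction == "S" and FTP_REPLY.match(data)
              and self.auth_tls_pending and data.startswith(b"234")):
            # 234 means the server accepted AUTH (RFC 4217); the next client
            # bytes are the TLS handshake, not FTP commands.
            self.passthrough = True
            self.auth_tls_pending = False
        return super().forward(direction, data)


def run_session(alg, exchange=EXCHANGE):
    """Push the exchange through an ALG; return (forwarded, dropped) packets."""
    forwarded = []
    for direction, data in exchange:
        out = alg.forward(direction, data)
        if out is not None:
            forwarded.append((direction, out))
    return forwarded, alg.dropped


if __name__ == "__main__":
    for cls in (NaiveFtpAlg, TlsAwareFtpAlg):
        fwd, dropped = run_session(cls())
        print(f"{cls.__name__}: forwarded {len(fwd)} packets, dropped {len(dropped)}")
```

The point for the deployment in the post: once the control channel is encrypted no firewall can fix up PASV replies or open data ports on demand, so the combination the poster already had (MasqueradeAs so the server advertises its public address, plus a fixed PassivePorts range that is permitted through the firewall) is what makes FTPS through NAT work, and the ALG must either understand AUTH TLS or be disabled for that service.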