On Sat, Feb 16, 2008 at 12:38:02PM +0100, Dariusz Pietrzak wrote:
> > In our case, turns out our firewall was doing Layer 7 type stuff, and
> > having recognized the initial dialog as FTP it basically didn't know
> > what to do with the first TLS packet and saw it as an "RFC non
> > compliant PORT command" and just threw it away.
> >
> > We configured the firewall to not try and be so smart (to allow RFC
> > violations in this case, but disabling the layer 7 stuff completely
> > likely would have worked as well).

> You know that CCC command was added to both clients and ftp servers
> years ago to deal with this 'smart firewall' issue?
> By unencrypting 'PASV' commands, it enables stateful firewalls with ftp
> support to know which ports should be opened.


Yup, I thought CCC might be a solution, but not all clients seem to
support it yet. This way it "just works". Anyways, thought it might
be worth a mention in the FAQ.

(It seems that WS_FTP supports it, but not FileZilla which is another
commonly used client).

Ray
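
A toy model of the firewall behaviour discussed in this thread, added here as an illustration (it is not part of the original messages, nor ProFTPD or firewall vendor code). It replays a constructed FTPS control channel through an FTP helper, once strict and once with RFC violations allowed, and shows when a passive data port can be learned; `FtpHelper`, `replay`, the `strict` flag and the sample traffic are assumptions.

```python
import re

# RFC 959 passive reply: "227 ... (h1,h2,h3,h4,p1,p2)"; data port = p1*256 + p2
PASV_REPLY = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def looks_like_tls(chunk: bytes) -> bool:
    """TLS record header: content type 20-23 followed by major version 3."""
    return len(chunk) >= 3 and 20 <= chunk[0] <= 23 and chunk[1] == 3

class FtpHelper:
    """Toy model (hypothetical) of a firewall's FTP control-channel helper."""
    def __init__(self, strict: bool):
        self.strict = strict      # True: drop anything that is not an FTP line
        self.pinholes = set()     # data ports learned from plaintext 227 replies

    def inspect(self, chunk: bytes) -> bool:
        """Return True if the chunk is forwarded, False if it is dropped."""
        if looks_like_tls(chunk):
            return not self.strict    # forwarded only when RFC violations are allowed
        m = PASV_REPLY.match(chunk)
        if m:
            self.pinholes.add(int(m.group(5)) * 256 + int(m.group(6)))
        return True

def replay(session, strict):
    """Run every chunk through a fresh helper; return (forwarded flags, pinholes)."""
    fw = FtpHelper(strict)
    return [fw.inspect(c) for c in session], fw.pinholes

# Constructed control-channel traffic; TLS payloads are dummy bytes.
HANDSHAKE = b"\x16\x03\x01\x00\x04\x00\x00\x00\x00"   # record type 22 (handshake)
ENCRYPTED = b"\x17\x03\x01\x00\x04\x00\x00\x00\x00"   # record type 23 (app data)
PREFIX = [b"220 ready\r\n", b"AUTH TLS\r\n", b"234 AUTH TLS successful\r\n", HANDSHAKE]
NO_CCC = PREFIX + [ENCRYPTED, ENCRYPTED]               # login, then PASV/227 encrypted
WITH_CCC = PREFIX + [ENCRYPTED, b"PASV\r\n",           # login + CCC encrypted, then
                     b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"]  # plaintext

if __name__ == "__main__":
    for name, sess, strict in [("strict, no CCC", NO_CCC, True),
                               ("lenient, no CCC", NO_CCC, False),
                               ("lenient, CCC", WITH_CCC, False)]:
        print(name, *replay(sess, strict))
```

CCC is issued after login, so the credentials still travel encrypted, but every later control command and file name is readable on the wire.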

_______________________________________________
ProFTPD Users List