[Firehol-support] firehol and ftps

Phil Whineray phil at sanewall.org
Mon Sep 22 15:15:20 BST 2014

Hi Tomas

I tried to approve your post but it does not seem to have been
forwarded to the list members or archive so I guess I messed up.

The problem with any kind of secure FTP is that the conntrack module
used by FireHOL (and most likely all other Linux firewalls these days)
cannot do its work. This is because conntrack reads the content of the
control connection looking for ports which will be connected to on the
client (in active FTP) or on the server (in passive FTP) so as to mark
the traffic as related. As soon as the connection is encrypted this
information cannot be determined and the data connection just looks
like a random connection which most firewalls will deny.

Back before the advent of the conntrack module, people used rules
permitting various combinations of high-numbered ports that would
allow active and/or passive ftp. You could try looking into this but
it may involve configuring the FTP clients or servers to limit the
port ranges to a sensible range. The situation may become impossible
if you use NAT at the same time.


---------- Forwarded message ----------
From: Cyscon <tomwolf at cyscon.de>
To: firehol-support at lists.firehol.org
Date: Mon, 22 Sep 2014 11:02:39 +0200
Subject: firehol and ftps
I have to configure firehol to allow FTPES - FTP via explicit TLS/SSL.
How can I do that?

I have
server ftp accept
and ftp works fine but ftpes does not.
If I stop firehol, ftpes works…

Thank you in advance.
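The following is an added illustration of the point Phil makes above; it is not code from the list, from FireHOL, or from the kernel. It reimplements, in simplified form, what the nf_conntrack_ftp helper does: it scans the cleartext control channel for PORT commands and 227 (PASV) replies and records the data connection each one announces, so the firewall can mark that connection RELATED. Once the client has sent AUTH TLS and the server has answered 234, everything after that is ciphertext and the parser extracts nothing, which is exactly why the data connection of an FTPES session shows up as an unrelated new connection. The second function shows the two ways such a connection can still be accepted: the conntrack RELATED match, or the pre-conntrack approach of statically opening a pinned passive range. The transcripts, the 192.0.2.x addresses, and the 30000-30100 range are constructed for the example; EPSV/EPRT (RFC 2428) are omitted for brevity.

```python
import re

# Plaintext FTP forms a conntrack helper must parse (EPSV/EPRT omitted here).
#   PORT h1,h2,h3,h4,p1,p2          -> active FTP: server connects to client
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2) -> passive: client connects to server
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_hostport(fields):
    """Decode the six comma-separated decimal fields into (host, port)."""
    host = ".".join(fields[:4])
    port = int(fields[4]) * 256 + int(fields[5])
    return host, port


def expected_data_connections(control_lines):
    """Mimic the kernel FTP helper: return the data connections it would mark
    RELATED after reading the control channel, as (direction, host, port).
    Inspection stops once AUTH TLS has been accepted with a 234 reply, because
    from then on the helper only sees ciphertext."""
    expected = []
    tls_requested = False
    encrypted = False
    for line in control_lines:
        if encrypted:
            continue  # opaque TLS bytes: nothing can be extracted
        upper = line.upper()
        if upper.startswith("AUTH TLS") or upper.startswith("AUTH SSL"):
            tls_requested = True
            continue
        if tls_requested and line.startswith("234"):
            encrypted = True
            continue
        m = PORT_RE.match(line)
        if m:
            host, port = parse_hostport(m.groups())
            expected.append(("server->client", host, port))
            continue
        m = PASV_RE.match(line)
        if m:
            host, port = parse_hostport(m.groups())
            expected.append(("client->server", host, port))
    return expected


def data_connection_allowed(related, pinned_range, dst_host, dst_port):
    """Firewall decision for a new inbound client->server TCP connection.
    `related` is the helper's output; `pinned_range` is a (lo, hi) passive
    range statically opened in the ruleset (the pre-conntrack approach)."""
    if ("client->server", dst_host, dst_port) in related:
        return "accept (RELATED via conntrack helper)"
    lo, hi = pinned_range
    if lo <= dst_port <= hi:
        return "accept (static passive-range rule)"
    return "drop (unrelated new connection)"


# Constructed transcripts of the control channel as the firewall sees it.
PLAIN_PASSIVE = [
    "220 ftp ready",
    "USER tomas", "331 Password required", "PASS hunter2", "230 Logged in",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,117,48)",  # 117*256+48 = 30000
    "RETR file",
]
PLAIN_ACTIVE = [
    "220 ftp ready",
    "PORT 192,0,2,20,4,1",  # client listens on 192.0.2.20:1025
    "200 PORT command successful",
]
FTPES = [
    "220 ftp ready",
    "AUTH TLS",
    "234 Proceed with negotiation.",
    "\x16\x03\x01<ciphertext: handshake, USER/PASS, PASV and 227 all encrypted>",
]

if __name__ == "__main__":
    for name, transcript in (("plain", PLAIN_PASSIVE), ("ftpes", FTPES)):
        related = expected_data_connections(transcript)
        print(name, "helper sees:", related)
        print(name, "data connection to :30000 ->",
              data_connection_allowed(related, (30000, 30100), "192.0.2.10", 30000))
```

The FTPES transcript yields no RELATED entries, so the data connection is accepted only because the 30000-30100 range is opened statically. In practice that means pinning the range on the server (for vsftpd, pasv_min_port and pasv_max_port; other daemons have equivalents) and opening exactly that range on the FireHOL side, for example by declaring a custom service such as server_ftpes_ports="tcp/30000:30100" with client_ftpes_ports="default" and adding server ftpes accept next to the existing server ftp accept. Keep the range as small as the expected number of concurrent transfers allows, since every port in it is reachable without any FTP session at all, and note Phil's caveat that the addresses inside the encrypted 227 reply cannot be rewritten by NAT.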
