Is there a standard port for (ftp over) TLS ?
on 14.01.2007 14:35:18 by mmmm
I have to set up an FTP server and would like to enable TLS.
I have to configure the firewall as well.
Is there a different standard port for TLS (for FTP it's 21)?
Maybe it's a pair of ports similar to standard FTP: 21 + 22,
one port for data and one port for protocol negotiations?
Is there a difference if I use "implicit" or "explicit" TLS mode?
Marcus
Re: Is there a standard port for (ftp over) TLS ?
on 14.01.2007 18:06:07 by Ansgar -59cobalt- Wiechers
In comp.security.firewalls Marcus Mender wrote:
> I have to set up an FTP server and would like to enable TLS.
>
> I have to configure the firewall as well.
>
> Is there a different standard port for TLS (for FTP it's 21)?
>
> Maybe it's a pair of ports similar to standard FTP: 21 + 22,
> one port for data and one port for protocol negotiations?
Port 22/tcp is SSH, not FTP. FTP uses port 21/tcp inbound and either
port 20/tcp outbound (active mode) or an arbitrary port > 1023/tcp
inbound (passive mode).
Anyway, since you want encryption and have to traverse a firewall it
would probably be a better approach to dump FTP and use SSH instead.
cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Re: Is there a standard port for (ftp over) TLS ?
on 14.01.2007 20:15:42 by Menno Duursma
On Sun, 14 Jan 2007 13:35:18 +0000, Marcus Mender wrote:
> Is there a different standard port for TLS (for FTP it's 21)?
No.
> Maybe it's a pair of ports similar to standard FTP: 21 + 22
Active mode FTP data connections normally run over one port below that of
the control connection (which is indeed defined, by IANA, to be 21, making
the standard data port 20).
> One port for data and one port for protocol negotiations?
Yes.
And in active mode you know the data port beforehand. But since it is
the server connecting (from port 20) to a random port >1024 on the
client, and you're encrypting the negotiation, clients won't know which
port to open and very probably disallow this...
In passive mode you don't really know which port the server is going to use;
however, you can define a 'port range' it should pick from, and let that
through the firewall along with port 21.
http://www.ford-hutchinson.com/~fh-1-pfh/draft-fordh-ftp-ssl-firewall-07.txt
> Is there a difference if I use "implicit" or "explicit" TLS mode?
Yes. Either you implicitly rely on the server to encrypt the data
connection as well, or explicitly tell it to, or not to, do so.
The latter uses different ports (990 control, and 989 active-mode data
usually); however, this method is basically deprecated.
--
-Menno.
Re: Is there a standard port for (ftp over) TLS ?
on 14.01.2007 20:29:39 by Menno Duursma
On Sun, 14 Jan 2007 20:15:42 +0100, Menno Duursma wrote:
> On Sun, 14 Jan 2007 13:35:18 +0000, Marcus Mender wrote:
[ FTPS stuff ]
>> Is there a difference if I use "implicit" or "explicit" TLS mode?
>
> Yes. Either you implicitly rely on the server to encrypt the data
> connection as well, or explicitly tell it to, or not to, do so.
>
> The latter uses different ports (990 control, and 989 active-mode data
s/latter/former/
( However, this is the 'later', and more widely supported, method
conforming to RFC 4217 )
> usually); however, this method is basically deprecated.
--
-Menno.
Re: Is there a standard port for (ftp over) TLS ?
on 14.01.2007 21:35:16 by Allen Kistler
Marcus Mender wrote:
> I have to set up an FTP server and would like to enable TLS.
>
> I have to configure the firewall as well.
>
> Is there a different standard port for TLS (for FTP it's 21)?
>
> Maybe it's a pair of ports similar to standard FTP: 21 + 22,
> one port for data and one port for protocol negotiations?
>
> Is there a difference if I use "implicit" or "explicit" TLS mode?
ftps-data   989/tcp   ftp protocol, data, over TLS/SSL
ftps-data   989/udp   ftp protocol, data, over TLS/SSL
ftps        990/tcp   ftp protocol, control, over TLS/SSL
ftps        990/udp   ftp protocol, control, over TLS/SSL
versus the usual
ftp-data     20/tcp   File Transfer [Default Data]
ftp-data     20/udp   File Transfer [Default Data]
ftp          21/tcp   File Transfer [Control]
ftp          21/udp   File Transfer [Control]
http://www.iana.org/assignments/port-numbers
Re: Is there a standard port for (ftp over) TLS ?
on 15.01.2007 10:46:58 by Alexander Dalloz
On Sun, 14 Jan 2007 13:35:18 +0000 Marcus Mender wrote:
> I have to set up an FTP server and would like to enable TLS.
>
> I have to configure the firewall as well.
>
> Is there a different standard port for TLS (for FTP it's 21)?
No.
> Maybe it's a pair of ports similar to standard FTP: 21 + 22
Ports are 20 and 21 if you are speaking about active FTP [1].
> One port for data and one port for protocol negotiations?
Yes.
> Is there a difference if I use "implicit" or "explicit" TLS mode?
Yes, see http://en.wikipedia.org/wiki/FTPS:
"Implicit FTPS is an older, but still widely implemented style in which
the client connects to a different port (usually 990), and an SSL
handshake is performed before any FTP commands are sent."
> Marcus
Basically the same decisions regarding firewalling (active and/or passive
FTP) apply to the situation when using TLS-secured FTP. But in addition,
if your firewall is doing NAT as well, there is a rather big chance that
FTP connections with TLS security will fail.
http://www.ford-hutchinson.com/~fh-1-pfh/ftps-ext.html
Alexander
[1] http://slacksite.com/other/ftp.html
--
Alexander Dalloz | Löhne, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp
Serendipity 10:36:33 up 1 day, 12:03, load average: 0.22, 0.24, 0.19
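Two points from the replies above deserve a worked illustration: Menno's note that in passive mode you pin the server to a port range and open that range on the firewall along with port 21, and Alexander's warning that a NAT firewall tends to break FTPS because its FTP helper can no longer read the (now encrypted) PASV/PORT exchange. The script below is an added example of my own, not code from any poster or from any FTP server project. It replays an explicit-FTPS (RFC 4217) control-channel transcript and reports what a firewall admin needs to know: whether TLS was up before USER/PASS went over the wire, whether the data channel was protected (PBSZ 0 then PROT P), and whether every passive data port the server announced falls inside the statically opened range. The passive range 50000-50100, the hostname and the transcripts are constructed sample data; "990 means implicit mode" is my assumption for the policy object.

```python
"""Check an FTPS control-channel transcript against a firewall policy.

Added example, not from the original thread. Assumptions: explicit mode
on 21/tcp per RFC 4217; implicit mode on 990/tcp with TLS from byte one;
the server is pinned to a fixed passive range that the firewall opens
statically, because an encrypted 227 reply cannot be read by a NAT/FTP
helper. Transcripts are constructed, not captured traffic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# RFC 959 host/port tuple "h1,h2,h3,h4,p1,p2" (port = p1*256 + p2) as used in
# the server's 227 reply and in the client's PORT command.
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428 extended passive reply "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def parse_hostport(text: str) -> tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 tuple from a 227 reply or a PORT command."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError(f"no host/port tuple in {text!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"byte out of range in {text!r}")
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]


def parse_epsv(reply: str) -> int:
    """Port from a 229 reply; EPSV carries only the port, never the host."""
    m = EPSV_RE.search(reply)
    if m is None or not 1 <= int(m.group(1)) <= 65535:
        raise ValueError(f"bad 229 reply {reply!r}")
    return int(m.group(1))


@dataclass(frozen=True)
class FirewallPolicy:
    control_port: int = 21                        # 990 for implicit FTPS (assumption)
    pasv_range: tuple[int, int] = (50000, 50100)  # must equal the server's pasv min/max

    @property
    def implicit(self) -> bool:
        return self.control_port == 990

    def allows_data_port(self, port: int) -> bool:
        return self.pasv_range[0] <= port <= self.pasv_range[1]


@dataclass
class Report:
    control_tls: bool                 # TLS active on the control channel
    data_tls: bool = False            # PROT P accepted (or implied in implicit mode)
    data_ports: list[int] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)


def analyse(transcript: list[tuple[str, str]], policy: FirewallPolicy) -> Report:
    """transcript: (direction, line) pairs, direction "C" for client, "S" for server."""
    rep = Report(control_tls=policy.implicit, data_tls=policy.implicit)
    last_cmd, pbsz_ok = "", False
    for who, line in transcript:
        if who == "C":
            last_cmd = line.strip().upper()
            verb = last_cmd.split(" ", 1)[0]
            if verb in ("USER", "PASS") and not rep.control_tls:
                rep.warnings.append(f"{verb} sent before TLS was negotiated")
            elif verb == "PORT":
                _, port = parse_hostport(last_cmd)
                rep.warnings.append(f"active mode: server connects from 20/tcp to client "
                                    f"port {port}; a NAT/FTP helper cannot read this if encrypted")
            continue
        code = line[:3]
        if last_cmd == "AUTH TLS" and code == "234":
            rep.control_tls = True
        elif last_cmd == "PBSZ 0" and code == "200":
            pbsz_ok = True
        elif last_cmd == "PROT P" and code == "200":
            if pbsz_ok:
                rep.data_tls = True
            else:
                rep.warnings.append("PROT P accepted without a prior PBSZ 0 (RFC 4217 requires it)")
        elif last_cmd == "PROT C" and code == "200":
            rep.data_tls = False
        elif code in ("227", "229"):
            port = parse_epsv(line) if code == "229" else parse_hostport(line)[1]
            rep.data_ports.append(port)
            if not policy.allows_data_port(port):
                rep.warnings.append(f"passive data port {port} is outside the firewall range "
                                    f"{policy.pasv_range[0]}-{policy.pasv_range[1]}")
    return rep


# Constructed sample sessions (not real captures).
GOOD_SESSION = [
    ("C", "AUTH TLS"), ("S", "234 Proceed with negotiation."),
    ("C", "PBSZ 0"), ("S", "200 PBSZ set to 0."),
    ("C", "PROT P"), ("S", "200 PROT now Private."),
    ("C", "USER alice"), ("S", "331 Please specify the password."),
    ("C", "PASS s3cret"), ("S", "230 Login successful."),
    ("C", "PASV"), ("S", "227 Entering Passive Mode (192,168,1,10,195,80)."),  # 195*256+80 = 50000
]
CLEARTEXT_LOGIN_SESSION = [
    ("C", "USER alice"), ("S", "331 Please specify the password."),
    ("C", "PASS s3cret"), ("S", "230 Login successful."),
    ("C", "AUTH TLS"), ("S", "234 Proceed with negotiation."),
    ("C", "PBSZ 0"), ("S", "200 PBSZ set to 0."),
    ("C", "PASV"), ("S", "227 Entering Passive Mode (192,168,1,10,4,1)."),  # 4*256+1 = 1025
]

if __name__ == "__main__":
    for name, session in (("good", GOOD_SESSION), ("cleartext", CLEARTEXT_LOGIN_SESSION)):
        print(name, analyse(session, FirewallPolicy()))
```

The second session shows both failure modes at once: the login went out before AUTH TLS, and the server handed out port 1025, which a firewall opened only for 21/tcp plus 50000-50100 will silently drop, with no FTP helper able to rescue it because the 227 reply is inside TLS.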
Re: Is there a standard port for (ftp over) TLS ?
on 15.01.2007 19:03:08 by Phil Sherman
I'd suggest starting by scanning your services file for TLS and seeing
all of the ports reserved for it. Try an internet search on TLS and also
look at the RFCs for TLS. (RFCs are available on the internet too.)
Phil Sherman
Marcus Mender wrote:
> I have to set up an FTP server and would like to enable TLS.
>
> I have to configure the firewall as well.
>
> Is there a different standard port for TLS (for FTP it's 21)?
>
> Maybe it's a pair of ports similar to standard FTP: 21 + 22,
> one port for data and one port for protocol negotiations?
>
> Is there a difference if I use "implicit" or "explicit" TLS mode?
>
> Marcus
>