Let me describe the problem I ran into:
I set up a Pure-FTPd server with the listening port bound to 4321, the data transfer port set to 4320, passive transfer mode, and TLS mode 2.
There is a firewall in front of the server; ports 4321 and 4320 are already open, and the relevant certificate has been generated and put in the appropriate place.
The corresponding contents of pureftpd.conf:
ForcePassiveIP SERVER_IP
PassivePortRange 4320 4320
Bind SERVER_IP,4321
TLS 2
Test results:
1) Plain FTP connections to port 4321, in both active and passive mode, transfer with no problems at all.
2) However, for security reasons we need to connect from the FileZilla client using passive FTP over TLS (explicit encryption), and this connection mode did not pass the test.
The failure shown on the client side is:
Status: Connecting to xberndftp.ext.nokia.com:4321 ...
Status: Connected with xberndftp.ext.nokia.com:4321, negotiating SSL connection...
Response: 220---------- Welcome to Pure-FTPd [TLS] ----------
Response: 220-<<
................>>
Response: 220-Local time is now 10:53. Server port: 4321.
Response: 220-This is a private system - No anonymous login
Response: 220 You will be disconnected after 15 minutes of inactivity.
Command: AUTH TLS
Response: 234 AUTH TLS OK.    (the authentication part passes, which shows the connection to port 4321 succeeds)
Error: Disconnected from server    (but the connection cannot be established; no connection can be made on port 4320)
Error: Unable to connect!
I looked through the Pure-FTPd FAQ, and one entry there is very similar to what I am seeing:
Question: My client is behind a stateful firewall doing applicative filtering (like IPTables with ip_conntrack_ftp or
ip_nat_ftp). Connections to an SSL/TLS enabled server don't work. Authentication works, but I'm unable
to download files or list directories.
Answer: First, try to force your client to use the passive mode. In active mode, the server has to connect to the client
(or the NAT gateway) on a dynamic port that is negotiated on the connection socket. But when SSL/TLS is
used, that connection socket is encrypted, therefore no man-in-the-middle can see what ports will be used to
transfer data, including the firewall. There are some proposals to work around this problem, but neither
popular clients nor common firewalls are aware of these tricks. Therefore, use the passive mode or switch to
SSH.
I am already using FTP over TLS in passive mode, but the result is still that I cannot connect.
I would appreciate everyone's help in tracking down the error. Many thanks.
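A stage-by-stage diagnostic for a session like the one in the post, added here as an example; it is not part of the original post, of Pure-FTPd or of FileZilla. In an explicit-TLS session the client sends AUTH TLS, completes the TLS handshake on the control connection, logs in, sends PBSZ 0 / PROT P, and only then sends PASV and opens the data connection. The script classifies a FileZilla message log by the furthest of those stages it reached, so a disconnect immediately after "234 AUTH TLS OK" (before any PASV has been sent) can be told apart from a failure to reach the announced data port. It also includes a live probe built on Python's ftplib that runs the same sequence against a server, step by step; the host, port and credentials passed to it are placeholders, and the sample logs embedded below are constructed to mirror the shape of the post's log, not copied from it.

```python
"""Stage-by-stage diagnosis of an explicit FTP-over-TLS (AUTH TLS) session.

diagnose()           - classify a FileZilla message log by the furthest stage reached
probe_explicit_tls() - drive the same sequence live with ftplib (needs network access)
"""
import re
import socket
from ftplib import FTP_TLS, Error as FTPError

# Stages of a passive explicit-TLS session, in protocol order. Each is recognised
# by a regex over one FileZilla log line; the hint says what a stop at that stage
# means. PASV, and therefore the data port, only comes into play after the
# control-connection TLS handshake and the login have succeeded.
STAGES = [
    ("tcp_connect", r"^Status: Connected with ",
     "TCP to the control port works; the server must now send its 220 banner."),
    ("auth_tls_ok", r"^Response: 234 ",
     "Server accepted AUTH TLS. A disconnect here means the TLS handshake on the "
     "control connection failed (certificate, key or protocol settings); no data "
     "port has been used yet."),
    ("tls_established", r"^Status: (TLS|SSL) connection established",
     "Control connection is encrypted; next is USER/PASS."),
    ("login_ok", r"^Response: 230 ",
     "Logged in; next is PBSZ 0 / PROT P to encrypt data connections."),
    ("prot_requested", r"^Command: PROT P",
     "Client asked for encrypted data connections; next is PASV."),
    ("pasv_ok", r"^Response: 227 ",
     "Server announced its passive address/port. A failure here is a data-port "
     "problem: the announced address/port is unreachable (firewall) or the "
     "passive range is exhausted."),
    ("data_connected", r"^Response: (125|150) ",
     "Server accepted the data connection; the transfer and its TLS handshake are running."),
    ("transfer_complete", r"^Response: 226 ",
     "Transfer finished; the whole path works."),
]


def diagnose(log_lines):
    """Return the furthest stage reached, its hint, and any 'Error:' lines."""
    reached = 0
    errors = []
    for raw in log_lines:
        line = raw.strip()
        if line.startswith("Error:"):
            errors.append(line[len("Error:"):].strip())
            continue
        for idx, (_name, pattern, _hint) in enumerate(STAGES, start=1):
            if idx > reached and re.match(pattern, line):
                reached = idx
    if reached == 0:
        return {"stage": "none", "hint": "No TCP connection to the control port.", "errors": errors}
    name, _pattern, hint = STAGES[reached - 1]
    return {"stage": name, "hint": hint, "errors": errors}


def probe_explicit_tls(host, port, user, password, timeout=10):
    """Run the same sequence live; returns (stages_completed, failure_or_None).

    Each ftplib call maps onto one stage of the classifier above. The data port
    is only tested (with a bare TCP connect) once PASV has succeeded. Host,
    port and credentials are placeholders supplied by the caller.
    """
    done = []
    ftps = FTP_TLS()
    try:
        ftps.connect(host, port, timeout=timeout); done.append("tcp_connect")
        ftps.auth();                                done.append("tls_established")  # AUTH TLS + handshake
        ftps.login(user, password);                 done.append("login_ok")
        ftps.prot_p();                              done.append("prot_requested")   # PBSZ 0 + PROT P
        ftps.set_pasv(True)
        data_host, data_port = ftps.makepasv();     done.append("pasv_ok")          # sends PASV, parses 227
        with socket.create_connection((data_host, data_port), timeout=timeout):
            done.append("data_connected")
    except (OSError, FTPError, EOFError) as exc:
        return done, f"{type(exc).__name__}: {exc}"
    finally:
        ftps.close()
    return done, None


# Constructed sample logs (placeholder host, 192.0.2.10 is a documentation address),
# mirroring the shape of a FileZilla message log.
SAMPLE_CONTROL_TLS_FAILURE = [
    "Status: Connecting to ftp.example.test:4321 ...",
    "Status: Connected with ftp.example.test:4321, negotiating SSL connection...",
    "Response: 220---------- Welcome to Pure-FTPd [TLS] ----------",
    "Response: 220 You will be disconnected after 15 minutes of inactivity.",
    "Command: AUTH TLS",
    "Response: 234 AUTH TLS OK.",
    "Error: Disconnected from server",
    "Error: Unable to connect!",
]
SAMPLE_DATA_PORT_FAILURE = SAMPLE_CONTROL_TLS_FAILURE[:6] + [
    "Status: TLS connection established.",
    "Command: USER alice",
    "Response: 331 User alice OK. Password required",
    "Command: PASS ****",
    "Response: 230 OK. Current directory is /",
    "Command: PBSZ 0",
    "Response: 200 PBSZ=0",
    "Command: PROT P",
    "Response: 200 Data protection level set to \"private\"",
    "Command: PASV",
    "Response: 227 Entering Passive Mode (192,0,2,10,16,224)",  # 16*256+224 = port 4320
    "Command: LIST",
    "Error: Connection timed out",
    "Error: Failed to retrieve directory listing",
]
SAMPLE_SUCCESS = SAMPLE_DATA_PORT_FAILURE[:-2] + [
    "Response: 150 Accepted data connection",
    "Response: 226 3 matches total",
]

if __name__ == "__main__":
    for label, log in [("control-TLS failure", SAMPLE_CONTROL_TLS_FAILURE),
                       ("data-port failure", SAMPLE_DATA_PORT_FAILURE),
                       ("success", SAMPLE_SUCCESS)]:
        result = diagnose(log)
        print(f"{label}: stopped at '{result['stage']}' -> {result['hint']}")
```

Run it as-is to see the three constructed logs classified; to test a real server, call `probe_explicit_tls("your.host", 4321, "user", "password")` and compare the returned stage list with the classifier's stages. A single-port PassivePortRange such as `4320 4320` also means only one passive data connection can exist at a time, which the `pasv_ok` hint covers as an exhausted range.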