
curl-users

Re: FTP/SSL issue; Help!

From: Markus Moeller <huaraz_at_moeller.plus.com>
Date: Tue, 7 Apr 2009 07:01:28 +0100

>"Max" <maxshop01_at_gmail.com> wrote in message
>news:a4e55e0c0904061944o6237f1a2l7aef1044400b99ae_at_mail.gmail.com...
>I have one other question... is it necessary to open ALL "high" ports
>(1023 and above) or can I specify a range? Thanks

For pasv that depends on the server capabilities. In pasv mode the server
listens on a port and then tells the client to connect to it. Some servers
have the option to restrict the ports they can listen on.

On Mon, Apr 6, 2009 at 1:51 PM, Max <maxshop01_at_gmail.com> wrote:
> Thanks Marcus. I got confirmation from the Admin that there is a
> firewall indeed.
>
> We are not having any issues for regular passive FTP (i.e. non-SSL)
> connections to other FTP sites. I believe that this is because the
> command channel is not encrypted and the firewall can determine
> accordingly. Right?
>
> As for the FTP with SSL connection issue, is opening the "high" TCP
> ports >1023 the only solution?
>
> Thanks again.
>
> On Sun, Apr 5, 2009 at 8:32 AM, Markus Moeller <huaraz_at_moeller.plus.com>
> wrote:
>>
>>> "Max" <maxshop01_at_gmail.com> wrote in message
>>> news:a4e55e0c0904041508x7a5a63e4yfdd1ac6cd7433e6e_at_mail.gmail.com...
>>> So are these all issues firewall related? Is the firewall blocking
>>> curl from connecting? Sorry for the newbie question. I'll double-check
>>> with our Admin to make sure that there is no firewall.
>>
>>
>> There are two issues with "stateful" firewalls:
>>
>> Firstly, if address translation is done, the firewall usually analyses the
>> ftp command connection and looks for keywords like (E)PASV and (E)PORT and
>> then replaces the IP-address with the translated IP-address. With an encrypted
>> command channel the firewall can not do that anymore. curl has the
>> --ftp-skip-pasv-ip option to deal with this issue for pasv connections.
>>
>> Secondly, the firewall usually blocks all connections, but if ftp is
>> allowed the firewall looks for keywords like (E)PASV and (E)PORT in the
>> command connection and then dynamically opens the required ones. Again, with
>> an encrypted command channel the firewall can not do that and you need to
>> configure the firewall so that all connections on all high ports >1023 are
>> allowed from your client for pasv ftp.
>>
>> Regards
>> Markus
>>
>> -------------------------------------------------------------------
>> List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
>> FAQ: http://curl.haxx.se/docs/faq.html
>> Etiquette: http://curl.haxx.se/mail/etiquette.html
>>
>
Regards
Markus
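The two explanations in this thread (a pasv server announcing a port for the client to connect to, and a firewall or NAT box reading that announcement out of the command channel) come down to parsing the 227/229 replies. The following is an added illustration, not curl's source code: it parses both reply forms the way a client or an inspecting firewall would, shows what curl's --ftp-skip-pasv-ip does (ignore the address in the 227 reply and reuse the control connection's peer), flags the NAT symptom of a private address being advertised over a public control connection, and checks the announced port against the range a firewall has been told to allow. All reply lines and addresses below are constructed sample values.

```python
"""Deriving the FTP data endpoint from PASV/EPSV replies (added example)."""
import re
from ipaddress import ip_address

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   -> address + port, port = p1*256 + p2
PASV_TUPLE = re.compile(
    r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# 229 Entering Extended Passive Mode (|||port|)   -> port only, address is implicit
EPSV_TUPLE = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def parse_pasv_reply(reply):
    """Return (ip, port) advertised in a 227 reply."""
    if not reply.startswith("227"):
        raise ValueError("not a 227 reply: %r" % reply)
    m = PASV_TUPLE.search(reply)
    if m is None:
        raise ValueError("no host/port tuple in reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("tuple element out of range: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def parse_epsv_reply(reply):
    """Return the port from a 229 reply. EPSV carries no address: the data
    connection goes to the same host the control connection is talking to."""
    if not reply.startswith("229"):
        raise ValueError("not a 229 reply: %r" % reply)
    m = EPSV_TUPLE.search(reply)
    if m is None:
        raise ValueError("no port in reply: %r" % reply)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return port


def data_endpoint(reply, control_peer_ip, skip_pasv_ip=False):
    """Where the client will open its data connection.

    skip_pasv_ip mirrors curl's --ftp-skip-pasv-ip: the address inside the 227
    reply (often the server's NAT-internal one, which a firewall could not
    rewrite because the command channel was encrypted) is ignored and the
    control connection's peer address is reused instead."""
    if reply.startswith("229"):
        return control_peer_ip, parse_epsv_reply(reply)
    ip, port = parse_pasv_reply(reply)
    if skip_pasv_ip:
        ip = control_peer_ip
    return ip, port


def nat_mismatch(advertised_ip, control_peer_ip):
    """True when the server announced a private address although we reached it
    on a public one: the classic sign that no NAT device rewrote the reply."""
    return (ip_address(advertised_ip).is_private
            and not ip_address(control_peer_ip).is_private)


def port_allowed(port, allowed_range=(1024, 65535)):
    """Would a firewall rule permitting only this port range let the data
    connection through? Default is the 'all high ports >1023' rule from the
    thread; a server that restricts its pasv ports lets this range shrink."""
    lo, hi = allowed_range
    return lo <= port <= hi


if __name__ == "__main__":
    # Constructed sample exchange: control connection went to a public address
    # (example.com's documented address is used as a stand-in), the server
    # announced its internal 10.0.0.5 address in the 227 reply.
    control_peer = "93.184.216.34"
    pasv_reply = "227 Entering Passive Mode (10,0,0,5,195,80)."
    epsv_reply = "229 Entering Extended Passive Mode (|||50001|)"

    ip, port = data_endpoint(pasv_reply, control_peer)
    print("PASV as advertised:", ip, port, "NAT mismatch:", nat_mismatch(ip, control_peer))
    print("PASV with --ftp-skip-pasv-ip:", data_endpoint(pasv_reply, control_peer, True))
    print("EPSV:", data_endpoint(epsv_reply, control_peer))
    print("allowed by >1023 rule:", port_allowed(port))
    print("allowed by 50000-50100 rule:", port_allowed(port, (50000, 50100)))
```

Running it shows the same announced port (50000) landing on two different addresses depending on whether the reply's address or the control peer is trusted; with FTP over SSL a firewall never sees that tuple at all, which is why the range it must allow outbound from the client has to be configured statically, and why a server that pins its pasv ports to a known range makes that rule narrower than "everything above 1023".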

Received on 2009-04-07