curl-users

Re: FTP/SSL issue; Help!

From: Max <maxshop01_at_gmail.com>
Date: Mon, 6 Apr 2009 22:44:10 -0400

I have one other question... is it necessary to open ALL "high" ports
(1023 and above) or can I specify a range? Thanks

On Mon, Apr 6, 2009 at 1:51 PM, Max <maxshop01_at_gmail.com> wrote:
> Thanks Marcus. I got confirmation from the Admin that there is a
> firewall indeed.
>
> We are not having any issues for regular passive FTP (i.e. non-SSL)
> connections to other FTP sites. I believe that this is because the
> command channel is not encrypted and the firewall can determine
> accordingly. Right?
>
> As for the FTP with SSL connection issue, is opening the "high" TCP
> ports >1023 the only solution?
>
> Thanks again.
>
> On Sun, Apr 5, 2009 at 8:32 AM, Markus Moeller <huaraz_at_moeller.plus.com> wrote:
>>
>>> "Max" <maxshop01_at_gmail.com> wrote in message
>>> news:a4e55e0c0904041508x7a5a63e4yfdd1ac6cd7433e6e_at_mail.gmail.com...
>>> So are these all issues firewall related? Is the firewall blocking
>>> curl from connecting? Sorry for the newbie question. I'll double-check
>>> with our Admin to make sure that there is no firewall.
>>
>>
>> There are two issues with "stateful" firewalls:
>>
>> Firstly if address translation is done, the firewall usually analyses the ftp
>> command connection and looks for keywords like (E)PASV and (E)PORT and then
>> changes the IP-address with the translated IP-address. With an encrypted
>> command channel the firewall can not do that anymore. curl has the
>> --ftp-skip-pasv-ip option to deal with this issue for pasv connections.
>>
>> Secondly the firewall usually blocks all connections, but if ftp is allowed
>> the firewall looks for keywords like (E)PASV and (E)PORT in the command
>> connection and then opens dynamically the required. Again with an encrypted
>> command channel the firewall can not do that and you need to configure the
>> firewall so that all connections on all high ports >1023 are allowed from
>> your client for pasv ftp.
>>
>> Regards
>> Markus
>>
>> -------------------------------------------------------------------
>> List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
>> FAQ:        http://curl.haxx.se/docs/faq.html
>> Etiquette:  http://curl.haxx.se/mail/etiquette.html
>>
>
Received on 2009-04-07
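
The passive-mode replies discussed in this thread, as an added example that is not part of the original mails or of curl's code: it parses the 227 (PASV) and 229 (EPSV) control-channel replies a firewall helper has to read in plaintext, and shows the endpoint choice that --ftp-skip-pasv-ip changes. The function names, the sample replies and the addresses are constructed for illustration.

```python
import ipaddress
import re

# 227 reply carries h1,h2,h3,h4,p1,p2 (RFC 959); 229 carries only a port (RFC 2428).
PASV_RE = re.compile(r"227 .*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
EPSV_RE = re.compile(r"229 .*?\((.)\1\1(\d{1,5})\1\)")

# Constructed sample replies: a server behind NAT announcing its private address.
SAMPLE_PASV = "227 Entering Passive Mode (192,168,1,10,195,80)"
SAMPLE_EPSV = "229 Entering Extended Passive Mode (|||50001|)"
CONTROL_PEER = "203.0.113.5"  # constructed: address the control connection reached


def parse_passive_reply(line):
    """Return (ip_or_None, port) from a plaintext 227 or 229 reply.

    This is the information a stateful firewall extracts to rewrite the
    address or open the data port; once the command channel is encrypted
    the firewall only sees ciphertext and cannot run this step.
    """
    m = PASV_RE.match(line)
    if m:
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            raise ValueError("octet out of range: %r" % line)
        ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
        return str(ip), nums[4] * 256 + nums[5]
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError("port out of range: %r" % line)
        return None, port
    raise ValueError("not a passive-mode reply: %r" % line)


def data_endpoint(reply, control_peer_ip, skip_pasv_ip=False):
    """Address a client would dial for the data connection.

    skip_pasv_ip=True models --ftp-skip-pasv-ip: the address in the 227
    reply is ignored and the control connection's peer address is reused.
    EPSV replies carry no address, so the control peer is always used.
    """
    ip, port = parse_passive_reply(reply)
    if ip is None or skip_pasv_ip:
        ip = control_peer_ip
    return ip, port
```

With the constructed 227 reply the client would dial the untranslated private address unless the skip option is set; in both cases the data port is an arbitrary high port the firewall was never told about.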