List:       proftpd-users
Subject:    Re: [Proftpd-user] MasqueradeAddress
From:       "Dempsey, James" <james.dempsey () misys ! com>
Date:       2009-02-09 18:02:29
Message-ID: BB6E43FE0B451743A5F425DFFA9012DF02E8470B () mailnycor01 ! misys ! global ! ad

> On 09.02.09 11:08, Dempsey, James wrote:
> > On a related note...  Our Cisco gear will drop outbound PORT information
> > if I set MasqueradeAddress to our external IP address.
> 
> do you mean, it will drop it, so no PORT reply will come to the client?

Yes.  When I snoop the network traffic, I see the packet leaving the FTP
Server but it never makes it through the firewall unless the IP address
in the PORT command is the actual DMZ IP assigned to the FTP server.

> 
> > I can leave it unset and the Cisco gear will correct the PORT information
> > as it passes the firewall,
> 
> In such case there's no need to use MasqueradeAddress.

If I set MasqueradeAddress, TLS connections will work fine and
unencrypted control channel connections fail because Cisco drops the
PORT packet.

If I unset MasqueradeAddress, TLS connections will fail because the PORT
command will contain a non-Internet routable IP (192.168....), but
unencrypted control channel connections will be fine because Cisco fixes
the PORT info.



> 
> > but Cisco device can't do this for the TLS encrypted PORT
> > information.
> 
> That's what TLS is for. However there is a CCC command in the FTP protocol for
> this, it should disable encryption in this case.
> 

CCC certainly sounds like it will solve the problem, but I would like to
avoid having to educate users and inform them that control data is
unencrypted etc.


> > Is there a way to disable MasqueradeAddress for
> > unencrypted sessions, but enable it for encrypted ones?
> 
> does FTPS work if you enable MasqueradeAddress?

Yes, FTPS works if I enable MasqueradeAddress, but then clear control
channel connections fail due to Cisco dropping PORT packets.


> 
> > Alternately, does anyone have a useful reference for understanding how to
> > prevent Cisco devices from inspecting my FTP packets?  I have some basic
> > Cisco understanding, but I am not a guru by any stretch of the
> > imagination.
> 
> afaik the meaning of MasqueradeAddress is for 1:1 NAT, where the port is not
> changed. If it is, you need CCC.

Yes, this is a direct IP to IP translation (no port address
translation).

I can solve the problem without CCC by running two virtual servers on
different ports, one with MasqueradeAddress / TLS and one without
MasqueradeAddress / unencrypted.  I'd like to avoid using two ports, but
perhaps I can't be that picky.

For the most part, I am fine with CCC, but I don't like that filenames
are transmitted in cleartext.

Thanks,
James
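
The two-virtual-server layout James describes, written out as a ProFTPD configuration. This is an added example, not configuration from the original thread or from the ProFTPD project; the DMZ address, public address, ports and certificate paths are placeholders.

```apache
# Added example (not from the original post). Assumed values:
#   192.168.0.10  = the server's real DMZ address (1:1 NAT, no port translation)
#   203.0.113.10  = the external address the Cisco device maps to it
#   /etc/proftpd/ssl/ftps.{crt,key} = placeholder certificate paths

# Server 1: TLS required on a non-standard port, with MasqueradeAddress.
# The address ProFTPD advertises for data connections (the "PORT information"
# in the thread) is the public one, which the firewall cannot rewrite because
# the control channel is encrypted.
<VirtualHost 192.168.0.10>
  ServerName "FTPS - TLS required, public address advertised"
  Port 2121
  MasqueradeAddress 203.0.113.10
  <IfModule mod_tls.c>
    TLSEngine on
    TLSRequired on
    TLSRSACertificateFile /etc/proftpd/ssl/ftps.crt
    TLSRSACertificateKeyFile /etc/proftpd/ssl/ftps.key
  </IfModule>
</VirtualHost>

# Server 2: cleartext control channel on port 21, no MasqueradeAddress.
# The advertised address is the real DMZ address; the Cisco inspection
# rewrites it in transit, so the firewall no longer drops it.
<VirtualHost 192.168.0.10>
  ServerName "FTP - cleartext control channel, firewall rewrites address"
  Port 21
  <IfModule mod_tls.c>
    TLSEngine off
  </IfModule>
</VirtualHost>
```

Clients that need TLS use port 2121; clients that use a clear control channel stay on port 21, so neither depends on CCC.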