
Using FTP over SSL/TLS

Good Day

I have an MFE v7.0.1.02 that has an FTP packet filter rule using packet filter services on port 21, 990, and an ephemeral port range of 54000-60000.

The rule is

src - External customer
dst - Alias IP
Redirect - internal IP

The customer establishes a connection via FTP and can run commands but when they try to PUT a file the session is terminated, see log below

08/08/2013 11:07:58 OPEN 192.x.x.x
08/08/2013 11:07:58 220-FTPD1 IBM FTP CS V1R12 at workstation.domain.ca, 11:07:09 on 2013-08-08.
08/08/2013 11:07:58 220 Connection will close if idle for more than 15 minutes.
08/08/2013 11:07:58 AUTH TLS
08/08/2013 11:07:58 234 Security environment established - ready for negotiation
08/08/2013 11:07:59 PBSZ 0
08/08/2013 11:07:59 200 Protection buffer size accepted
08/08/2013 11:07:59 PROT P
08/08/2013 11:07:59 200 Data connection protection set to private
08/08/2013 11:07:59 USER user01
08/08/2013 11:07:59 331 Send password please.
08/08/2013 11:08:05 PASS *******
08/08/2013 11:08:05 230 USER01 is logged on.  Working directory is "USER01.".
08/08/2013 11:08:05 SYST
08/08/2013 11:08:05 215 MVS is the operating system of this server. FTP Server is running on z/OS.
08/08/2013 11:08:05 PWD
08/08/2013 11:08:05 257 "'USER01.'" is working directory.
08/08/2013 11:08:05 Assuming MVS FTP server
08/08/2013 11:08:05 TYPE A
08/08/2013 11:08:05 200 Representation type is Ascii NonPrint
08/08/2013 11:08:05 PASV
08/08/2013 11:08:05 227 Entering Passive Mode (192,x.x.x,223,198)
08/08/2013 11:08:19 quote site recfm=fb lrecl=150 blksize=27900 secondary=50 tracks
08/08/2013 11:08:19 LIST
08/08/2013 11:08:19 550 No data sets found.
08/08/2013 11:08:19 site recfm=fb lrecl=150 blksize=27900 secondary=50 tracks
08/08/2013 11:08:19 200 SITE command was accepted
08/08/2013 11:08:24 ascii
08/08/2013 11:08:35 lcd C:\
08/08/2013 11:08:37 LCD C:\Users
08/08/2013 11:08:39 LCD C:\Users\Administrator
08/08/2013 11:08:40 LCD C:\Users\Administrator\Desktop
08/08/2013 11:08:54 PUT test1.txt 'My.file.(+1)'
08/08/2013 11:08:54 PASV
08/08/2013 11:08:54 227 Entering Passive Mode (192,x.x.x,223,199)
08/08/2013 11:09:15 Winsock error: 10060. A connection can not be established.

Has anyone seen this kind of error before?

Thanks

Dana

4 Replies
mtuma
Level 13

Re: Using FTP over SSL/TLS

Hello,

This can be a bit tricky as there are multiple types of secure ftp, this article may help:

Firewall Enterprise: Can I allow SFTP or FTPS through the FTP proxy? (KB63310)

What it sounds like is that the data connection is being blocked by the firewall, but it is hard to tell. What does the firewall audit say?

-Matt

Re: Using FTP over SSL/TLS

I'll look at it and see what is there, and thanks for the KB.

sliedl
Level 14

Re: Using FTP over SSL/TLS

You should immediately upgrade your firewall to 70103H07.  There are hundreds of fixes in 70103 up to H07.

You cannot use the FTP proxy or FTP packet-filter service to pass FTPS.  FTPS is not simply SSL-encrypted FTP; it's a separate protocol and the FTP services will block it.  You can use a generic packet filter or generic proxy to pass these ports and that will work just fine.
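As an added illustration of the point above (this is not code from the thread's authors or from the firewall vendor), the following Python script parses a client-side FTP control log like the one in the original post and shows why an FTP-aware filter cannot carry explicit FTPS. It records whether AUTH TLS and PROT P were accepted, recovers the passive data ports from the 227 replies, checks them against the 54000-60000 range from the post, and compares the address advertised in 227 with the control-connection peer. The log excerpt is constructed: the masked "192,x.x.x" addresses are replaced with the documentation address 192.0.2.10, and the port pairs 223,198 and 223,199 are taken from the post.

```python
"""Assess an explicit-FTPS session from a client-side control-channel log."""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the log in the original post; the masked
# host octets are replaced with the documentation address 192.0.2.10.
SAMPLE_LOG = """\
08/08/2013 11:07:58 OPEN 192.0.2.10
08/08/2013 11:07:58 AUTH TLS
08/08/2013 11:07:58 234 Security environment established - ready for negotiation
08/08/2013 11:07:59 PBSZ 0
08/08/2013 11:07:59 200 Protection buffer size accepted
08/08/2013 11:07:59 PROT P
08/08/2013 11:07:59 200 Data connection protection set to private
08/08/2013 11:08:05 PASV
08/08/2013 11:08:05 227 Entering Passive Mode (192,0,2,10,223,198)
08/08/2013 11:08:54 PUT test1.txt 'My.file.(+1)'
08/08/2013 11:08:54 PASV
08/08/2013 11:08:54 227 Entering Passive Mode (192,0,2,10,223,199)
08/08/2013 11:09:15 Winsock error: 10060. A connection can not be established.
"""

TIMESTAMP_RE = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} ")
PASV_RE = re.compile(r"\b227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass
class FtpsAssessment:
    tls_negotiated: bool = False   # AUTH TLS answered with 234
    data_protected: bool = False   # PROT P answered with 200
    control_peer: str = ""         # address from the client's OPEN line
    data_endpoints: list = field(default_factory=list)      # (ip, port) per 227
    ports_outside_range: list = field(default_factory=list)
    pasv_addr_mismatch: list = field(default_factory=list)  # 227 ip != control peer
    findings: list = field(default_factory=list)


def parse_pasv(reply: str):
    """Return (ip, port) from '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)'."""
    m = PASV_RE.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2   # RFC 959 port encoding


def assess(log_text: str, passive_range=(54000, 60000)) -> FtpsAssessment:
    """Walk the log, pairing each client command with the reply that follows it."""
    a = FtpsAssessment()
    lo, hi = passive_range
    pending = None  # last client command awaiting its server reply
    for raw in log_text.splitlines():
        body = TIMESTAMP_RE.sub("", raw.strip())
        if not body:
            continue
        if re.match(r"\d{3}[ -]", body):             # server reply: 3-digit code
            code = body[:3]
            if pending == "AUTH TLS" and code == "234":
                a.tls_negotiated = True
            elif pending == "PROT P" and code == "200":
                a.data_protected = True
            elif code == "227":
                ep = parse_pasv(body)
                if ep:
                    a.data_endpoints.append(ep)
                    if not lo <= ep[1] <= hi:
                        a.ports_outside_range.append(ep[1])
                    if a.control_peer and ep[0] != a.control_peer:
                        a.pasv_addr_mismatch.append(ep[0])
            pending = None
        else:                                        # client command or client note
            if body.upper().startswith("OPEN "):
                a.control_peer = body[5:].strip()
            pending = body.upper()

    if a.tls_negotiated:
        a.findings.append(
            "Control channel is encrypted after AUTH TLS: an FTP-aware filter or proxy "
            "cannot read the 227 reply, so it opens no data pinhole and the PUT data "
            "connection times out.")
    if a.data_protected:
        a.findings.append("PROT P: data connections are TLS as well; nothing on the "
                          "wire is inspectable as FTP.")
    if a.pasv_addr_mismatch:
        a.findings.append(
            f"227 advertised {sorted(set(a.pasv_addr_mismatch))} but the control peer is "
            f"{a.control_peer}; with TLS no ALG can rewrite it, so the server itself "
            "must advertise the externally reachable address.")
    if a.data_endpoints and not a.ports_outside_range:
        a.findings.append(
            f"All passive ports lie within {lo}-{hi}: a generic TCP packet filter for "
            f"21, 990 and {lo}-{hi} would carry the data connection.")
    elif a.ports_outside_range:
        a.findings.append(f"Passive ports outside {lo}-{hi}: {a.ports_outside_range}; "
                          "widen the filter range or the server's passive port range.")
    return a


if __name__ == "__main__":
    result = assess(SAMPLE_LOG)
    for ip, port in result.data_endpoints:
        print(f"data connection to {ip}:{port}")
    for f in result.findings:
        print("-", f)
```

Run against the excerpt, the two 227 replies decode to ports 57286 and 57287, both inside the configured 54000-60000 range, so the port range in the rule is not the problem; the findings point at the encrypted control channel instead, which matches the advice above to use a generic packet filter rather than the FTP service. The address comparison is the check to run once a redirect (NAT) is in the path: the FTP helper would normally rewrite the 227 address, and with TLS it cannot, so the FTPS server has to be configured to advertise the alias address on its own.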

Re: Using FTP over SSL/TLS

Well, they can't just immediately upgrade; they'd have to get a maintenance window, plus it is a 24-hour operation... I agree, but they are using a TCP packet filter, which is working; it is just failing when the user uses the PUT command, and it is using a redirect. I'm trying to duplicate the issue in my lab.