Bill East on 12 Aug 2015 17:45:18 -0700
Re: [PLUG] If not SFTP, how's about FTPS?
Checkpoint really does not like ftp over ssl, speaking from experience. There is a doc on making it work at https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk39793&t=1439425646731 but it's chancy. Sftp or simply scp is going to make you happier.
On Tue, Aug 11, 2015 at 10:06 AM, Matt Mossholder <matt@mossholder.com> wrote:
> On Tue, Aug 11, 2015 at 9:57 AM, Michael Leone <turgon@mike-leone.com>
> wrote:
>>
>> Anyone? My firewall guy tells me that there are no rules blocking me
>> from doing this (not from my trusted zone into my DMZ, anyway). So
>> it's not a firewall block. Any ideas what might be causing this?
>>
>
> My guess is the firewall is blocking the ftp-data connections. FTPS works
> the same way as FTP (two channels, command and data). You've established
> that your command channel works by establishing a connection, but your FTP
> server will be making connections back to clients on dynamically allocated
> data ports to return the results of the commands. Unless you have defined a
> range of ports in your firewall for use by FTPS, you probably won't be able
> to receive the data back from the server.
>
> Most intelligent firewalls (these days) watch non-SSL FTP traffic and
> dynamically open the required ports. That obviously doesn't work with SSL.
No blocking of ports from trusted zone to DMZ (or back, from an
established connection). According to my guy, anyway. It's a
Checkpoint firewall. Nothing shows in its logs, to show blocking of
traffic from DMZ to trusted zone.
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
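
The data-channel behaviour Matt Mossholder describes in the quoted reply, as an added example that is not part of the original thread: it parses the port negotiation on the FTP control channel and shows which data ports an inspecting firewall can still learn once `AUTH TLS` has been accepted. The session lines, addresses, ports and the static range are constructed, and the firewall helper is modelled simply as "can read everything up to the 234 reply".

```python
import re

# Constructed control-channel transcripts as the endpoints see them (not captured traffic).
PLAIN_SESSION = ["USER demo", "331 Password required", "PASV",
                 "227 Entering Passive Mode (10,0,5,20,234,96)"]
FTPS_SESSION = ["AUTH TLS", "234 Proceed with negotiation", "PORT 192,168,10,25,195,80",
                "200 PORT command successful", "EPSV",
                "229 Entering Extended Passive Mode (|||50021|)"]

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
_EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")

def data_port(line):
    """Return the data port negotiated by a PORT command, 227 or 229 reply, else None."""
    if line.startswith("229"):                      # EPSV reply carries the port directly
        m = _EPSV.search(line)
        port = int(m.group(1)) if m else None
    elif line.startswith(("PORT ", "227")):         # h1,h2,h3,h4,p1,p2 form
        m = _HOSTPORT.search(line)
        if not m or any(int(x) > 255 for x in m.groups()):
            return None
        port = int(m.group(5)) * 256 + int(m.group(6))   # p1*256 + p2
    else:
        return None
    return port if port and 0 < port < 65536 else None

def negotiated_ports(session):
    """Every data port the two endpoints agreed on."""
    return [p for p in map(data_port, session) if p is not None]

def helper_learned_ports(session):
    """Ports an inspecting firewall can read: only lines sent before TLS starts (234 reply)."""
    visible = []
    for line in session:
        visible.append(line)
        if line.startswith("234"):
            break          # everything after this reply is ciphertext to the firewall
    return negotiated_ports(visible)

def needs_static_rule(session, allowed):
    """Data ports neither learned by the helper nor covered by the static range `allowed`."""
    learned = set(helper_learned_ports(session))
    return [p for p in negotiated_ports(session) if p not in learned and p not in allowed]
```

Any port returned by `needs_static_rule` is one the firewall would have to permit through a fixed data-port range configured on both the FTPS server and the firewall.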