ftp-ssl conflict

I am attempting to set up a file transfer with a bank using Robo-FTP with ftp-ssl. I am unable to connect to the bank. The bank says our firewall has to be set up not to inspect FTP packets (from them?) and tcp/ip data port ranges 6540 - 6590 need to be open. Our network security folks are reluctant to create such a firewall rule or make any firewall changes for that matter.

I'm an applications programmer, not a security expert. How difficult is it to create such a rule and would it create a vulnerability that we should resist?

Your help on this would be greatly appreciated.

wndavis

Why not use SSH instead of FTPS? It's *much* less of a hassle, particularly when it comes to traversing firewalls.

cu

59cobalt
Ansgar -59cobalt- Wiechers

Are you running the ftp Server or the bank?

A firewall must not be able to inspect the packets, if it can read the traffic, it will be a successful man-in-the-middle attacker. ;)

Please read:

formatting link
which describes the problem quite well. At least the bank seems to use a fixed port range and uses passive mode for the ftp-data connection.

If the bank runs the ftp server you need to allow tcp connections to port 990 (ftps command) and to the port range they told you (passive mode, ftp-data). So you need rules looking somewhat like this:

from   to    proto  port       action
---------------------------------------------
you    bank  tcp    990        allow (stateful)
you    bank  tcp    6540-6590  allow (stateful)
you    bank  all    all        reject

Complete stateful handling of the data connection will never work, because you have an encrypted connection, so the firewall can't identify the destination port of the data connection.

Well, as long as the bank allows only passive mode I don't see a very big problem.

Well, it is tcp, therefore the direction of the connection is easy to determine. But as with standard ftp you have two connections (ftp-command and ftp-data).

Wolfgang

Wolfgang Kueter
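Since the firewall cannot look inside the encrypted control channel, the client itself is the only place that can confirm the passive data endpoint the server announces really is the bank's host and really falls inside the agreed 6540-6590 range. The following is an added example (not code from the thread, from Robo-FTP or from the bank); the bank address is a constructed placeholder, and the rule set mirrored in firewall_allows() is the one Wolfgang sketched above.

```python
import re

# Constructed values for this example: a placeholder address for the bank's
# FTPS server and the passive data port range the bank published (6540-6590).
BANK_HOST = "203.0.113.10"      # placeholder, not a real bank address
CONTROL_PORT = 990              # implicit FTPS control channel
PASV_PORTS = range(6540, 6591)  # 6540-6590 inclusive

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (host, port) from a 227 PASV reply; raise ValueError if malformed."""
    m = _PASV_RE.match(reply)
    if not m:
        raise ValueError("not a well-formed 227 PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def firewall_allows(dst_host, dst_port):
    """Mirror the stateful egress rules from the thread:
    you -> bank tcp 990 allow; you -> bank tcp 6540-6590 allow; you -> bank all reject."""
    if dst_host != BANK_HOST:
        return False
    return dst_port == CONTROL_PORT or dst_port in PASV_PORTS


def vet_pasv(reply):
    """Decide whether the data connection announced in a PASV reply should be opened.
    Returns (host, port, ok, reason)."""
    host, port = parse_pasv(reply)
    if host != BANK_HOST:
        return host, port, False, "PASV host differs from the control-channel host"
    if port not in PASV_PORTS:
        return host, port, False, "PASV port outside the agreed 6540-6590 range"
    if not firewall_allows(host, port):
        return host, port, False, "egress rule set would reject this data connection"
    return host, port, True, "ok"
```

In a real client this check belongs where the PASV reply is handled (in Python's ftplib that is the FTP.makepasv() method), so the data connection is only opened to an endpoint the firewall rule was written for.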

The bank has the secure server. Robo-FTP is a client that allows just about any configuration to be used. Passive mode is used here. Thanks for the wikipedia link. When it came to the certificate I got from Verisign, I had to use OpenSSL to create files with different extensions to import/export.

BillD

We are using SSH with another bank. Thanks for the tip maybe we can use SSH where there's a choice.

BillD
