netfilter ip_conntrack_ftp and tls

Here I am attempting to connect to a server using lftp wondering why the firewall is blocking the incoming data connections, even though ip_conntrack_ftp has been working for years.

lftp supports tls, and so does the server I’m connecting to. This means the control connection is encrypted, so the netfilter ftp connection tracker can’t peek inside the packets to find out which ports to open up to allow the data connections. DUH. Ftp sucks.

Anyway, the only way I found to disable tls support in lftp is to add the following line to ~/.lftp/rc:

set ftp:ssl-allow false

Comments

anonymous says:

Thank you very much.
I had the same problem and now I can connect to my ftp server using lftp.

tbond says:

John,

You might try an updated version of lftp which supports the CCC command. This allows you to switch back to clear text FTP on the control channel after authenticating.

Leave a Reply to anonymous Cancel reply