February 11th, 2005

Secure FTP backwards through a firewall

Hoping the lazyweb can come up with a reasonably elegant solution to a securing-FTP problem I've run into.

I have a setup like so:

   [ftp-server]---[broker]---|firewall|====[ftp-client]
   ^^^^^^^^^^^^^^^^^^^^^^^^^^          ^^^^^^^^^^^^^^^^
            intranet                        internet

I need to establish an FTP session from ftp-client to ftp-server. ---- is intranet, ==== is internet. broker is a machine under my control. firewall will allow any outgoing connection and will not allow any incoming connection. The FTP control and data channels must not travel over the Internet in plaintext, but plaintext from broker to ftp-server is acceptable.

Using FTP is part of the specification. ftp-server will only accept an FTP connection.

What can I do to make this work? In any circumstance other than FTP, I'd ssh from broker to ftp-client and set up a reverse (-R) tunnel from ftp-client back to ftp-server, but that won't work with FTP because of the data channel.

The less-than-elegant solutions I've come up with are:

  1. SSH out from broker to ftp-client, forwarding a port on ftp-client back to port 22 on broker. On ftp-client, ssh back through that tunnel to broker with 'ssh -D', which sets up a SOCKS proxy tunnel in the right direction (beginning at ftp-client and connecting out from broker). Then use tsocks to SOCKS-ify the ftp client, and connect in passive mode "directly" to ftp-server from ftp-client, letting tsocks handle setting up the data channel's tunnels as necessary.
  2. Build a ppp-over-ssh VPN between broker and ftp-client, initiated from broker.

Anything obvious I'm missing?
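Option 1 written out step by step, as an added example rather than anything from the original post. The user name, the ftp-client hostname, the ftp-server intranet address and the port numbers are assumptions; ftp-server is given as an IP because tsocks resolves names on ftp-client, which cannot see intranet DNS.

```shell
#!/bin/sh
# Assumed names (not from the post): override via environment if needed.
BROKER_USER="${BROKER_USER:-tunnel}"
FTP_CLIENT="${FTP_CLIENT:-ftp-client.example.net}"
FTP_SERVER_IP="${FTP_SERVER_IP:-10.0.0.5}"   # intranet address of ftp-server
REV_PORT=2222      # port on ftp-client that leads back to broker's sshd
SOCKS_PORT=1080    # SOCKS proxy on ftp-client whose outbound end is broker

# Step 1 (run on broker): the only direction the firewall permits.
# Binds ftp-client:2222 -> broker:22 so ftp-client can reach broker's sshd.
reverse_tunnel_cmd() {
  printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R %s:localhost:22 %s@%s\n' \
    "$REV_PORT" "$BROKER_USER" "$FTP_CLIENT"
}

# Step 2 (run on ftp-client): ride that tunnel back to broker and open a
# SOCKS proxy; every connection made through it leaves from broker, inside
# the intranet, and travels the Internet only inside the two SSH sessions.
socks_cmd() {
  printf 'ssh -N -D %s -p %s %s@localhost\n' "$SOCKS_PORT" "$REV_PORT" "$BROKER_USER"
}

# Step 3: tsocks config. Only loopback is marked "local"; the intranet range
# must NOT be listed, or tsocks would try to reach ftp-server directly and
# the data connections would fail instead of going through the proxy.
write_tsocks_conf() {
  cat > "$1" <<EOF
server = 127.0.0.1
server_type = 5
server_port = $SOCKS_PORT
local = 127.0.0.0/255.0.0.0
EOF
}

# Step 4: passive mode, so each data connection is also client -> server and
# therefore just another outbound SOCKS connect from broker. Active mode would
# need ftp-server to dial back to ftp-client, which the firewall drops.
ftp_cmd() {
  printf 'TSOCKS_CONF_FILE=%s tsocks ftp -p %s\n' "$1" "$FTP_SERVER_IP"
}
```

Run reverse_tunnel_cmd's output on broker first, then socks_cmd's and ftp_cmd's on ftp-client; the FTP control channel and every PASV data channel then exit the SOCKS proxy on broker and cross the intranet in plaintext, as the post allows.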