Subject: Re: ah!! can't ftp!
To: None <netbsd-help@netbsd.org>
From: James K. Lowden <jklowden@schemamania.org>
List: netbsd-help
Date: 08/01/2001 20:57:44
On Tue, Jul 31, 2001 at 03:22:19AM -0700, adam johnson wrote:
> I'm running a NAT machine[C] for a few computers in my home.  It's worked 
> great except I've been unable to figure out how to allow ftp transfers from 
> my computer[A] to a friend's computer[B] which is behind a router[D].
>                              some other
>     MY computer  MY NATbox     stuff    Friend router  Friends machine
>         |            |          ___          |                |
>        [A]    -->   [C]  -->   | E |  -->   [D]      -->     [B]
>         |            |         |___|         |                |

Hi Adam, 

I'm a little unclear about the meaning of "worked great".  Do you mean
that A and B can ping one another, telnet in and such, but cannot
ftp?  

If that's the case, I'm pretty sure it's doable, depending on box D. 
If you can't ftp from C to B (either direction), then D starts to
look like the bad boy.   Otherwise, I assume D is really just an ip
router and as such doesn't care about ftp. 

You may know more about this than I do.  I'm going to start at the
beginning (more or less) in the interest of clarity.  If you already
know all this stuff, maybe it'll help somebody else. :)

As the ipf doc says "FTP is one of those protocols that you just have
to sit back  and  ask  'What the heck were they thinking?'"  The
goofiness in ftp is that there are two channels -- a command channel
and a data channel -- on two different connections.  Depending on
the command issued by the client, when transferring a file the server
may either:

1.	open a data channel port on the client (active)
2.	wait for the client to open a data channel port on the server (passive).  

Box C (and A and B, of course, permission-wise) has to be prepared
for at least one of those.  To further complicate matters, the
active/passive terminology is none too helpful. 

Let's say A ftp's to B, and initiates an active transfer to download
a file from B. We'll skip the command channel setup.  

The ftp server B tries to open a port on A (whom he knows as C).  Box
C now has to handle an "active ftp client", an incoming connection
from B, and has to associate it with the ip address of A.  C will
employ the ipnat built-in ftp proxy to do that.  

When you get that working, you're 25% done:

Client Server type    status
   A      B   active  OK
   A      B   passive
   B      A   active
   B      A   passive
   
The good news is I've done two of these, where effectively A (home)
was the server and B (work) the client, and D was an ftp TIS proxy. 
So, it's possible.  

HTH.  Fine diagram, BTW.  Ascii Art Hall of Fame, to be sure.  

Regards, 

--jkl
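The two data-channel modes and the address rewrite an FTP-aware NAT proxy (such as the ipnat one mentioned in the reply) has to perform, as an added illustration that is not part of this thread and not ipf/ipnat code. It parses the client's PORT command and the server's 227 reply, tells you which side opens the data connection, and models what box C must do when the listener is the inside host A: substitute its own public address, choose a public port, and remember the mapping so the incoming data connection can be forwarded to A. All addresses, the 192.168.0.0/16 inside network and the port range starting at 40000 are constructed; the class name FtpNatProxy and its methods are this example's own, not an ipnat interface.

```python
"""Model of the FTP data-channel problem discussed in the thread.

Active mode: the client sends PORT h1,h2,h3,h4,p1,p2 and the server
connects to that address.  Passive mode: the server answers PASV with
227 (...) and the client connects.  Whenever the listener is behind
NAT, the NAT box must substitute its own address and a port it will
forward.  Illustration only, not ipf/ipnat source; addresses are
constructed (RFC 1918 inside, documentation ranges outside).
"""
import re
from ipaddress import ip_address, ip_network

_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + _SIX + r"$")
PASV_RE = re.compile(r"^227 .*\(" + _SIX + r"\)")


def decode_hostport(fields):
    """Turn the six comma-separated fields into ("a.b.c.d", port)."""
    nums = [int(f) for f in fields]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range: %r" % (fields,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_hostport(host, port):
    """Inverse of decode_hostport: ("a.b.c.d", port) -> "a,b,c,d,p1,p2"."""
    if not 0 < port < 65536:
        raise ValueError("bad port %d" % port)
    return ",".join(host.split(".") + [str(port >> 8), str(port & 0xFF)])


def data_channel(line):
    """Classify one command-channel line.

    Returns (mode, (listener_host, listener_port), who_connects), or
    None if the line does not set up a data channel.
    """
    line = line.rstrip("\r\n")
    m = PORT_RE.match(line)
    if m:
        return "active", decode_hostport(m.groups()), "server"
    m = PASV_RE.match(line)
    if m:
        return "passive", decode_hostport(m.groups()), "client"
    return None


class FtpNatProxy:
    """What box C has to do for an inside host that advertises a listener.

    It rewrites the advertised address to its public one, picks a public
    port, and records the mapping so the incoming data connection can be
    forwarded to the inside host.  The port range is a constructed choice.
    """

    def __init__(self, public_ip, inside_net, first_port=40000):
        self.public_ip = public_ip
        self.inside_net = ip_network(inside_net)
        self.next_port = first_port
        self.mappings = {}  # public port -> (inside host, inside port)

    def rewrite(self, line):
        info = data_channel(line)
        if info is None:
            return line  # not PORT / 227: pass through untouched
        mode, (host, port), _ = info
        if ip_address(host) not in self.inside_net:
            return line  # listener is outside; nothing for C to do
        pub_port = self.next_port
        self.next_port += 1
        self.mappings[pub_port] = (host, port)
        fields = encode_hostport(self.public_ip, pub_port)
        if mode == "active":
            return "PORT " + fields  # inside client A is the listener
        return "227 Entering Passive Mode (" + fields + ")"  # inside server A


if __name__ == "__main__":
    c = FtpNatProxy("198.51.100.1", "192.168.0.0/16")
    # A (inside client) tells B it is listening on 192.168.1.10:1025
    print(c.rewrite("PORT 192,168,1,10,4,1"))
    # A as the inside server answers B's PASV with a private address
    print(c.rewrite("227 Entering Passive Mode (192,168,1,10,195,80)"))
    print(c.mappings)
```

Of the four rows in the table above, the two that need this rewrite are the ones where the inside host listens: A as active client (its PORT command) and A as passive server (its 227 reply). In the other two rows the connection leaves C outbound and ordinary NAT handles it, which is why the proxy leaves lines with an outside address untouched.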