Subject: Re: ipnat ftp proxy fix yet? (ever?)
To: Manuel Bouyer <bouyer@antioche.eu.org>
From: roberto <roberto@redix.it>
List: tech-net
Date: 10/29/2004 10:03:06
> On Thu, Oct 28, 2004 at 04:35:03PM +0200, roberto wrote:
>> Manuel Bouyer:
>> > I'm not sure passive ftp would work through NAT without the proxy.
>> > At least the source address, and possibly the source port, need to be
>> > translated in the PORT command.
>> >
>>
>> (actually I did not follow the entire discussion...)
>> but in my view passive FTP should work with only ipnat:
>>
>> client -----> NAT box ------> FTP server
>>
>> All the connections originate from the client (using passive mode), and
>> this is sufficient to establish the FTP-CTRL and FTP-DATA connections: in
>> passive mode it is the server that publicizes its IP and port number, not
>> the client behind the NAT.
>>
>> Tell me if I forgot something.
>
> The client's IP appears in the PORT command, so that the server can
> bind the data socket to accept this IP only.
>
As I'm curious about this topic, I've read the following:
- S. Bellovin, Firewall-Friendly FTP, RFC 1579;
- M. Allman, FTP Extensions for IPv6 and NATs, RFC 2428.
They suggest using passive FTP (PASV or EPSV) with firewalls, since a client
firewall allows outgoing connections, and in the case of NAT it does not have
to change any address (in the FTP data exchange) as it would with the PORT
command.
If you have any docs about the feature you mentioned (... server can
bind the data socket to accept this IP only ...), please let me know.
Roberto
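The point the thread turns on, as an added example that is not part of the original messages nor code from the ipfilter/ipnat project: a NAT box only has to rewrite the control channel when the line carries an inside address. PORT and EPRT from a client behind the NAT embed the client's private address, which the server would try to connect to (or bind its accept filter to); a 227 reply to PASV embeds the server's own public address and a 229 reply to EPSV embeds only a port, so neither needs translation. The inside network 10.0.0.0/8, the public address 198.51.100.1, the server address 203.0.113.7 and the port mapping are constructed for the example.

```python
"""Which FTP control-channel lines a NAT must rewrite (added example; the
addresses, inside network and port mapping below are constructed)."""
import ipaddress
import re

# RFC 959: "PORT h1,h2,h3,h4,p1,p2" and "227 Entering Passive Mode (h1,...,p2)"
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# RFC 2428: "EPRT |1|a.b.c.d|port|" and "229 Entering Extended Passive Mode (|||port|)"
_EPRT = re.compile(r"\|1\|(\d{1,3}(?:\.\d{1,3}){3})\|(\d{1,5})\|")
_EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")


def data_endpoint(line):
    """Return the (ip, port) a control-channel line advertises for the data
    connection; ip is None when the line carries only a port (EPSV reply);
    the result is None when the line advertises no data endpoint at all."""
    verb = line.split(" ", 1)[0].upper()
    if verb in ("PORT", "227"):
        m = _HOSTPORT.search(line)
        if not m:
            raise ValueError("malformed host-port: %r" % line)
        octets = [int(x) for x in m.groups()]
        if any(o > 255 for o in octets):
            raise ValueError("octet out of range: %r" % line)
        return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]
    if verb == "EPRT":
        m = _EPRT.search(line)
        if not m:
            raise ValueError("malformed EPRT (only AF 1 handled here): %r" % line)
        return m.group(1), int(m.group(2))
    if verb == "229":
        m = _EPSV.search(line)
        if not m:
            raise ValueError("malformed EPSV reply: %r" % line)
        return None, int(m.group(1))
    return None


class FtpNat:
    """The decision an FTP application-level gateway makes per line: does
    the embedded endpoint sit inside the NAT, and if so, how to rewrite it."""

    def __init__(self, inside_net, public_ip, port_map):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.public_ip = public_ip
        self.port_map = port_map  # (inside_ip, inside_port) -> public port

    def needs_rewrite(self, line):
        ep = data_endpoint(line)
        if ep is None or ep[0] is None:
            return False  # no address on the line: nothing to translate
        return ipaddress.ip_address(ep[0]) in self.inside_net

    def rewrite(self, line):
        """Return the line as the peer outside the NAT should see it."""
        if not self.needs_rewrite(line):
            return line
        ip, port = data_endpoint(line)
        pub_port = self.port_map[(ip, port)]
        verb = line.split(" ", 1)[0].upper()
        if verb == "EPRT":
            return "EPRT |1|%s|%d|" % (self.public_ip, pub_port)
        hp = ",".join(self.public_ip.split(".")) + ",%d,%d" % (pub_port // 256, pub_port % 256)
        if verb == "PORT":
            return "PORT " + hp
        # A 227 with an inside address only happens when the *server* is the
        # one behind the NAT; the same rewrite applies then.
        return "227 Entering Passive Mode (%s)" % hp


if __name__ == "__main__":
    nat = FtpNat("10.0.0.0/8", "198.51.100.1", {("10.0.0.5", 60001): 40001})
    for line in ("PORT 10,0,0,5,234,97",                              # active: rewritten
                 "EPRT |1|10.0.0.5|60001|",                           # active: rewritten
                 "227 Entering Passive Mode (203,0,113,7,195,80)",    # passive: untouched
                 "229 Entering Extended Passive Mode (|||50000|)"):   # passive: no address
        print("%-50s -> %s" % (line, nat.rewrite(line)))
```

The 227 and 229 lines pass through unchanged because the only address they could carry is the outside server's; the PORT and EPRT lines are rewritten because the inside client's 10.0.0.5 is meaningless to the server, which is exactly why ipnat needs the ftp proxy for active mode but not for passive mode.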