Date:      Wed, 7 Nov 2001 11:53:04 +0100 (MET)
From:      Adriaan de Groot <adridg@cs.kun.nl>
To:        <rene@xs4all.nl>
Cc:        <questions@freebsd.org>
Subject:   Re: FTP through ipnat + ipf?
Message-ID:  <Pine.GSO.4.33.0111071144150.9474-100000@odin.cs.kun.nl>
In-Reply-To: <20011107113915.A17081@xs4all.nl>

On Wed, 7 Nov 2001 rene@xs4all.nl wrote:
> Now I'd like the windows box to be able to use FTP to the outside
> world as well as HTTP. All my FTP-sessions from windows fail with:
>
> C:\>ftp ftp.home.vim.org
<snip>
> ftp> ls
> 200 PORT command successful.
>
> --and after this I get no more data whatsoever. I know this is a sort-of
> gotcha, but forgot how to fix it...


It *is* a gotcha. You've opened a *command* connection with ftp to the
ftp server, but all the data comes in through a different connection,
called the data connection, which the ftp server makes to your machine.
Your firewall is NATting the command connection, but sees the incoming
data connection from the ftp server as a new connection, unrelated to the
ftp session.

There are two basic approaches possible:

1) Use the "passive" ftp mode, which mixes data into the command channel.
This can make it harder to abort downloads though, and may have other
drawbacks as well.

2) Use an ftp proxy on the firewall, which handles both command and data
connections.

3) Use stateful packet filtering, which knows about the ftp data
connection.

Approach 1 is simple to use, but you do have to remember to switch the ftp
session to passive. 2 and 3 are slightly harder to set up, and I can't find
a reference right now. I was going to suggest reading the ipchains HOWTO
for Linux, but http://www.rustcorp.com/linux/ipchains/HOWTO.html seems to
have been taken over by teenage sluts ...

[ade]

-- 
+------------------------------+--------------------------------------------+
+ Adriaan de Groot             + Project: FRESCoS                           +
+ adridg@cs.kun.nl             + Private: adridg@sci.kun.nl                 +
+ Kamer A6020 tel. 024 3652272 + http://www.cs.kun.nl/~adridg/frescos/      +
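Added illustration of the mechanism described in the reply above (example code, not part of the original message or of ipf/ipnat): it decodes the PORT command a client behind NAT sends and the 227 reply a passive-mode server returns, showing which side opens the data connection, and performs the address rewrite an FTP proxy on the firewall applies to PORT. All addresses and ports are constructed.

```python
import ipaddress
import re

# Constructed addresses (assumptions for this example): the Windows client is on a
# private LAN and the FreeBSD box doing ipnat owns the public address.
CLIENT_LAN_IP = "192.168.1.10"
NAT_PUBLIC_IP = "203.0.113.5"

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields):
    """Turn the six comma-separated FTP fields (h1..h4,p1,p2) into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(f) for f in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport: 'a.b.c.d', port -> 'a,b,c,d,p1,p2'."""
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"


def data_connection_for(line):
    """Describe the data connection a PORT command or a 227 reply sets up."""
    m = PORT_RE.match(line)
    if m:
        # Active mode: the *server* connects back to the address the client named.
        # A private LAN address is meaningless to the server, and even a NAT'd
        # SYN arriving at the firewall looks like an unrelated new connection.
        ip, port = decode_hostport(m.groups())
        return {"initiator": "server", "ip": ip, "port": port,
                "reachable_through_nat": not ipaddress.ip_address(ip).is_private}
    m = PASV_RE.search(line)
    if m:
        # Passive mode: the *client* connects out, so NAT treats the data
        # connection like any other outbound session.
        ip, port = decode_hostport(m.groups())
        return {"initiator": "client", "ip": ip, "port": port,
                "reachable_through_nat": True}
    return None


def rewrite_port(line, public_ip, public_port):
    """What an FTP proxy on the firewall does with the client's PORT command:
    substitute the public address and a port it will map back to the client."""
    if not PORT_RE.match(line):
        return line
    return "PORT " + encode_hostport(public_ip, public_port) + "\r\n"


if __name__ == "__main__":
    cmd = "PORT " + encode_hostport(CLIENT_LAN_IP, 1025) + "\r\n"
    print(data_connection_for(cmd))
    print(rewrite_port(cmd, NAT_PUBLIC_IP, 40001).strip())
```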

