[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Strange masq/port-forwarding problem

> I am redirecting TCP ports "ftp" and "ftp-data" of my firewall host to an 

If you're just naïvely redirecting them, you have missed an important
aspect of the ftp protocol - namely that unless you're using passive
(PASV) mode, data connections are made by the client telling the
server what address to connect to, in the ftp command stream (PORT).
In order to redirect ftp, you must rewrite the command stream as well,
or force the client to use PASV mode (which most web browsers do, by

This is why the ip_masq support includes a specific ip_masq_ftp
module; you can't do it "blind".

As for connections hanging with large data -- if you're filtering
ICMP, you may be filtering out ICMP_FRAG_NEEDED, which is important if
you have weird MTU's and anyone is doing Path MTU discovery (and just
about everyone is these days.)  If that isn't it, well, learn to use
tcpdump and see what *is* happenning with one of those connections...
if you have RFC 793 up in one window and the tcpdump output in the
other, you can probably figure it out.

			_Mark_ <eichin@thok.org>
			The Herd of Kittens
			Debian Package Maintainer

Reply to: