[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Strange masq/port-forwarding problem

On Sun, 21 Feb 1999 13:35:05 -0500, Mark W. Eichin wrote:

>> I am redirecting TCP ports "ftp" and "ftp-data" of my firewall host to an 
>If you're just na vely redirecting them, you have missed an important
>aspect of the ftp protocol - namely that unless you're using passive
>(PASV) mode, data connections are made by the client telling the
>server what address to connect to, in the ftp command stream (PORT).

You're right. I'm quite familiar with the FTP protocol specs (because I 
implemented a nearly-FTP-compliant server in Java a while ago,) I forgot about 
the fact that the direction is "reversed" in "active" mode (compared to PASV, 
as you mentioned.)

>In order to redirect ftp, you must rewrite the command stream as well,
>or force the client to use PASV mode (which most web browsers do, by

Do you happen to know whether anyone has already done that? I absolutely NEED 
that feature. The NAT I currently use under NT properly handles incoming FTP 
connections (Nevod's NAT1000.)

>As for connections hanging with large data -- if you're filtering
>ICMP, you may be filtering out ICMP_FRAG_NEEDED, which is important if

No. As I said I disabled ALL DENY rules and set the default policy to ACCEPT -- 
to no avail.

>you have weird MTU's and anyone is doing Path MTU discovery (and just
>about everyone is these days.)  If that isn't it, well, learn to use
>tcpdump and see what *is* happenning with one of those connections...

Sh*t. I've always wanted to learn about it, but it needs quite a lot of 
practice (and time!) to understand tcpdump output, and much time is what I 
don't have at the moment. :-(

Thanks for your comments.


Ralf G. R. Bergs * Welkenrather Str. 100/102 * 52074 Aachen * Germany
+49-241-876892, +49-241-877776 (fax) * rabe@rwth-aachen.de  * PGP ok!

Reply to: