ftp nat

If this isn't exactly what you wanted, please try our Search (there's a LOT of techy and non-techy stuff here about Linux, Unix, Mac OS X and just computers in general!):

From - Thu Jan  6 06:51:05 2000
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Message-ID: <38748198.9BE5A92A@aplawrence.com> 
Date: Thu, 06 Jan 2000 06:50:48 -0500
From: Tony Lawrence <tony@aplawrence.com>
Organization: A.P. Lawrence
X-Mailer: Mozilla 4.7 [en] (X11; I; SCO_SV 3.2 i386)
X-Accept-Language: en
MIME-Version: 1.0
Newsgroups: comp.unix.sco.misc
Subject: Re: NAT question.  Passive inbound FTP to masq'd server.
References: <MPG.12dae8b485258111989698@news.swbell.net> <3872848B.276A5106@aplawrence.com> <MPG.12dc692bd74eddd2989699@news.swbell.net> <38732A14.B5191486@aplawrence.com> <MPG.12dd97048f62873c98969b@news.swbell.net> 
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Matthew Schalit wrote:

> An ftp client on a masq'd private LAN, downloading from the net,
> is very different from an ftp server on a masq'd private LAN,
> being contacted by a remote client on the net in PASV mode.

Well, yeah, that's an entirely different thing.

If I understand you correctly, what you want is this:

 ------         ---------              ++++++++++++++
|       |      |          |            +            +
| Box A |  --> | NAT Srv  |   --->     + Internet   +
|       |  <-- |          |   <---     +            +
 -------        ----------             ++++++++++++++

And you want Box A to be an FTP server so that someone from
the Internet can access it.

So you'd have some IP address that would come tripping down
to the NAT server, and it would pass it to Box A, and keep
track of the ftp sessions so that everything went where it's
supposed to.  

That's a firewall, not NAT.  And the problem isn't really
that it's passive ftp or normal ftp- it's that Box A is
invisible.

A quick simple explanation of ftp/passive ftp  for those not
familiar with it:

Ftp is a little different than most protocols.  When you
connect to an ftp server, you connect on what's called the
"Control" port.  When you want to transfer a file, the ftp
server opens a data connection back to you.   There's two
connections: one that you originated, and one that the
server opened for data. And there's the problem for most
firewalls: they block that data connection because it comes
from outside.

Passive ftp works by the client (that's you) telling the
server to use Passive mode-the client opens it's own data
connection, and the server uses that.  The server is being
"passive"- it isn't actively opening connections.  For your
typical firewall, that's much easier- the connection
originates inside the firewall, therefore it's OK (though
the firewall does usually have to be told that this is OK
ahead of time).

>From the strict NAT side of things- where Box A is the
client trying to access an ftp site on the Internet, the
regular ftp session is the bitchier of the two- the passive
mode is easy, but for normal ftp the NAT has to know who
that data connection that suddenly comes knocking belongs
to.  But, if it has properly mangled eveything and kept
track of who's doing what, it can do the magic, and it does.

But for Box A to be the server, that's upside down.  Now
it's the client that comes knocking, and something has to
pass it to Box A.  That's so whether the client wants the
server to be passive or not.  Actually, for that, I'd think
it would be easier if it were NOT passsive, because with
passive we have two outside visitors to contend with, but
otherwise only half originates outside.  But I'm no firewall
expert.

Again, I haven't even begun to look at the rest of the
ipfilter package to see what, if anything, it could do like
this, but I don't think ipnat by itself is going to help
you.

Looking into ipfilter was something I really wanted to do
this month, but it's turning out to be so busy, I don't know
if I can get to it :-(


-- 
Tony Lawrence (tony@aplawrence.com)
SCO articles, help, book reviews, tests, 
job listings and more : http://www.ApLawrence.com

Jump to Comments

Many of the products and books I review are things I purchased for my own use. Some were given to me specifically for the purpose of reviewing them. I resell or can earn commissions from the sale of some of these items. Links within these pages may be affiliate links that pay me for referring you to them. That's mostly insignificant amounts of money; whenever it is not I have made my relationship plain. I also may own stock in companies mentioned here. If you have any question, please do feel free to contact me.

Specific links that take you to pages that allow you to purchase the item I reviewed are very likely to pay me a commission. Many of the books I review were given to me by the publishers specifically for the purpose of writing a review. These gifts and referral fees do not affect my opinions; I often give bad reviews anyway.

We use Google third-party advertising companies to serve ads when you visit our website. These companies may use information (not including your name, address, email address, or telephone number) about your visits to this and other websites in order to provide advertisements about goods and services of interest to you. If you would like more information about this practice and to know your choices about not having this information used by these companies, click here.