
no NAT, ftp-proxy, & passive FTP



Environment:

OpenBSD 3.3 doing firewalling, but no NAT. Redirecting port 21 to
ftp-proxy as normal with:
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

Active FTP works great as expected. Passive FTP, however, to certain FTP
servers (a la ftp.openbsd.org) does not:

ftp> dir
227 Entering Passive Mode (129,128,5,191,167,89)
425 Your data and control connections come from different places!

The reason should be clear: the control connection comes from the
firewall running ftp-proxy. Subsequent requests for PASV data will come
from the original client. This is not a problem in a NAT environment
because all traffic appears to be coming from the same place.

Am I missing anything? Is there anything I can do to resolve this, or is
ftp-proxy + passive + no NAT just not something that works? It's not a
huge deal, because active FTP will always work, however some browsers
are hardcoded to use passive.

I thought I could nat the passive requests, thinking they are always
sourced on ftp-data, but they are not.

Any suggestions?

--Chris

-- 
Chris Wage
chris@quietlife.net
http://chris.quietlife.net/
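The following is an added illustration of the mechanism described in the post above; it is not code from the original message, from ftp-proxy, or from the OpenBSD project. It parses the 227 PASV reply quoted in the post (the 129.128.5.191 address and port fields come from that reply) and models the sanity check a server applies before accepting a data connection: the data connection must come from the same host as the control connection. The client and firewall addresses (192.0.2.10 and 198.51.100.1) are constructed placeholders. Running it shows why the check fails when the control session is relayed through ftp-proxy without NAT, and why NAT makes both connections appear to come from the same place.

```python
"""Added illustration (not from the original post or from ftp-proxy): why a
PASV data connection arrives 'from a different place' when a non-NAT firewall
relays only the control session through ftp-proxy.

All addresses below are constructed sample values except 129.128.5.191 and
port 42841 (167*256+89), which are taken from the 227 reply quoted in the post.
"""
import re
from ipaddress import ip_address

# Matches '227 <text> (h1,h2,h3,h4,p1,p2)' as sent by an FTP server.
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply: str) -> tuple[str, int]:
    """Turn a 227 PASV reply into the (host, port) the client must connect to."""
    m = PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def server_accepts_data(control_peer: str, data_peer: str) -> bool:
    """The server-side check behind the 425 in the post: the host that opens
    the data connection must be the host that holds the control connection."""
    return ip_address(control_peer) == ip_address(data_peer)


def model(nat: bool) -> dict:
    """Model the two deployments discussed in the post.

    Constructed addresses: 192.0.2.10 is the LAN client, 198.51.100.1 is the
    firewall's external address running ftp-proxy. With the rdr rule on port
    21, the control connection always reaches the server from the firewall.
    Without NAT the client opens the PASV data connection itself; with NAT its
    source is rewritten to the firewall address as well.
    """
    client = "192.0.2.10"
    firewall = "198.51.100.1"
    reply = "227 Entering Passive Mode (129,128,5,191,167,89)"
    host, port = parse_pasv(reply)
    control_peer = firewall            # control session relayed by ftp-proxy
    data_peer = firewall if nat else client
    return {
        "data_target": (host, port),
        "control_peer": control_peer,
        "data_peer": data_peer,
        "accepted": server_accepts_data(control_peer, data_peer),
    }


if __name__ == "__main__":
    for nat in (False, True):
        r = model(nat)
        verdict = "accepted" if r["accepted"] else "425 rejected"
        print("NAT" if nat else "no NAT", "->", verdict, r)
```

The model only covers the address comparison the post's 425 message points at; a server may apply additional checks, but this one alone is enough to explain why the proxied control session and the unproxied data session are treated as coming from two different hosts.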