Re: IPNAT and ftp.
> True. FTP negotiates the data channel in the data stream (in both active and passive
> modes).
> There is no way for NAT to accommodate this without inspection of the FTP data stream.
> This means
> that a proxy is required to perform NAT and FTP through a firewall (or some very lax
> firewall rules).
So is
pass out quick on untrusted proto tcp from client port > 1023 to server
port > 1023 flags S keep state
too lax? FWIW, the newer revs of IP Filter v3.2.10 and successive betas
have a better ftp-proxy module. I haven't addressed this release yet to
incorporate it into our tree. I take it then that I should step on it?
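
Added example, not part of the original message and not IP Filter's own code: a Python sketch of the inspection step an FTP NAT helper performs on the PORT command and the 227 passive reply, which is what lets a filter admit one negotiated data port instead of every port above 1023. The function names and all addresses are constructed for illustration.

```python
import re

# RFC 959 host-port: h1,h2,h3,h4,p1,p2 as decimal octets.
HOSTPORT = re.compile(rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Return (ip, port) from a PORT command or a 227 reply, else None."""
    if line[:4].upper() not in (b"PORT", b"227 "):
        return None
    m = HOSTPORT.search(line, 4)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet: do not create state for it
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def rewrite_hostport(line, expected_ip, new_ip, new_port):
    """Rewrite the advertised endpoint the way a NAT helper must.

    Returns (new_line, length_delta), or None when the line is not a
    valid PORT/227 or advertises an address other than the sender's own
    (expected_ip), so no mapping is ever opened toward a third host.
    """
    parsed = parse_hostport(line)
    if parsed is None or parsed[0] != expected_ip:
        return None
    m = HOSTPORT.search(line, 4)
    repl = "{},{},{}".format(
        new_ip.replace(".", ","), new_port >> 8, new_port & 0xFF
    ).encode()
    new_line = line[:m.start()] + repl + line[m.end():]
    # A non-zero delta changes the TCP payload length, so the helper must
    # also adjust sequence/ack numbers for the rest of the control session.
    return new_line, len(new_line) - len(line)


if __name__ == "__main__":
    # Constructed sample lines (private and documentation addresses).
    active = b"PORT 192,168,1,10,4,1\r\n"
    passive = b"227 Entering Passive Mode (10,0,0,2,195,80)\r\n"
    print(parse_hostport(active), parse_hostport(passive))
    print(rewrite_hostport(active, "192.168.1.10", "203.0.113.5", 40000))
```

The parsed port is the only one a stateful rule needs to open for the data connection, and only for the two hosts already on the control channel.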