Re: FTPD Help
From: Jed Clear (clear_at_alum.mit.edu)
Date: 09/11/03
- Next message: Kirk Strauser: "Re: Can Dump Write to a Remote Hard Disk?"
- Previous message: philo: "Re: BSD newbie ...modem question"
- In reply to: Joe Doupnik: "Re: FTPD Help"
- Next in thread: Joe Doupnik: "Re: FTPD Help"
- Reply: Joe Doupnik: "Re: FTPD Help"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Thu, 11 Sep 2003 01:23:40 GMT
Joe Doupnik wrote:
> -------------
> "Normal" mode for FTP is for the server (ftpd) to offer a port
> to the client, no matter which way data will flow. It does this by
> sending a PORT command detailing the IP number and TCP port number now
> open by the server.
> "Passive" mode for FTP is for the client to make the PORT offer
> instead. The server can use any local port it wishes to make the outward
> connection.
I think you have client and server reversed. The party initiating the
FTP control connection is the "client" or, more properly in FTP
parlance, user. In Active (normal) mode the server initiates the TCP data
connection to the client. PORT is used by the client to modify the
address and port that the server connects to.
In passive (PASV) mode the client asks the server for an address and
port to make the data connection to on the server. The server then
passively listens for a connection on that port. The TCP data
connection is then initiated to that server, usually by the client, but
it can be a third party server in active mode.
Check out section 3.2 of the RFC
ftp://ftp.rfc-editor.org/in-notes/rfc959.txt and refer to figures 1 and
2 of section 2.3.
[snip good stuff about pitfalls of NAT, and original FTP design]
OP, if you were using ipfw and natd on your "router", you could look
at the natd -punch_fw option. A few tricks are: don't set your "router"
kern.securelevel above 2, make sure you generally allow new outbound TCP
connections in your ipfw rules, and set the -punch_fw basenumber to a
number higher than your divert rule. The rules get installed 100 apart
by default. If your divert rule is at 2000, then "-punch_fw 2010:16"
will work. Read the natd(8) section on punch_fw carefully before
tailoring those numbers to your requirements. This would let you do
both active and passive through the "router". Of course using port 2121
could break punch_fw.
Your "router" appears to be something else. A working understanding of
how the FTP protocol connections happen, and your "router's"
documentation should at least let you see what's possible. Many can't
deal with the problems Joe mentions. If you can't get your "router" to
sit up and beg properly, put it aside, dust off an old 486, install
FreeBSD and 2 NICs, and then use ipfw and natd.
I've been putting "router" in quotes because it is really the NAT and
firewall functionality that is giving you problems, and traditionally
that isn't a router's primary job.
HTH,
-Jed
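The active/passive negotiation Jed describes, as an added example (not code from the thread or from any ftpd): the client listens and sends PORT in active mode, the server listens and answers 227 in passive mode, and the other side parses the six-field address and connects. Both ends run in one process on 127.0.0.1 with ephemeral ports, so the whole exchange can be traced offline. The final check illustrates the NAT pitfall the thread refers to: the address embedded in PORT is the client's own, not the one the server sees, which is what natd's -punch_fw is there to rewrite. The 192.168.1.10 / 203.0.113.5 pair is constructed for the demo.

```python
"""FTP data-connection negotiation, active (PORT) vs passive (PASV).
Added example, not code from the mailing-list thread."""
import ipaddress
import re
import socket

# h1,h2,h3,h4,p1,p2 encoding shared by PORT and the 227 reply (RFC 959, 4.1.2)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def encode_hostport(host, port):
    """Return the six comma-separated fields for an IPv4 host and port."""
    octets = host.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % host)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return "%s,%d,%d" % (",".join(octets), port >> 8, port & 0xFF)


def _decode(match):
    fields = [int(f) for f in match.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("field out of range in %r" % match.group(0))
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def parse_port_command(line):
    """Server side: the address the client asks the server to connect to."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("malformed PORT command: %r" % line)
    return _decode(m)


def parse_pasv_reply(line):
    """Client side: the address the server says it is listening on."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("malformed 227 reply: %r" % line)
    return _decode(m)


def _listen():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))   # ephemeral port, as a real ftpd or client would use
    s.listen(1)
    return s


def _exchange_over(listener, target):
    """Complete the data connection and push one line across it.  The
    listener has already called listen(), so the connector's handshake
    finishes in the kernel backlog before accept() runs."""
    connector = socket.create_connection(target, timeout=2)
    acceptor, _ = listener.accept()
    connector.sendall(b"sample data\r\n")
    received = acceptor.recv(64)
    for s in (connector, acceptor, listener):
        s.close()
    return received == b"sample data\r\n"


def active_mode():
    """Client listens and sends PORT; the server connects to the client."""
    client_listener = _listen()
    port_cmd = "PORT " + encode_hostport(*client_listener.getsockname())
    target = parse_port_command(port_cmd)         # server parses the command
    ok = _exchange_over(client_listener, target)  # server -> client
    return {"command": port_cmd, "data_initiator": "server", "ok": ok}


def passive_mode():
    """Client sends PASV; the server listens, replies 227; client connects."""
    server_listener = _listen()
    reply = "227 Entering Passive Mode (%s)" % encode_hostport(
        *server_listener.getsockname())
    target = parse_pasv_reply(reply)              # client parses the reply
    ok = _exchange_over(server_listener, target)  # client -> server
    return {"reply": reply, "data_initiator": "client", "ok": ok}


def port_needs_nat_rewrite(port_cmd, observed_source_ip):
    """The NAT pitfall: the client embeds the address of its own NIC, which
    behind NAT is a private address the server cannot reach.  A NAT that
    understands FTP (natd -punch_fw) rewrites it and opens a matching
    firewall hole; an unaware "router" does neither."""
    embedded_ip, _ = parse_port_command(port_cmd)
    return (ipaddress.ip_address(embedded_ip).is_private
            and embedded_ip != observed_source_ip)


if __name__ == "__main__":
    print(active_mode())
    print(passive_mode())
    # constructed: client on 192.168.1.10 behind a NAT whose public side is 203.0.113.5
    print(port_needs_nat_rewrite("PORT 192,168,1,10,4,1", "203.0.113.5"))
```

Running it prints the PORT command and 227 reply actually generated, which side opened each data connection, and True for the constructed NAT case. The 150/226 status replies and the PASV command itself travel on the control connection and are left out here; only the address exchange and the resulting data connection are shown.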