Re: PF binat and active FTP
From: Peter Matulis (mr_scary_at_mail.com)
Date: 02/25/04
- Next message: Marin: "Re: PF binat and active FTP"
- Previous message: Marin: "Re: PF binat and active FTP"
- In reply to: Marin: "Re: PF binat and active FTP"
- Next in thread: Marin: "Re: PF binat and active FTP"
- Reply: Marin: "Re: PF binat and active FTP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Tue, 24 Feb 2004 19:41:55 -0500
On Tue, 24 Feb 2004 23:36:00 +0100, Marin <REMOVE-marin-REMOVE@jware.hr>
wrote:
>Peter Matulis wrote:
>>>[FTP SERVER]------[OPENBSD]--------[LINUX NAT]--------[Win98]
>>>
>>>            ^                                       ^
>>>            |                                       |
>>>       External NET                            Internal NET
>>
>>
>> There must be something you're not telling us. Your setup is too strange.
>>
>
>Well, I know it's a little bit strange, but: I am working for a small ISP
>and OpenBSD is (will be, now it's Novell Border manager)
>firewall/router/bandwidth shaper to all our customers who are on
>wireless WAN, and Linux NAT is private firewall/NAT box of one of our
>clients.
>
>External NET is Internet, network between OpenBSD and Linux NAT is
>Wireless WAN/LAN (my private network) and network between LINUX NAT and
>Win98 is customers private network.
>
>>
>>>On Linux I have loaded module ip_masq_ftp.
>>
>>
>> What does this module really do?
>>
>
>It enables active ftp over NAT (I think it's something like kernel
>ftp-proxy on linux)
Well, having two adjacent ftp proxies is going to cause problems. Each one
expects to talk to the server/client directly, not to another proxy.
>>>
>>>active ftp from Win98 to FTP SERVER is broken (login is OK, but any form
>>>of data transfer results in closed connection error)
>>
>>
>> Are you sure that this is an active client?
>
>yes
>>>I still don't understand why we need ftp-proxy when binat is active and
>>>all incoming connection requests from Internet are redirected to
>>>internal host..
Just for a second, imagine you are the OpenBSD box. You receive a packet
out of the blue from some internet host requesting entrance. WTF??? You
drop the packet. According to my understanding, that's what is happening
here. There is no evidence of this communication in the NAT machine's
state table so it discards it as noise. It won't even show up in the logs.
I tried it. I have no idea what Novell does in such a situation.
Suggestion: tell your (business) client that he must use your box for
natting. If not, and even if you do get this FTP issue to work, it has the
potential of causing problems in the future.
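Peter's "packet out of the blue" point, as an added illustration that is not code from this thread: a toy stateful filter that only admits an inbound data connection when an FTP helper (a stand-in for what ftp-proxy or ip_masq_ftp do, not an emulation of either) has parsed the client's PORT command and pre-registered the expected server-to-client flow. The addresses and ports are constructed.

```python
"""Active FTP through a stateful filter, with and without an FTP helper."""
import re

# Active-mode PORT command: PORT h1,h2,h3,h4,p1,p2  (port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_port(cmd: str):
    """Return the (ip, port) the client announced for the data connection."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class StatefulFilter:
    """Toy state table: an inbound SYN passes only if a state already exists."""

    def __init__(self, ftp_helper: bool):
        self.ftp_helper = ftp_helper
        self.states = set()  # (src_ip, src_port, dst_ip, dst_port)

    def outbound(self, src, sport, dst, dport, payload=""):
        """Internal host opens a connection; the helper inspects FTP control data."""
        self.states.add((src, sport, dst, dport))
        if self.ftp_helper and dport == 21 and payload.startswith("PORT "):
            ip, port = parse_port(payload)
            # Pre-create the state the server's data connection (from port 20)
            # will match; without this the inbound SYN looks like noise.
            self.states.add((dst, 20, ip, port))

    def inbound_allowed(self, src, sport, dst, dport) -> bool:
        return (src, sport, dst, dport) in self.states


def data_connection_allowed(ftp_helper: bool) -> bool:
    """Constructed exchange: client 10.0.0.5 talks to FTP server 198.51.100.7."""
    fw = StatefulFilter(ftp_helper)
    fw.outbound("10.0.0.5", 40000, "198.51.100.7", 21, "PORT 10,0,0,5,156,65")
    # Server now tries to open the data connection back to 10.0.0.5:40001.
    return fw.inbound_allowed("198.51.100.7", 20, "10.0.0.5", 156 * 256 + 65)


if __name__ == "__main__":
    print("with helper:", data_connection_allowed(True))     # True
    print("without helper:", data_connection_allowed(False))  # False
```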