[4572] in linux-net channel archive
Re: IP Masquerading: No good for FTP?
daemon@ATHENA.MIT.EDU (Jos Vos)
Mon Sep 30 01:18:11 1996
From: Jos Vos <jos@xos.nl>
To: Karl.Oygard@kjeller.fou.telenor.no (Karl Anders Oygard)
Date: Sun, 29 Sep 1996 12:26:13 +0100 (MET)
Cc: linux-net@vger.rutgers.edu
In-Reply-To: <uju20fmpkr8.fsf@dina.nta.no> from "Karl Anders Oygard" at Sep 28, 96 08:17:15 pm
> | I was under the impression that FTP runs on top of TCP so that it should
> | work just fine... only things like "ping", ICMP, or anything on top of
> | UDP would be affected.
>
> TCP has little to do with FTP being so hard to masquerade.
>
> The problem with FTP is that when transferring data from the ftp server,
> the server opens a new TCP connection to your host. Now, that doesn't work
> well with masquerading, since the host that does the masquerading, doesn't
> know that this new connection has got anything to do with your FTP
> transfer. Thus, the masquerading host has to actually look at the
> negotiation between your ftp client and the ftp server, to see when and
> where this reverse connection is going to take place.
>
> Not sure if I got all that right, but this is all described in various RFCs,
> but what I suggest you do is that you use passive ftp instead. Passive ftp
> uses one and only one connection during the whole session, and does not
> require a reverse connection.

No, you're not right. You described the problem, but you don't seem to
know that there is (since long) a solution: the ip_masq_ftp module, that
you need to load to make active FTP work.
The same (loading a special module) is needed for IRC and RealAudio.
The modules are included in the standard kernel (2.0.x) and you need
to do "make modules" to generate them.
--
-- Jos Vos <jos@xos.nl>
-- X/OS Experts in Open Systems BV | Phone: +31 20 6938364
-- Amsterdam, The Netherlands | Fax: +31 20 6948204
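
The step the thread describes, where the masquerading host reads the FTP control channel, comes down to rewriting the client's `PORT h1,h2,h3,h4,p1,p2` command. The following is an added example, not part of the original post and not the ip_masq_ftp source; the function names, addresses and the rule that the advertised address must equal the client's own are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

struct endpoint { unsigned char ip[4]; unsigned short port; };

/* Parse "PORT h1,h2,h3,h4,p1,p2" (optionally CRLF-terminated). 0 on success. */
int parse_port(const char *line, struct endpoint *ep)
{
    unsigned v[6];
    char tail = 0;
    int i, n;

    if (strncmp(line, "PORT ", 5) != 0)
        return -1;
    n = sscanf(line + 5, "%u,%u,%u,%u,%u,%u%c",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &tail);
    if (n < 6 || (n == 7 && tail != '\r' && tail != '\n'))
        return -1;                         /* too short, or trailing junk */
    for (i = 0; i < 6; i++)
        if (v[i] > 255) return -1;         /* every field is one byte */
    for (i = 0; i < 4; i++)
        ep->ip[i] = (unsigned char)v[i];
    ep->port = (unsigned short)(v[4] * 256 + v[5]);
    return 0;
}

/* Rewrite an inside client's PORT line to advertise the masquerading host.
 * *inside gets the original endpoint so the server's data connection can be
 * forwarded. A real helper must also fix up TCP sequence numbers, because the
 * rewritten line can differ in length; that part is omitted here. */
int masq_rewrite_port(const char *line, const unsigned char client_ip[4],
                      const struct endpoint *masq, struct endpoint *inside,
                      char *out, size_t outlen)
{
    if (parse_port(line, inside) != 0)
        return -1;
    if (memcmp(inside->ip, client_ip, 4) != 0)
        return -2;                         /* advertises someone else: refuse */
    int n = snprintf(out, outlen, "PORT %d,%d,%d,%d,%d,%d\r\n",
                     masq->ip[0], masq->ip[1], masq->ip[2], masq->ip[3],
                     masq->port >> 8, masq->port & 0xff);
    return (n > 0 && (size_t)n < outlen) ? 0 : -3;
}

int main(void)
{   /* Constructed sample: inside client 192.168.1.10, masq host 203.0.113.5 */
    const unsigned char client[4] = {192, 168, 1, 10};
    struct endpoint masq = {{203, 0, 113, 5}, 61000}, inside;
    char out[64];
    if (!masq_rewrite_port("PORT 192,168,1,10,4,1\r\n", client, &masq, &inside, out, sizeof out))
        printf("%s(forward to inside port %d)\n", out, inside.port);
    return 0;
}
```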