On Sun, 21 Feb 1999 13:35:05 -0500, Mark W. Eichin wrote:

>> I am redirecting TCP ports "ftp" and "ftp-data" of my firewall host to an
>
>If you're just naïvely redirecting them, you have missed an important
>aspect of the ftp protocol - namely that unless you're using passive
>(PASV) mode, data connections are made by the client telling the
>server what address to connect to, in the ftp command stream (PORT).

You're right. I'm quite familiar with the FTP protocol specs (because I implemented a nearly-FTP-compliant server in Java a while ago), but I forgot about the fact that the direction is "reversed" in "active" mode (compared to PASV, as you mentioned).

>In order to redirect ftp, you must rewrite the command stream as well,
>or force the client to use PASV mode (which most web browsers do, by
>default.)

Do you happen to know whether anyone has already done that? I absolutely NEED that feature. The NAT I currently use under NT properly handles incoming FTP connections (Nevod's NAT1000.)

>As for connections hanging with large data -- if you're filtering
>ICMP, you may be filtering out ICMP_FRAG_NEEDED, which is important if

No. As I said, I disabled ALL DENY rules and set the default policy to ACCEPT -- to no avail.

>you have weird MTU's and anyone is doing Path MTU discovery (and just
>about everyone is these days.) If that isn't it, well, learn to use
>tcpdump and see what *is* happening with one of those connections...

Sh*t. I've always wanted to learn about it, but it needs quite a lot of practice (and time!) to understand tcpdump output, and much time is what I don't have at the moment. :-(

Thanks for your comments.

Ralf

--
Ralf G. R. Bergs * Welkenrather Str. 100/102 * 52074 Aachen * Germany
+49-241-876892, +49-241-877776 (fax) * [EMAIL PROTECTED] * PGP ok!
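The command-stream rewriting the quoted reply refers to, as an added illustration that is not code from either poster: a small Python application-level-gateway fragment that decodes a client's active-mode PORT command, checks that the advertised address is the client's own, and re-encodes it with the firewall's public address and a mapped port. The addresses and the public port range are constructed assumptions.

```python
import re

# Constructed sample addresses (assumptions, not from the post): the client's
# private address behind the firewall and the firewall's public address.
PRIVATE_CLIENT = "192.168.1.10"
PUBLIC_FIREWALL = "203.0.113.5"

PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port(line):
    """Decode the h1,h2,h3,h4,p1,p2 argument of an active-mode PORT command;
    returns (ip, port) or None when the line is not a well-formed PORT."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def format_port(ip, port):
    """Encode an address back into the PORT h1,h2,h3,h4,p1,p2 form."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


class PortRewriter:
    """Remembers which public port the firewall must accept for each PORT seen."""

    def __init__(self, public_ip, first_public_port=40000):
        self.public_ip = public_ip
        self.next_port = first_public_port
        self.table = {}  # public port -> (private ip, private port) of the client

    def rewrite(self, line, client_private_ip):
        """Return the PORT line to send on to the server, or None to drop it.
        The address inside PORT must be the client's own; anything else is a
        broken client or an attempt to use the gateway as a relay, so refuse it."""
        parsed = parse_port(line)
        if parsed is None or parsed[0] != client_private_ip:
            return None
        public_port = self.next_port
        self.next_port += 1
        self.table[public_port] = parsed
        return format_port(self.public_ip, public_port)
```

The `table` is what the firewall's connection tracker would consult to forward the server's inbound data connection from the public port back to the client's private address and port.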

