On Tue, Mar 26, 2002 at 09:33:59PM -0800, Tony Rall wrote:

> Passive ftp is generally more likely to work through any firewall than
> active ftp - it is generally the better method - including with Pix
> firewalls.

This is true for the client side; for the server side it is the other way around, of course.

> "fixup protocol ftp" has nothing to do with passive ftp. It only causes
> the Pix to look for "port" commands, which are only used in active ftp. It
> is needed so that the Pix can temporarily open the inbound port for the
> data connection. But passive ftp doesn't use an inbound port and requires
> no special rule in the Pix to work.

At least the Linux Conntrack/Masquerading/NAT modules also check for the PASV response in FTP control connections, to link the timeout of the NATed control connection to the timeout of the data channel. Otherwise the control channel is frequently terminated by the firewall after a few hours, while the data channel is happily transferring data. Not sure if the Pix is doing that too, but it should.

> Nor would there be a problem with address or port translation - as there
> is no address or port specified in the ftp "pasv" command. (There is an
> address and port specified in the ftp server's response to a pasv command,
> but these don't get translated (nor do they need to be).

On the server side they do need to be. Also, if you limit outgoing connections, you need to monitor the PASV response to open up an outgoing connection. Not sure if the PIX is doing that.

Greetings
Bernd

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
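As an added illustration of what a stateful firewall or NAT helper has to pull out of the FTP control channel in each mode (the client's PORT command in active mode, the server's 227 reply in passive mode), here is a small parser plus the per-session bookkeeping that lets data-channel traffic keep the control connection from idling out. This is example code written for this page, not the Linux conntrack helper and not PIX code; the rule that the advertised address must match the side that sent it, and the session layout, are assumptions of the example about sensible helper behaviour, not descriptions of either product.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class DataEndpoint(NamedTuple):
    """Where the data connection will go and in which direction it crosses the firewall."""
    direction: str  # "inbound": server connects to client (active); "outbound": client connects to server (passive)
    host: str
    port: int


# RFC 959 host-port argument: h1,h2,h3,h4,p1,p2  with port = p1*256 + p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def _decode_hostport(match: "re.Match") -> Optional[Tuple[str, int]]:
    fields = [int(x) for x in match.groups()]
    if any(f > 255 for f in fields):
        return None  # malformed argument: open nothing
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        return None
    return host, port


def parse_control_line(line: str, sender_ip: str, strict: bool = True) -> Optional[DataEndpoint]:
    """Return the data-channel endpoint announced by one control-channel line, or None.

    "PORT h1,h2,h3,h4,p1,p2" (sent by the client)            -> inbound pinhole, active mode
    "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (server) -> outbound pinhole, passive mode
    With strict=True the announced host must be the sender's own address (assumption of this
    example): a helper should never open a hole towards a third party on the say-so of a peer.
    """
    text = line.rstrip("\r\n")
    if text.upper().startswith("PORT "):
        direction = "inbound"
    elif text.startswith("227"):
        direction = "outbound"
    else:
        return None
    match = _HOSTPORT.search(text)
    if not match:
        return None
    decoded = _decode_hostport(match)
    if decoded is None:
        return None
    host, port = decoded
    if strict and host != sender_ip:
        return None
    return DataEndpoint(direction, host, port)


class ControlSession:
    """Minimal per-control-connection state: expected data endpoints and the last time either
    channel carried traffic, so a long transfer defers the control connection's idle timeout."""

    def __init__(self, client_ip: str, server_ip: str, idle_timeout: float = 3600.0):
        self.client_ip = client_ip
        self.server_ip = server_ip
        self.idle_timeout = idle_timeout
        self.expected: List[DataEndpoint] = []
        self.last_activity = 0.0

    def feed(self, from_client: bool, line: str, now: float = 0.0) -> Optional[DataEndpoint]:
        self.last_activity = now
        sender = self.client_ip if from_client else self.server_ip
        endpoint = parse_control_line(line, sender)
        if endpoint is not None:
            self.expected.append(endpoint)
        return endpoint

    def data_activity(self, now: float) -> None:
        """Called when a packet of the linked data connection is seen."""
        self.last_activity = now

    def control_expired(self, now: float) -> bool:
        return now - self.last_activity > self.idle_timeout


# Constructed control-channel exchange (not a captured session); addresses are documentation ranges.
CONSTRUCTED_SESSION = [
    (True, "USER anonymous"),
    (False, "331 Please specify the password."),
    (True, "PORT 192,168,1,10,4,1"),                             # active: expect inbound to 192.168.1.10:1025
    (False, "200 PORT command successful."),
    (True, "PASV"),
    (False, "227 Entering Passive Mode (203,0,113,5,195,80)."),  # passive: expect outbound to 203.0.113.5:50000
    (False, "227 Entering Passive Mode (198,51,100,9,0,21)."),   # third-party address: must be ignored
]


def run_constructed_session() -> List[DataEndpoint]:
    session = ControlSession(client_ip="192.168.1.10", server_ip="203.0.113.5")
    for from_client, line in CONSTRUCTED_SESSION:
        session.feed(from_client, line)
    return session.expected


if __name__ == "__main__":
    for ep in run_constructed_session():
        print(f"{ep.direction:8s} {ep.host}:{ep.port}")
```

Feeding the constructed exchange yields exactly two expected endpoints, one inbound from the PORT command and one outbound from the first 227 reply; the second 227 reply names a host other than the server and is dropped. The `ControlSession.data_activity` hook is the piece Bernd's conntrack remark is about: without it, `control_expired` fires after `idle_timeout` seconds of control-channel silence even while the data channel is busy.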
