At 11:26 PM 1/29/2006, you wrote:
Neil Schneider wrote:
In this case the culprit isn't NAT, it's FTP. It's a weird protocol
and it causes no end of grief, not only because of firewalls, but even
routing will cause problems with FTP. So don't blame NAT for the
problems with FTP, blame FTP.
I disagree. There is nothing inherently wrong with FTP. FTP opens a
command channel which exchanges commands with the host and when it
is time to transfer a file it opens another channel on a negotiated
ip/port. Many protocols work this way including the relatively
recent (compared to FTP) SIP protocol. It is a perfectly valid way
to handle things. NAT breaks the end to end nature of the internet
and causes the protocols involved to have to be much more
complicated and handle everything within one TCP session.
I disagree with *you* (agree with Neil). This negotiation of a new
high port to transfer the data on is dumb because the firewall,
unless it is an application proxy, has no way to know what specific
ports to allow the returning data on. So, to allow it without an
application proxy, you have to basically allow all the ephemeral
ports that may be used. Most of your more popular commercial
firewalls have ftp application proxy's built in and don't trouble the
admin with the complexities, but with PF, IPtables, etc, we must
trouble ourselves with the dumb behavior of FTP. I am a n00b on VOIP,
so if you say SIP is dumb too... err, like FTP, then I gotta say that
it's another reason to use IAX.... But I am way outta my league here.
I am a total VOIP n00b.
Now, if FTP needs to use multiple ports, then lets use the same damn
ones each time so we can filter what we don't need.
...and I decided to bottom post (another dumb idea), just this once. :o)
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
