Juan Carlos Castro y Castro wrote:
> > > Hi. I noticed I have to load ip_masq_ftp in order for FTP to work from
> > > behind an IP masquerading box.
> >
> > Or you have to use passive (PASV) mode for FTP, which is preferable.
>
> Duh? What's the difference? And what *is* FTP passive mode by the way?
In both modes, the client connects to port 21 on the server to
establish the control channel. Whenever the client wants to send or
receive data (e.g. file contents or `ls' output), another connection
is established (the data channel).
In active mode, the client creates a listening (server) socket, and
sends a PORT command which contains the IP address and port number of
that socket. The server connects to this socket to create the new
connection.
This is why you need an ip_masq_ftp.o module. The masq firewall scans the
control channel for PORT commands. When it sees one, it has to
add a masq entry for the specified address and port, and then rewrite
the PORT command accordingly.
Also, this will not work from behind a firewall which generally blocks
inbound connections.
In passive mode, the client sends a PASV command, the server creates a
new listening socket, and sends its IP address and port number back to
the client. The client then connects to this port to establish the
data channel.
As the IP address and port number don't need to be modified, and the
connection is established by the client, it works without any
additional support. It also works through firewalls.
For the Unix `ftp' program, passive mode is enabled with the
`passive' command. Netscape and MSIE use passive mode automatically.
Windows FTP clients generally have a checkbox to enable passive mode.
The only disadvantage is that some old FTP servers don't support
passive mode. However, this is uncommon nowadays, as it means that
anyone behind a firewall can't connect to the server.
> > Some general rules:
> >
> > Protocols which send IP addresses or port numbers through the
> > connection may not work via masquerading unless there is a specific
> > module for them.
>
> "May"? IMHO if it *does* work there's something wrong with the protocol
> (redundancy in the best case).
It will work as long as it's the remote server sending data about its
sockets, and not the other way around.
> > Servers don't work behind firewalls; you have to make the firewall act
> > as a proxy server for them, using e.g. redir.
>
> Can't I use ipfwadm for that (saying for instance that incoming port 80
> requests go to 192.168.this.that)?
You need to have ipportfw support. See the details for
CONFIG_IP_MASQUERADE_IPPORTFW in Documentation/Configure.hlp.
--
Glynn Clements <[EMAIL PROTECTED]>
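As an added example (not code from the original message or from the kernel's ip_masq_ftp module), this Python sketch models the two cases described above: the gateway scanning the control channel for a PORT command, adding a masq entry and rewriting the address, versus a PASV reply that needs no rewrite. The gateway address 10.0.0.1, the client 192.168.1.2 and the server 198.51.100.7 are constructed values.

```python
"""Model of what a masquerading gateway does to active-mode FTP.

Added example with constructed addresses: the gateway scans the control
channel, maps the client's listening socket to one of its own ports, and
rewrites the PORT command so the server connects to the gateway instead.
"""
import re

# PORT h1,h2,h3,h4,p1,p2 -- four address bytes, then port high/low byte
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r\n$", re.IGNORECASE)
# 227 reply to PASV carries the server's socket in the same h1,...,p2 form
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)\r\n$")


def decode_hostport(fields):
    """'192,168,1,2,4,1' -> ('192.168.1.2', 1025)."""
    parts = [int(x) for x in fields.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed host/port argument: %r" % fields)
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def encode_hostport(ip, port):
    """('10.0.0.1', 61000) -> '10,0,0,1,238,72'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class MasqGateway:
    """Table of external port -> (internal ip, internal port) entries."""

    def __init__(self, external_ip, first_port=61000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.table = {}

    def add_entry(self, internal_ip, internal_port):
        ext_port = self.next_port
        self.next_port += 1
        self.table[ext_port] = (internal_ip, internal_port)
        return ext_port

    def rewrite_port_command(self, line):
        """Return the control-channel line as the server should see it."""
        m = PORT_RE.match(line)
        if not m:
            return line  # not a PORT command: forward untouched
        ip, port = decode_hostport(m.group(1))
        ext_port = self.add_entry(ip, port)
        return "PORT %s\r\n" % encode_hostport(self.external_ip, ext_port)


def pasv_data_target(reply):
    """Passive mode: the server names its own socket, so there is nothing
    to rewrite; the masqueraded client just connects to that address."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    return decode_hostport(m.group(1))
```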