Matthew Dempsky wrote:
> The IPsec flow is between the FTP client and the FTP server? Then by
> design, any intermediary will not be able to eavesdrop or alter
> packets in transit.

The IPsec flow is between the FTP client and a LAN, and the packets are
then NAT'd to the internet and sent to the FTP server. I want to put an
IPsec link between the LAN and the FTP server, but I can't get this in
place yet. If I could get this link set up, then there is no issue with
FTP, since there won't be any NAT taking place.

> If you're okay with allowing arbitrary outgoing TCP connections and
> can live with only allowing clients to use passive FTP (I believe the
> default nowadays), then you shouldn't need ftp-proxy at all.

This is correct, passive FTP does work. Active doesn't work because the
client puts its IP address into the PORT command, and the server can't
connect back to this address. Unfortunately for me, their custom
application cannot use passive FTP.
Cam
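The failure Cam describes, and the fix an application-level helper such as ftp-proxy applies, can be made concrete. The following is an added example, not code from the thread or from OpenBSD's ftp-proxy: it parses the PORT command an active-mode client sends, checks whether the advertised address is an RFC 1918 address that a server on the internet cannot connect back to, and rewrites the command with the NAT gateway's public address and a proxy-chosen listening port, recording the mapping the proxy would need to forward the server's inbound data connection to the real client. The client address 192.168.1.23, the public address 203.0.113.5 and the proxy port 60000 are constructed sample values, and the single-port mapping is a simplified model of what a real proxy does.

```python
import ipaddress
import re

# RFC 1918 ranges: a server on the internet cannot route a connection
# back to any of these, which is why active FTP breaks behind NAT.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# PORT h1,h2,h3,h4,p1,p2  (RFC 959): address as four octets, port as p1*256+p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$", re.IGNORECASE)


def parse_port(cmd):
    """Return (IPv4Address, port) from a PORT command, or None if malformed."""
    m = PORT_RE.match(cmd)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None  # every field is one byte; reject out-of-range values
    ip = ipaddress.IPv4Address(".".join(str(v) for v in fields[:4]))
    port = fields[4] * 256 + fields[5]
    if port == 0:
        return None
    return ip, port


def format_port(ip, port):
    """Build a PORT command line for the given address and port."""
    octets = str(ip).split(".")
    return "PORT %s,%d,%d\r\n" % (",".join(octets), port // 256, port % 256)


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def server_can_connect_back(cmd):
    """True only if the PORT command carries an address reachable from the internet."""
    parsed = parse_port(cmd)
    return parsed is not None and not is_rfc1918(parsed[0])


def rewrite_port(cmd, public_ip, proxy_port):
    """Rewrite a PORT command the way a NAT-side FTP helper would.

    Returns (command_to_send_to_server, mapping) where mapping is
    (client_ip, client_port) the proxy must forward the server's data
    connection to, or None when no rewrite was needed.
    """
    parsed = parse_port(cmd)
    if parsed is None:
        raise ValueError("malformed PORT command: %r" % cmd)
    client_ip, client_port = parsed
    if not is_rfc1918(client_ip):
        return cmd, None  # already a routable address, pass it through
    # Advertise the gateway's public address and a port the proxy listens on;
    # the proxy will accept the server's connection there and relay it.
    rewritten = format_port(ipaddress.IPv4Address(public_ip), proxy_port)
    return rewritten, (client_ip, client_port)


if __name__ == "__main__":
    # Constructed sample: what the client behind NAT actually sends.
    client_cmd = "PORT 192,168,1,23,19,136\r\n"   # 192.168.1.23, port 5000
    print("client sent:   ", client_cmd.strip())
    print("server can connect back:", server_can_connect_back(client_cmd))
    new_cmd, mapping = rewrite_port(client_cmd, "203.0.113.5", 60000)
    print("proxy forwards:", new_cmd.strip())
    print("proxy relays server's data connection to:", mapping)
```

Without the rewrite the server receives `PORT 192,168,1,23,19,136` and tries to open a data connection to 192.168.1.23:5000, which is unroutable from the internet; with it, the server connects to 203.0.113.5:60000, where the proxy relays to the client. This is also why passive mode works unchanged: there the server advertises its own, public, address in the PASV reply and the client initiates the outbound connection through the NAT.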