On Wed, 29 Jan 2003, at 11:04am, [EMAIL PROTECTED] wrote:
> I have just put my IIS5.0 server behind a firewall and I have given it a
> NATed IP address.

  Does your firewall support FTP protocol inspection (AKA "related
connection tracking")?  If not, you will have problems.

  FTP requires two TCP connections: One is the "control channel", the other
is the "data channel".  The control channel is always initiated from an
ephemeral port on the client to port 21 on the server.  The way the data
channel works depends on the "mode" the FTP client is using.

  In "active mode", the *client* listens on an ephemeral port, and gives
that port number to the server.  The server initiates a TCP connection from
port 20 to the client, and uses that to send data.

  In "passive mode", the *server* listens on an ephemeral port, and gives
that port number to the client.  The client makes the TCP connection to the
server, and that is used for the data channel.

  Because the port numbers used for the data channel are ephemeral, they
cannot be handled using simple port forwarding and packet filtering rules.  
Stateful inspection of the FTP command channel is required.

> Problem is that if someone is trying to ftp to the ftp site on that IIS
> server THROUGH THEIR OWN FIREWALL with a NATed IP address they run into
> problems.

  Most likely, they are using a cheap firewall that doesn't do any kind of
protocol inspection.  So, they *must* use passive mode.  Your firewall has
to be able to handle that.

  What kind of firewall are you using?

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |
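The "stateful inspection of the FTP command channel" described above, as an added example (not part of the original message): a minimal helper that parses the PORT command and the 227 PASV reply, decodes the h1,h2,h3,h4,p1,p2 address, and reports which side will open the data connection and to which ephemeral port, while rejecting an announced address that does not match the control-channel peer (the NAT mismatch the thread is about). Function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Regexes for the two control-channel messages that announce a data-channel endpoint.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\s[^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

@dataclass(frozen=True)
class DataChannel:
    mode: str                # "active" or "passive"
    initiator: str           # IP that will open the data connection
    dst_ip: str              # IP that must accept it
    dst_port: int            # ephemeral port announced on the control channel
    src_port: Optional[int]  # 20 in active mode; unknown (ephemeral) in passive mode

def _decode(groups):
    """Turn h1,h2,h3,h4,p1,p2 into (ip, port); port = p1*256 + p2."""
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    port = octets[4] * 256 + octets[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ".".join(str(o) for o in octets[:4]), port

def expect_from_client(line, client_ip, server_ip):
    """Client -> server line.  A PORT command means active mode: server connects from port 20."""
    m = PORT_RE.match(line)
    if not m:
        return None
    ip, port = _decode(m.groups())
    # Only open a pinhole back to the peer that sent PORT; any other address is refused.
    if ip != client_ip:
        raise ValueError(f"PORT announced {ip}, control peer is {client_ip}")
    return DataChannel("active", server_ip, ip, port, 20)

def expect_from_server(line, client_ip, server_ip):
    """Server -> client line.  A 227 reply means passive mode: client connects to the server."""
    m = PASV_RE.match(line)
    if not m:
        return None
    ip, port = _decode(m.groups())
    # A NATed server advertises its private address here; unless the firewall rewrites it,
    # the client tries an unreachable IP, which is the failure the thread describes.
    if ip != server_ip:
        raise ValueError(f"227 announced {ip}, control peer is {server_ip}")
    return DataChannel("passive", client_ip, ip, port, None)
```

A firewall helper would use the returned DataChannel to open a temporary pinhole for exactly that endpoint and, for the passive case, rewrite the advertised private address to the public NAT address.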

