Passive mode ftp does not work. All incoming ports bar ftp must be firewalled to these servers.
We do not have control over these servers and cannot change them to support passive mode ftp.
Luke
> -----Original Message-----
> From: Jozsef Kadlecsik [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 17, 2001 5:48 PM
> To: Luke McKee
> Cc: 'Ramin Alidousti'; '[EMAIL PROTECTED]'; 'Tony Pang';
> '[EMAIL PROTECTED]'
> Subject: RE: FTP NAT/Conntrack problems
>
>
> On Thu, 17 May 2001, Luke McKee wrote:
>
> > Seeing the ^^^ source ip address is not specified in the PORT command, does
> > netfilter just assume it will be the same one as the endpoint of the outgoing
> > ftp control connection. Assumptions are not good :-( in our case and netfilter
> > doesn't expect the incoming data connection to come in from where it really
> > does. In most cases on the internet the assumption would be right, but with
> > lots of load balancing implementations of FTP out there with different ip
> > addresses for incoming and outgoing connections (not everybody wants to use
> > big FreeBSD boxes like cdrom.com) people may run into this problem with
> > netfilter more often.
> >
> > FTP doesn't state the source IP of the data connection in a PORT command to
> > expect the incoming connection from, because normally an ftp client checks
> > only for the correct source port - not the 'correct' source IP as well. Does
> > netfilter differ from standard ftp clients and check the source IP matches
> > what it expects? (I'll guess yes for the rest of the email)
>
> The FTP conntrack module is for a firewall: it should be as conservative -
> without disrupting the allowed services - as possible, still retaining as
> many security restrictions as possible.
>
> Such load-balancing FTP services could only be supported at normal FTP
> data mode if the incoming source address for the data channel would be
> unspecified ("wildcard"): anyone from the whole internet could then
> connect to the FTP client at the given port.
>
> Why don't you simply use passive mode FTP??
>
> Regards,
> Jozsef
> -
> E-mail : [EMAIL PROTECTED], [EMAIL PROTECTED]
> WWW-Home: http://www.kfki.hu/~kadlec
> Address : KFKI Research Institute for Particle and Nuclear Physics
> H-1525 Budapest 114, POB. 49, Hungary
>
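To make the trade-off discussed in this thread concrete, here is a small model of how a stateful firewall turns an active-mode PORT command into an expectation for the incoming data connection, and what changes if the source address is left as a wildcard. This is added example code written for this thread, not netfilter's own ip_conntrack_ftp; the addresses are constructed, and the assumption that only the source IP (not the source port) of the data connection is checked is part of the model.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Simplified model of an FTP conntrack "expectation" (example, not kernel code).
# Assumption of this model: the firewall pins the data connection's source IP to
# the control-connection peer but does not check the source port.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


@dataclass(frozen=True)
class Expectation:
    client_ip: str            # address announced in PORT (where data must arrive)
    client_port: int          # port announced in PORT
    server_ip: Optional[str]  # required source of the data SYN; None = wildcard


def parse_port(line: str) -> Tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' (RFC 959) into (ip, port)."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError("not a PORT command")
    octets = [int(x) for x in m.groups()]
    if max(octets) > 255:
        raise ValueError("PORT value out of range")
    h1, h2, h3, h4, p1, p2 = octets
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def expect_from_port(line: str, control_peer_ip: str, strict: bool = True) -> Expectation:
    """Build the expectation. strict=True is the conservative behaviour the thread
    describes (data must come from the control-connection peer); strict=False is
    the wildcard alternative Jozsef warns about."""
    ip, port = parse_port(line)
    return Expectation(ip, port, control_peer_ip if strict else None)


def matches(exp: Expectation, src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Would this incoming data-connection SYN be accepted by the expectation?"""
    if (dst_ip, dst_port) != (exp.client_ip, exp.client_port):
        return False
    return exp.server_ip is None or src_ip == exp.server_ip


if __name__ == "__main__":
    # Constructed scenario: control connection to 198.51.100.10, but the
    # load-balanced server opens the data connection from 198.51.100.11.
    strict = expect_from_port("PORT 192,0,2,7,4,1\r\n", "198.51.100.10")
    loose = expect_from_port("PORT 192,0,2,7,4,1\r\n", "198.51.100.10", strict=False)
    print("strict, data from .11:", matches(strict, "198.51.100.11", "192.0.2.7", 1025))
    print("wildcard, data from .11:", matches(loose, "198.51.100.11", "192.0.2.7", 1025))
    print("wildcard, unrelated host:", matches(loose, "203.0.113.5", "192.0.2.7", 1025))
```

The last line of output is the cost of the wildcard: once the source is unconstrained, any host can reach the client's announced port for as long as the expectation lives, which is exactly why the module defaults to the strict match.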
