>> I have a nagging feeling that NAT address manipulation may only
>> happen with FTP clients, if it fails then people use passive mode.
>
> This issue happens in passive mode. When FTP client sends PASV
> command it gets a response which contains private IP address...
Irrelevant, we are talking about two NAT routers here, the client is almost certainly behind a NAT router using a private IP, and the server is behind a second NAT router. In an ideal world, both routers would be changing the private IP to public IPs, and FTP would just work. Using passive mode gets around the client NAT router, but not the server NAT router.

My first example is the ICS FTP client behind a NAT router, accessing an ICS FTP server on a public IP. The client sends a port command with a private IP:

00:08:07 Downloading File: /info-2010-09-07.txt
00:08:07 > PORT 192,168,1,119,236,41
00:08:07 < 200 Port command successful.

but the server receives the command with the public IP and the same port, because it's been translated by the client NAT router.

00:08:06 angussha1 [217.146.115.81] [288] < PORT 217,146,115,81,236,41
00:08:06 angussha1 [217.146.115.81] [288] > 200 Port command successful.

I'm not using passive mode, because the NAT router is working properly and manipulating the control channel. Note it cannot do this with SSL due to encryption, which is why passive mode is needed.

My second example is accessing the ICS FTP server behind a NAT router, from an ICS FTP client on the public server. Non-passive mode works immediately, because there is no NAT. With the client in passive mode, it gets this response from the FTP server behind NAT with the public IP:

> PASV
< 227 Entering Passive Mode (217,146,115,84,82,9).

but the server actually sent a private IP, which has been modified by the NAT router:

12:46:30 angusadmin [217.146.102.131] [11] < PASV
12:46:30 angusadmin [217.146.102.131] [11] > 227 Entering Passive Mode (192,168,1,63,82,9).

So my original hypothesis that an FTP server behind a proper NAT router will work without needing any special commands or manipulation in the client or server is correct. I'm using a Sonicwall TZ200 router and firewall. However I've not yet tested FTP behind two NAT routers.
If anyone wants to test against the latest ICS FTP server either on the public or NAT address, please email and I'll give you logins.

Angus

--
To unsubscribe or change your settings for TWSocket mailing list
please go to http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be
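The message above turns on one question: does the h1,h2,h3,h4,p1,p2 tuple that arrives on the control channel (in a PORT command or a 227 PASV reply) still carry a private address, or has the NAT router rewritten it to match the public peer? The following is an added example, not ICS code and not from the list post; it parses both forms, flags a private or mismatching address, and picks the fallback most clients apply (use the control connection's peer address instead). The sample lines are the ones quoted in the post; the function names and the `control_peer` parameter are assumptions of this example.

```python
import ipaddress
import re

# Both the PORT command and the 227 PASV reply carry six decimal fields:
# h1,h2,h3,h4 are the IPv4 octets, p1,p2 give the port as p1*256 + p2 (RFC 959).
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Return (ip, port) from a PORT command or 227 reply, or None if absent/invalid."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # malformed tuple; never trust it as an address
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def classify_data_address(line, control_peer):
    """Compare the advertised data address with the control connection's peer.

    'ok'       - public address equal to the peer: the NAT rewrote the channel
    'private'  - RFC 1918 address leaked through: NAT did not touch the text
    'mismatch' - public but different from the peer (second NAT, or spoofed)
    'unparsed' - no usable tuple on the line
    """
    parsed = parse_hostport(line)
    if parsed is None:
        return "unparsed"
    ip, _port = parsed
    if ipaddress.ip_address(ip).is_private:
        return "private"
    if ip != control_peer:
        return "mismatch"
    return "ok"


def data_endpoint(line, control_peer):
    """Pick the endpoint a client should actually connect to for the data channel.

    When the advertised address is private or disagrees with the control peer,
    substitute the control peer's address (the usual client-side workaround for
    an FTP server behind NAT) but keep the advertised port.
    """
    parsed = parse_hostport(line)
    if parsed is None:
        return None
    ip, port = parsed
    if classify_data_address(line, control_peer) in ("private", "mismatch"):
        ip = control_peer
    return ip, port


if __name__ == "__main__":
    # Constructed sample input: the control-channel lines quoted in the post.
    samples = [
        ("PORT 217,146,115,81,236,41", "217.146.115.81"),              # server side, NAT rewrote it
        ("227 Entering Passive Mode (217,146,115,84,82,9).", "217.146.115.84"),  # client side, rewritten
        ("227 Entering Passive Mode (192,168,1,63,82,9).", "217.146.115.84"),    # private IP leaked
    ]
    for line, peer in samples:
        print(classify_data_address(line, peer), data_endpoint(line, peer), "<-", line)
```

The classification is only a heuristic for the unencrypted case: once the control channel is under TLS, the router cannot rewrite the tuple at all, so every PASV reply from a server behind NAT will show up as `private` and the substitution in `data_endpoint` is what makes the transfer work.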