>> I have a nagging feeling that NAT address manipulation may only 
>> happen with FTP clients, if it fails then people use passive mode.
> 
> This issue happens in passive mode. When FTP client sends PASV 
> command it gets a response which contains private IP address...

Irrelevant; we are talking about two NAT routers here: the client is
almost certainly behind a NAT router using a private IP, and the server
is behind a second NAT router.  In an ideal world, both routers would be
changing the private IP to public IPs, and FTP would just work.  Using
passive mode gets around the client NAT router, but not the server NAT
router.  

My first example is the ICS FTP client behind a NAT router, accessing an
ICS FTP server on a public IP.  The client sends a PORT command with a
private IP: 

00:08:07  Downloading File: /info-2010-09-07.txt 
00:08:07  > PORT 192,168,1,119,236,41
00:08:07  < 200 Port command successful.

but the server receives the command with the public IP and the same port,
because it's been translated by the client NAT router.  

00:08:06 angussha1 [217.146.115.81] [288] < PORT 217,146,115,81,236,41
00:08:06 angussha1 [217.146.115.81] [288] > 200 Port command successful.

I'm not using passive mode, because the NAT router is working properly
and manipulating the control channel.  Note it cannot do this with SSL,
due to the encryption, which is why passive mode is needed. 

My second example is accessing the ICS FTP server behind a NAT router,
from an ICS FTP client on the public server.  Non-passive mode works
immediately, because there is no NAT.  With the client in passive mode,
it gets this response from the FTP server behind NAT with the public IP:

> PASV
< 227 Entering Passive Mode (217,146,115,84,82,9).

but the server actually sent a private IP, which has been modified by the
NAT router:

12:46:30 angusadmin [217.146.102.131] [11] < PASV 
12:46:30 angusadmin [217.146.102.131] [11] > 227 Entering Passive Mode (192,168,1,63,82,9).

So my original hypothesis that an FTP server behind a proper NAT router
will work without needing any special commands or manipulation in the
client or server is correct.  I'm using a Sonicwall TZ200 router and
firewall.  However I've not yet tested FTP behind two NAT routers. 

If anyone wants to test against the latest ICS FTP server either on the
public or NAT address, please email and I'll give you logins.  

Angus
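Added example, not part of Angus's post or the ICS code base: a small Python model of what the NAT router's FTP application-layer gateway is doing to the control channel in the two log excerpts above. It parses the h1,h2,h3,h4,p1,p2 field shared by the PORT command and the 227 reply, rewrites an RFC 1918 address to the router's public address while leaving the port octets alone (236,41 and 82,9 survive the translation in the logs), and adds the client-side fallback many FTP clients apply when the router cannot rewrite (for example with SSL on the control channel): if the 227 reply carries a private address, connect to the control connection's peer address instead. The function names are my own; the addresses are the ones in the logs.

```python
"""Model of an FTP NAT ALG rewriting PORT / 227 PASV replies (added example)."""

import ipaddress
import re

# h1,h2,h3,h4,p1,p2 as used by the PORT command (RFC 959) and the 227 reply.
_HOST_PORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_host_port(text: str) -> tuple[str, int]:
    """Return (ip, port) from an h1,h2,h3,h4,p1,p2 field found anywhere in text."""
    m = _HOST_PORT.search(text)
    if not m:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 field in {text!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range in {text!r}")
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


def format_host_port(ip: str, port: int) -> str:
    """Inverse of parse_host_port: dotted IP plus port back to the comma form."""
    if not 0 < port < 65536:
        raise ValueError(f"port out of range: {port}")
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def nat_rewrite(line: str, public_ip: str) -> str:
    """What the router does on the control channel (hypothetical model of the
    SonicWall ALG): if the PORT command or 227 reply carries an RFC 1918
    address, substitute the router's public address.  The port octets are kept
    unchanged, exactly as in the two log excerpts.  Lines without a host/port
    field, or with a public address already, pass through untouched."""
    m = _HOST_PORT.search(line)
    if not m:
        return line
    ip, port = parse_host_port(line)
    if not ipaddress.ip_address(ip).is_private:
        return line
    return line[: m.start()] + format_host_port(public_ip, port) + line[m.end():]


def data_endpoint_for_pasv(reply_227: str, control_peer_ip: str) -> tuple[str, int]:
    """Client-side check for the case the router could NOT rewrite (e.g. SSL on
    the control channel): if the 227 reply advertises a private address that
    differs from the control connection's peer, the advertised address is
    useless from the outside, so use the control peer's address with the
    advertised port.  Otherwise trust the reply as-is."""
    ip, port = parse_host_port(reply_227)
    if ip != control_peer_ip and ipaddress.ip_address(ip).is_private:
        return control_peer_ip, port
    return ip, port


if __name__ == "__main__":
    # First example: client behind NAT sends PORT with a private IP.
    print(nat_rewrite("PORT 192,168,1,119,236,41", "217.146.115.81"))
    # Second example: server behind NAT answers PASV with a private IP.
    reply = "227 Entering Passive Mode (192,168,1,63,82,9)."
    print(nat_rewrite(reply, "217.146.115.84"))
    # Same reply seen by a client when the router did not rewrite it.
    print(data_endpoint_for_pasv(reply, "217.146.115.84"))
```

Running it reproduces the translated lines from the logs (PORT 217,146,115,81,236,41 and 227 Entering Passive Mode (217,146,115,84,82,9).) and, for the un-rewritten reply, yields the control peer's address with port 21001 (82*256+9).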

--
To unsubscribe or change your settings for TWSocket mailing list
please goto http://lists.elists.org/cgi-bin/mailman/listinfo/twsocket
Visit our website at http://www.overbyte.be