Barry Spindler on Wed, 2 Aug 2000 10:49:53 -0400 (EDT)



Re: [PLUG] IP Masq'ing Logic Check


Yep, that's correct. There is an IPMasq module (ip_masq_ftp) that makes
normal FTP transfers work in this situation (or should at least work).
This is one of a few IPMasq modules that come with the kernel and sit in
/lib/modules/<kernel_ver>/ipv4 to help with protocols that make connections
like this.

	--Barry


On Tue, Aug 01, 2000 at 12:04:10PM -0400, Michael W. Ryan wrote:
> Could someone familiar with IP Masq'ing issues confirm my conclusion here.
> Thanks.
> 
> Given the following arrangement:
> 
>     FTP Server---Internet---Firewall---Private Subnet---FTP Client
> 
> If the FTP Client is in a private subnet (i.e. 192.168.1.0), it cannot
> perform normal mode FTP data transfers with the FTP Server on the
> Internet.  This is because normal mode FTP requires the FTP Server to make
> a connection from port 20 (ftp-data) to an unprivileged port on the FTP
> Client, and the FTP Server sees the connection as coming from the
> Firewall, not the FTP Client.
> 
> Passive mode FTP transfers would work, as it requires the FTP Client make
> a connection from an unprivileged port to an unprivileged port on the FTP
> Server.
> 
> In order to allow normal mode FTP data transfers from within the private
> subnet, an FTP proxy would need to be installed on the Firewall.
> 
> Michael W. Ryan, MCP, MCT     | OTAKON 2000
> mryan@netaxs.com              | Convention of Otaku Generation
> http://www.netaxs.com/~mryan/ | http://www.otakon.com/
> 
> No, I don't hear voices in my head;
> I'm the one that tells the voices in your head what to say.
> 
> 
> ______________________________________________________________________
> Philadelphia Linux Users Group       -       http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mail/listinfo/plug-announce
> General Discussion   -   http://lists.phillylinux.org/mail/listinfo/plug
> 
> 

-- 
To refuse praise is to seek praise twice.
------------------------------------------------------------------------
GPG Fingerprint: 5475 C984 D870 4ACD 9799  1B69 DFCE 17CB 8257 38C3
------------------------------------------------------------------------
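
The following is an added example, not part of the original thread and not the ip_masq_ftp source: a toy Python model of what a masquerading FTP helper has to do for normal (active) mode, namely rewrite the client's PORT command to the firewall's public address and remember where to forward the server's data connection. The class name, the addresses 192.168.1.10 and 203.0.113.5, the starting port 61000 and the source-address check are assumptions made for illustration.

```python
import re

# PORT argument is h1,h2,h3,h4,p1,p2 (RFC 959); port = p1*256 + p2
PORT_RE = re.compile(r"^PORT " + ",".join([r"(\d{1,3})"] * 6) + r"\s*$")

def parse_port(line):
    """Return (ip, port) from a PORT command line, or None if it is not one."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def format_port(ip, port):
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)

class FtpHelper:
    """Hypothetical model of a masquerading FTP helper on the firewall."""

    def __init__(self, public_ip, first_port=61000):
        self.public_ip = public_ip
        self.next_port = first_port   # assumed start of the masq port range
        self.expect = {}              # public port -> (client ip, client port)

    def outbound(self, client_ip, line):
        """Process one control-channel line going from client to server."""
        parsed = parse_port(line)
        if parsed is None:
            return line               # not a PORT command: pass unchanged
        ip, port = parsed
        if ip != client_ip:           # added check: only map the sender itself
            raise ValueError("PORT address does not match client source")
        public_port = self.next_port
        self.next_port += 1
        self.expect[public_port] = (client_ip, port)
        return format_port(self.public_ip, public_port)

    def inbound_data(self, dst_port):
        """Where to forward the server's data connection, or None to drop."""
        return self.expect.pop(dst_port, None)

def demo():
    # Constructed sample: client 192.168.1.10 behind firewall 203.0.113.5
    fw = FtpHelper("203.0.113.5")
    rewritten = fw.outbound("192.168.1.10", "PORT 192,168,1,10,4,1\r\n")
    return rewritten, fw.inbound_data(61000)
```

Without the rewrite the server would be told to connect to 192.168.1.10, which is not routable from the Internet; with it, the server connects to the firewall, which forwards the connection once and then forgets the mapping.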