From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: netfilter@lists.netfilter.org
Subject: Re: Passive FTP sees remote's _internal_ IP!!??
Date: Mon, 27 Nov 2006 22:26:18 +0100	[thread overview]
Message-ID: <456B57FA.5020000@plouf.fr.eu.org> (raw)
In-Reply-To: <20061127184454.0BD73DB@brinstar.nerim.net>

Hello,

Maxime Ducharme wrote:
> This happens when the remote server has a bad
> NAT configuration for FTP.

I fully agree, the problem seems to be on the server side.

> Maybe SonicWALL is able to "fix" this itself, I don't
> know this product very well.

If it does so, I'd be happy to know how.

> some suggestions :
> 
> 1. Fix NAT for FTP on remote firewall
> 
> 2. Configure remote server to explicitly send
> external IP for passive connections (most FTP
> software allows you to configure this)
> 
> 3. Configure your FTP client to use active mode.
> If the server is running on a port other than 21,
> you must tell ip_nat_ftp to "listen" for FTP
> traffic on this port. Someone on this list can
> tell us how? (I don't remember how)

$ modprobe ip_conntrack_ftp ports=21,alternate_port
$ modprobe ip_nat_ftp ports=21,alternate_port

Both commands are needed because AFAIK ip_nat_ftp automatically loads 
ip_conntrack_ftp if it is not already loaded, but does not pass the port 
list to it. Duh.

3b. Use extended passive mode (EPSV) if the client, the remote server 
and their firewall/NATs support it, because an EPSV reply does not 
contain the server address.

[Read on]
> -----Original Message-----
> From: netfilter-bounces@lists.netfilter.org
> [mailto:netfilter-bounces@lists.netfilter.org] On behalf of gypsy
> Sent: 27 November 2006 10:33
> To: netfilter@lists.netfilter.org
> Subject: Passive FTP sees remote's _internal_ IP!!??
> 
> We don't think this is a netfilter problem.

I agree, at least not on the client side.

> The kernel should tell the
> remote end that it can't use the "nonroutable" IP - shouldn't it?

No, the kernel is not supposed to do this. All the Netfilter FTP NAT 
helper module can do is translate "internal" addresses. However, the 
wrong PASV reply comes from the outside.

>>>When the default GW is set to the linux box (192.168.223.254) and
>>>passive FTP to a remote server is initiated, the FTP fails after
>>>connection because the internal IP of the remote machine (192.168.1.11)
>>>is seen rather than its external IP.  This problem occurs only when
>>>passive FTP is used.

Does this happen with any FTP server or only a specific one?
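The client-side view of the problem described in this thread, as an added example that is not part of the original message, of netfilter, or of any FTP client mentioned here. It parses the two reply formats at issue, PASV (227, which carries an address) and EPSV (229, which carries only a port), and applies the workaround that clients such as lftp (ftp:fix-pasv-address) and curl (--ftp-skip-pasv-ip) implement when a NATed server advertises an RFC 1918 address: connect the data channel to the control connection's peer instead. The function and variable names, the sample replies and the public address 203.0.113.10 are all constructed for the example.

```python
# Added example: what an FTP client has to do once the Netfilter NAT helper
# cannot help, because the wrong PASV reply comes from the outside.
# Helper names, sample replies and addresses are constructed for this example.
import ipaddress
import re

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)   (RFC 959)
PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# 229 Entering Extended Passive Mode (|||port|)  (RFC 2428): no address at all
EPSV_RE = re.compile(r"^229\b.*?\((\D)\1\1(\d{1,5})\1\)")

# "Non-routable" in the thread means the RFC 1918 ranges; checked explicitly
# rather than via ipaddress.is_private, whose range list varies by version.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr):
    """True if addr is an IPv4 address inside one of the RFC 1918 blocks."""
    return addr.version == 4 and any(addr in net for net in RFC1918)


def parse_pasv(reply):
    """Return (IPv4Address, port) from a 227 reply, or raise ValueError."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError(f"not a well-formed 227 reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in PASV reply: {reply!r}")
    return ipaddress.IPv4Address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def parse_epsv(reply):
    """Return the data port from a 229 reply; EPSV never carries an address."""
    m = EPSV_RE.match(reply)
    if not m:
        raise ValueError(f"not a well-formed 229 reply: {reply!r}")
    port = int(m.group(2))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in EPSV reply: {reply!r}")
    return port


def choose_data_endpoint(reply, control_peer, fix_pasv_address=True):
    """Decide the (host, port) the data connection should go to.

    control_peer is the address the control connection actually talks to,
    i.e. the server's public NATed address as the client sees it.  With EPSV
    the question does not arise: only a port is advertised, so the data
    connection reuses the control peer.  With PASV, a server behind a badly
    configured NAT advertises its internal address; when that address is
    RFC 1918, differs from a non-RFC 1918 control peer, and fix_pasv_address
    is set, substitute the control peer (the lftp/curl workaround), else
    refuse rather than connect to an address that cannot be reached.
    """
    peer = ipaddress.ip_address(control_peer)
    if reply.startswith("229"):
        return str(peer), parse_epsv(reply)
    addr, port = parse_pasv(reply)
    if addr != peer and is_rfc1918(addr) and not is_rfc1918(peer):
        if fix_pasv_address:
            return str(peer), port
        raise RuntimeError(
            f"server advertised non-routable {addr} in PASV reply; "
            f"control peer is {peer}"
        )
    return str(addr), port


if __name__ == "__main__":
    # Constructed replies modelled on the thread: the server's internal
    # address 192.168.1.11 leaks through PASV, while EPSV carries no address.
    public_peer = "203.0.113.10"  # assumed public address of the remote NAT
    print(choose_data_endpoint("227 Entering Passive Mode (192,168,1,11,19,137)", public_peer))
    print(choose_data_endpoint("229 Entering Extended Passive Mode (|||50001|)", public_peer))
```

The substitution keeps the advertised port and changes only the address, which is exactly what the remote NAT failed to rewrite; it does nothing when both ends are on the same private network, where a PASV reply with a 192.168.x.x address is legitimate.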

