Re: Forward ftp request another server

From: Seth Arnold (sarnold@wirex.com)
Date: 07/13/02


Date: Fri, 12 Jul 2002 21:22:35 -0700
From: Seth Arnold <sarnold@wirex.com>
To: SB CH <chulmin2@hotmail.com>


On Fri, Jul 12, 2002 at 09:59:04AM +0000, SB CH wrote:
> I would like to forward ftp request to other server's other port to improve
> the security. Is it possible?

Quite possibly. You know there are two ports involved with ftp; what you
may not know is that there are two different methods of using the two
ports. One method is known as active, the other is known as passive.

In active mode, the client provides an ip/port pair for the server to
connect to. With more and more clients behind firewalls, or worse yet,
NAT boxes, clients are more typically unable to use active mode.

In passive mode, the server provides an ip/port for the client to
connect to. This normally works, since the ftp server has a real IP
address, and its firewall ruleset will allow connections to the port
range used for the data connections.

If you are going to use NAT to redirect ftp, then your clients will
either need to use active mode (not possible for many clients) or your
ftp will need to work very closely with the NAT firewall. The only
system that I know that can do this is ftp-proxy in OpenBSD. It is
closely tied to the firewall, so porting it to Linux might be a fair
bit of work.

-- 
http://www.wirex.com/