Re: Why does passive FTP work behind router/firewall?
From: Duane Arnold (notme_at_notme.com)
Date: Thu, 19 Feb 2004 06:15:37 GMT
Georges Heinesch <email@example.com> wrote in news:firstname.lastname@example.org:
> ObiWan wrote:
>> Sorry for jumping here barefoot .. but afaict your router has SPI
>> this means that it is smart enough to recognize an FTP session
>> taking place and to open/accept all the needed connections
>> for the session to work, or ... that's what I strongly suspect :-)
> As far as I understood, SPI is a firewall feature, which prevents
> intrusion. Here is an excerpt from the SMC manual:
> ... When the SPI (Stateful Packet Inspection) feature is turned on, all
> incoming packets will be blocked except for those types marked with a
> check in the Stateful Packet Inspection section.
> I don't think that SPI is analysing the packets with the aim to detect
> FTP outgoing packets with port information and PASV data transfer
> requests and to subsequently open relevant ports on the router.
> Is this not beyond the scope of what SPI is meant for?
Stateful Packet Inspection is another means of stopping unsolicited
inbound traffic from coming down a port, along with some other things.
PASV and FTP port mapping is not one of the functions.
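
Added example, not part of the original posts: for the question in the subject line, this parses the two FTP control-channel messages that carry data-port information (the client's PORT command and the server's 227 reply to PASV, both in the RFC 959 h1,h2,h3,h4,p1,p2 format) and reports which side opens the data connection. The router model (drop unsolicited inbound, allow anything the inside client initiates), the function names and the sample addresses are assumptions constructed for illustration.

```python
import re

# Six comma-separated decimal bytes: h1,h2,h3,h4,p1,p2 (RFC 959 host-port format)
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(line):
    """Return (ip, port) from a PORT command or a 227 reply, or None if malformed."""
    m = HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None
    # The port is sent as two bytes: high byte first, then low byte
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def data_connection(line):
    """Classify a control-channel line and say which side opens the data connection."""
    verb = line.split(None, 1)[0].upper() if line.strip() else ""
    if verb == "PORT":      # active mode: client listens, server connects in
        mode, initiator = "active", "server"
    elif verb == "227":     # passive mode: server listens, client connects out
        mode, initiator = "passive", "client"
    else:
        return None
    endpoint = parse_hostport(line)
    if endpoint is None:
        return None
    return {"mode": mode, "initiator": initiator, "listener": endpoint}

def passes_inbound_block(conn):
    """Assumed router model: unsolicited inbound connections are dropped,
    client-initiated ones are allowed; no FTP-specific helper is involved."""
    return conn["initiator"] == "client"

# Constructed sample control-channel lines (not captured traffic)
SAMPLES = [
    "PORT 192,168,2,100,19,137",                        # sent by the client
    "227 Entering Passive Mode (203,0,113,10,195,80)",  # sent by the server
]

if __name__ == "__main__":
    for s in SAMPLES:
        c = data_connection(s)
        verdict = "passes" if passes_inbound_block(c) else "blocked"
        print(c["mode"], c["listener"], "opened by", c["initiator"], "->", verdict)
```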