Re: Why do I need a software firewall?

david20_at_alpha2.mdx.ac.uk
Date: 10/14/05


Date: Fri, 14 Oct 2005 10:27:04 +0000 (UTC)

In article <E4qdnbbtgcQaWdPeRVn-hg@comcast.com>, "Alun Jones" <alun@texis.invalid> writes:
>"Leythos" <void@nowhere.lan> wrote in message
>news:kEw3f.105095$lI5.40473@tornado.ohiordc.rr.com...
>> In article <-eGdnTC-H62FG9PeRVn-rw@comcast.com>, alun@texis.invalid
>> says...
>>> "Leythos" <void@nowhere.lan> wrote in message
>>> news:MPG.1dacbea55d89a2ee98a1c1@news-server.columbus.rr.com...
>>> > You really are a dufus - I never said that NAT didn't impact Active
>>> > FTP, not once. I said that NAT doesn't break FTP, never saying anything
>>> > about Active or Passive - knowing that anyone that understands the
>>> > slightest about FTP and NAT would already know that you need to use
>>> > Passive FTP, which works fine, so FTP isn't broken at all.
>>>
>>> Hmm...
>>>
>>> Depending on who's behind the NAT, that is. Passive FTP doesn't work if
>>> it's the server that's behind the NAT. You have to tell the NAT which
>>> ports to open.
>>>
>>> Now, some NATs work fine for passive FTP, because they scan the FTP
>>> control channel for PASV commands and the associated responses, and they
>>> change the IP address and port described therein. They should also open
>>> up the port mapping from the external port to the internal one. These
>>> NATs generally do the same for active FTP transfers, allowing them to
>>> work, too.
>>>
>>> There are two usual stipulations on this, however:
>>> 1. The FTP control traffic must be on port 21. I've heard rumours that
>>> there are NAT routers that can be configured to look for FTP on other
>>> ports, but never run across such a beast.
>>> 2. The FTP control traffic must be unencrypted.
>>
>> I have 9 FTP servers, some are behind a NAT from a Linksys/D-Link,
>> others behind a FireBox II others behind a FireBox x1000. They all seem
>> to work for us.
>
FTP is so widely used that I'd think that most NAT devices nowadays would come
with built-in FTP Application Level Gateways to overcome these problems.
See

http://www.zvon.org/tmRFC/RFC2101/Output/chapter4.html

and

http://www.zvon.org/tmRFC/RFC3022/Output/chapter4.html
section 4.4

David Webb
Security team leader
CCSS
Middlesex University

>Uh... okay. Does that support or contradict what I said above?
>
>Or are you just offering up your size for a measuring contest? :-)
>
>Alun.
>~~~~
>
>

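As an added illustration (not code from any poster in this thread), here is a Python sketch of what the FTP Application Level Gateway discussed above has to do on the control channel: rewrite the 227 PASV reply from a server behind the NAT, rewrite the PORT command from a client behind the NAT, and record the port mapping so the inbound data connection can be forwarded. The class name, the external address 203.0.113.7 and the port pool are constructed assumptions; it assumes plaintext control traffic, which is exactly why an encrypted control channel defeats this kind of gateway.

```python
import re
from dataclasses import dataclass, field

# Six decimal fields h1,h2,h3,h4,p1,p2 used by PORT commands and 227 replies (RFC 959).
HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PASV_TUPLE_RE = re.compile(r"\(" + HOSTPORT + r"\)")
PORT_CMD_RE = re.compile(r"^(PORT\s+)" + HOSTPORT + r"\s*$", re.IGNORECASE)

def decode_hostport(groups):
    """Turn the six fields into ('a.b.c.d', port); port is p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def encode_hostport(ip, port):
    """Inverse of decode_hostport: back to the h1,...,p2 text form."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

@dataclass
class FtpAlg:
    """External address plus ext_port -> (internal_ip, internal_port) table.
    A real NAT must also fix TCP sequence numbers when the rewrite changes
    the payload length (RFC 3022 section 4.4); that is omitted here."""
    external_ip: str
    next_ext_port: int = 40000        # constructed pool start, not a real default
    mappings: dict = field(default_factory=dict)

    def _allocate(self, int_ip, int_port):
        ext_port, self.next_ext_port = self.next_ext_port, self.next_ext_port + 1
        self.mappings[ext_port] = (int_ip, int_port)
        return ext_port

    def rewrite_pasv_reply(self, line):
        """Server behind the NAT: rewrite the 227 reply so the outside client
        connects to the NAT's external address, and open the matching mapping."""
        if not line.startswith("227"):
            return line
        def repl(m):
            ext_port = self._allocate(*decode_hostport(m.groups()))
            return "(" + encode_hostport(self.external_ip, ext_port) + ")"
        return PASV_TUPLE_RE.sub(repl, line, count=1)

    def rewrite_port_command(self, line):
        """Client behind the NAT (active mode): the same treatment for PORT."""
        m = PORT_CMD_RE.match(line)
        if not m:
            return line
        ext_port = self._allocate(*decode_hostport(m.groups()[1:]))
        return m.group(1) + encode_hostport(self.external_ip, ext_port)
```

Lines that are not a 227 reply or a PORT command pass through untouched, and the `mappings` table is what the NAT consults when the data connection arrives on the allocated external port.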