Re: Why do I need a software firewall?

david20_at_alpha2.mdx.ac.uk
Date: 10/14/05


Date: Fri, 14 Oct 2005 10:27:04 +0000 (UTC)

In article <E4qdnbbtgcQaWdPeRVn-hg@comcast.com>, "Alun Jones" <alun@texis.invalid> writes:
>"Leythos" <void@nowhere.lan> wrote in message
>news:kEw3f.105095$lI5.40473@tornado.ohiordc.rr.com...
>> In article <-eGdnTC-H62FG9PeRVn-rw@comcast.com>, alun@texis.invalid
>> says...
>>> "Leythos" <void@nowhere.lan> wrote in message
>>> news:MPG.1dacbea55d89a2ee98a1c1@news-server.columbus.rr.com...
>>> > You really are a dufus - I never said that NAT didn't impact Active FTP,
>>> > not once. I said that NAT doesn't break FTP, never saying anything about
>>> > Active or Passive - knowing that anyone who understands the slightest
>>> > about FTP and NAT would already know that you need to use Passive FTP,
>>> > which works fine, so FTP isn't broken at all.
>>>
>>> Hmm...
>>>
>>> Depending on who's behind the NAT, that is. Passive FTP doesn't work if
>>> it's the server that's behind the NAT. You have to tell the NAT which ports
>>> to open.
>>>
>>> Now, some NATs work fine for passive FTP, because they scan the FTP control
>>> channel for PASV commands and the associated responses, and they change the
>>> IP address and port described therein. They should also open up the port
>>> mapping from the external port to the internal one. These NATs generally do
>>> the same for active FTP transfers, allowing them to work, too.
>>>
>>> There are two usual stipulations on this, however:
>>> 1. The FTP control traffic must be on port 21. I've heard rumours that
>>> there are NAT routers that can be configured to look for FTP on other ports,
>>> but never run across such a beast.
>>> 2. The FTP control traffic must be unencrypted.
>>
>> I have 9 FTP servers, some are behind a NAT from a Linksys/D-Link,
>> others behind a FireBox II others behind a FireBox x1000. They all seem
>> to work for us.
>
FTP is so widely used that I'd think that most NAT devices nowadays would come
with built-in FTP Application Level Gateways to overcome these problems.
See

http://www.zvon.org/tmRFC/RFC2101/Output/chapter4.html

and

http://www.zvon.org/tmRFC/RFC3022/Output/chapter4.html
section 4.4

David Webb
Security team leader
CCSS
Middlesex University

>Uh... okay. Does that support or contradict what I said above?
>
>Or are you just offering up your size for a measuring contest? :-)
>
>Alun.
>~~~~
>
>
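The FTP ALG behaviour described in the quoted message (scan the control channel for PASV replies and PORT commands, rewrite the address and port they carry, and open a matching port mapping) is easy to see in a small simulation. The following is an added example, not code from anyone in this thread or from any NAT product: a toy ALG in Python with constructed addresses (203.0.113.7 as the NAT's external address, 10.0.0.5 and 192.168.1.10 as internal hosts) and a hypothetical sequential port allocator starting at 40000. It also shows the two stipulations from the message as failure cases: the ALG only inspects a session whose control port is 21, and an encrypted control channel never yields a parsable 227 reply, so no mapping is created and the data connection cannot be reached.

```python
import re
from typing import Dict, Optional, Tuple

# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2
PASV_RE = re.compile(
    r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)
# RFC 959 PORT command sent by a client in active mode
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$"
)


def decode_hostport(groups) -> Tuple[str, int]:
    """Turn the six comma-separated numbers into (ip, port)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip: str, port: int) -> str:
    """Inverse of decode_hostport: (ip, port) -> 'h1,h2,h3,h4,p1,p2'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpAlg:
    """Toy FTP application-level gateway (constructed example).

    mappings holds external_port -> (internal_ip, internal_port), i.e. the
    pinhole the NAT opens so the peer's data connection reaches the inside host.
    """

    def __init__(self, external_ip: str, first_port: int = 40000):
        self.external_ip = external_ip
        self.next_port = first_port  # hypothetical sequential allocator
        self.mappings: Dict[int, Tuple[str, int]] = {}

    def _allocate(self, internal_ip: str, internal_port: int) -> int:
        ext_port = self.next_port
        self.next_port += 1
        self.mappings[ext_port] = (internal_ip, internal_port)
        return ext_port

    def _rewrite(self, line: str, m: re.Match) -> Tuple[str, int]:
        int_ip, int_port = decode_hostport(m.groups())
        ext_port = self._allocate(int_ip, int_port)
        # Groups 1..6 are contiguous, so splice the new host/port over that span.
        new_line = line[: m.start(1)] + encode_hostport(self.external_ip, ext_port) + line[m.end(6):]
        return new_line, ext_port

    def rewrite_pasv_reply(self, line: str, control_port: int = 21) -> Tuple[str, Optional[int]]:
        """Server behind the NAT: rewrite its 227 reply and open a pinhole.

        Returns (line_to_forward, external_port); external_port is None when
        the ALG did not act (non-standard control port, or the bytes are not a
        readable 227 reply, which is what an encrypted control channel looks like).
        """
        if control_port != 21:
            return line, None
        m = PASV_RE.match(line)
        if m is None:
            return line, None
        return self._rewrite(line, m)

    def rewrite_port_command(self, line: str, control_port: int = 21) -> Tuple[str, Optional[int]]:
        """Client behind the NAT in active mode: same treatment for PORT."""
        if control_port != 21:
            return line, None
        m = PORT_RE.match(line)
        if m is None:
            return line, None
        return self._rewrite(line, m)


if __name__ == "__main__":
    alg = FtpAlg("203.0.113.7")
    print(alg.rewrite_pasv_reply("227 Entering Passive Mode (10,0,0,5,19,136)."))
    print(alg.rewrite_port_command("PORT 192,168,1,10,4,1"))
    print(alg.mappings)
    # Stipulation 1: control traffic on port 2121 is not inspected.
    print(alg.rewrite_pasv_reply("227 Entering Passive Mode (10,0,0,5,19,136).", control_port=2121))
    # Stipulation 2: a TLS record is opaque to the ALG, so nothing is rewritten.
    print(alg.rewrite_pasv_reply("\x17\x03\x01\x00\x2a\x9f\x11..."))
```

Two points the simulation makes concrete: the ALG has to rewrite the address inside the payload as well as in the IP header (a plain NAT only does the latter, which is why the quoted message says the server-side case needs help), and any condition that stops it from reading the control channel silently removes the pinhole rather than producing an error, which is why TLS-protected FTP or FTP on an unusual port needs an explicit port-forward on the NAT.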