Re: IIS5 Passive FTP Networking problem (long)
From: Alun Jones [MSFT] (alunj_at_online.microsoft.com)
Date: 12/14/04
Date: Tue, 14 Dec 2004 08:17:39 -0800
"WinGuy" <no_spam@nomail.bot> wrote in message
news:pjDvd.33831$zx1.26989@newssvr13.news.prodigy.com...
> I don't know if it's true or not, but a tech at Linksys said that version
> 3 firmware for the BEFSR41 router correctly translates the LAN address
> into its own WAN address in the packet that IIS sends, and the ARP is thus
> avoided. But version 2 firmware can not be upgraded to version 3, so I can
> only use the very latest release of the version 2 firmware (which I do)
> from Linksys and it obviously does not do the needed IP address
> translation.
>
> This means I have to do a "fix" by somehow configuring IIS FTP Service to
> spoof the WAN address of its router in its response to a request to use
> passive mode, or do away with the router entirely (and the hardware based
> security benefits that it provides) and give IIS a real (instead of
> spoofed) public WAN address.
Or... take the old router you have now, and update it to technology from the
last century.

I've used a BEFSR41 myself for FTP server use, and for several years I've
had the ability to run an FTP server behind it without changing the IP
address that the FTP server gives out. The NAT changes the PASV response in
every case.

It is the NAT's responsibility to make this change, and it would be a less
secure alternative to make this change happen in the FTP server.

Why? Because a NAT is really a NAPT - it translates network addresses _and_
ports. The FTP server could in theory be modified to issue a spoofed IP
address (although that would then prevent testing the FTP server's PASV
connections from inside the NAT), but it would have to assume that the ports
on the outside were mapped one-to-one to the ports on the inside. This is
not always the case. If the FTP server were to spoof the IP address without
this knowledge of the port mappings, your transfers would go astray - either
files would go to the wrong person, or they would not transfer at all.

Linksys' web site suggests that the firmware for both BEFSR41 Ver3 and the
BEFSR41 are being actively maintained - the former had its last update on
April 1, 2004, and the latter had its last update on August 3, 2004.

Download the most recent firmware and install it, to see if this problem has
been fixed. If it has not, ask when the firmware will be fixed. If it will
not be fixed, you might consider returning the router and buying one that
has the features you need.

Alun.
~~~~
-- Software Design Engineer, Internet Information Server (FTP)
This posting is provided "AS IS" with no warranties, and confers no rights.
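
The NAPT point made in the message above, as an added example that is not part of the original post: it compares a NAT that rewrites the 227 reply from its own mapping table with a server that substitutes only the address. The addresses, ports, table contents and function names are constructed for illustration.

```python
import re

# Matches the six comma-separated numbers in a 227 reply: h1,h2,h3,h4,p1,p2
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(line):
    """Return (ip, port) advertised in a 227 reply, or raise ValueError."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def format_pasv(ip, port):
    """Build a 227 reply advertising ip:port."""
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        ip.replace(".", ","), port >> 8, port & 0xFF)

def nat_rewrite(line, napt_table):
    """FTP-aware NAPT: replaces address AND port using its own mapping."""
    inside = parse_pasv(line)
    if inside not in napt_table:
        return line  # no mapping known, leave the reply untouched
    return format_pasv(*napt_table[inside])

def server_spoof(line, wan_ip):
    """Server-side substitution: changes the address only and keeps the
    inside port, i.e. assumes outside ports map one-to-one."""
    _, port = parse_pasv(line)
    return format_pasv(wan_ip, port)

def client_reaches_server(reply, napt_table):
    """True if the advertised endpoint is one the NAPT actually forwards."""
    return parse_pasv(reply) in napt_table.values()

# Constructed sample values (not from the thread)
WAN_IP = "203.0.113.10"
SERVER_REPLY = "227 Entering Passive Mode (192,168,1,100,19,137)"  # port 5001
# The NAPT picked outside port 61005 for the server's inside port 5001
NAPT_TABLE = {("192.168.1.100", 5001): (WAN_IP, 61005)}

if __name__ == "__main__":
    for name, reply in (("NAT rewrite ", nat_rewrite(SERVER_REPLY, NAPT_TABLE)),
                        ("server spoof", server_spoof(SERVER_REPLY, WAN_IP))):
        print(name, reply, "reachable:", client_reaches_server(reply, NAPT_TABLE))
```
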