punch_fw and passive mode
Marcin Gryszkalis
mg at fork.pl
Wed Sep 3 17:37:16 PDT 2003
Hi

I have a little problem with natd's punch_fw option and passive-mode FTP
clients connecting from inside the firewall (from behind NAT). It just does
nothing for passive connections. For active mode 2 rules are added and
everything works OK.

I looked at the sources and it seems to be that way by design; there's
such a piece of code in alias_ftp.c:
-------------------------
if (ntohs(tc->th_dport) == FTP_CONTROL_PORT_NUMBER) {
    /*
     * When aliasing a client, check for the PORT/EPRT command.
     */
    if (ParseFtpPortCommand(sptr, dlen))
        ftp_message_type = FTP_PORT_COMMAND;
    else if (ParseFtpEprtCommand(sptr, dlen))
        ftp_message_type = FTP_EPRT_COMMAND;
} else {
    /*
     * When aliasing a server, check for the 227/229 reply.
     */
    if (ParseFtp227Reply(sptr, dlen))
        ftp_message_type = FTP_227_REPLY;
    else if (ParseFtp229Reply(sptr, dlen)) {
        ftp_message_type = FTP_229_REPLY;
        true_addr.s_addr = pip->ip_src.s_addr;
    }
}
-------------------------
What would be broken if we removed this client/server if-else?
-------------------------
if (ParseFtpPortCommand(sptr, dlen))
    ftp_message_type = FTP_PORT_COMMAND;
else if (ParseFtpEprtCommand(sptr, dlen))
    ftp_message_type = FTP_EPRT_COMMAND;
else if (ParseFtp227Reply(sptr, dlen))
    ftp_message_type = FTP_227_REPLY;
else if (ParseFtp229Reply(sptr, dlen)) {
    ftp_message_type = FTP_229_REPLY;
    true_addr.s_addr = pip->ip_src.s_addr;
}
-------------------------
regards
--
Marcin Gryszkalis
http://fork.pl
<><
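As an added illustration (not code from the post above or from libalias), here is the parsing step the quoted block dispatches to, written without the client/server branch the question asks about, plus the one check a NAT helper still needs once direction is ignored: the tuple must name the packet's own source before any firewall hole is opened for it. Function and type names here are hypothetical.

```c
/* Added example, not code from libalias/alias_ftp.c: classify the FTP control
 * messages natd keys on and extract the data endpoint that punch_fw would
 * have to admit. Names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum ftp_msg { FTP_NONE, FTP_PORT_CMD, FTP_227_REPLY, FTP_229_REPLY };
struct ftp_endpoint { unsigned addr; unsigned port; }; /* IPv4, host order */

/* Parse an "h1,h2,h3,h4,p1,p2" tuple (PORT command and 227 reply). */
static int parse_tuple(const char *s, struct ftp_endpoint *ep)
{
    unsigned v[6];
    if (sscanf(s, "%u,%u,%u,%u,%u,%u", &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6)
        return 0;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)
            return 0;
    ep->addr = (v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    ep->port = (v[4] << 8) | v[5];
    return 1;
}

/* Classify one line without regard to direction, as the mail proposes.
 * src_addr is the packet's IP source; a tuple naming another host is
 * rejected so a crafted message cannot punch a hole toward a third party.
 * The 229 reply carries only a port, so the address is src_addr (the
 * true_addr = ip_src assignment in the quoted snippet). */
enum ftp_msg classify_ftp_line(const char *line, unsigned src_addr,
                               struct ftp_endpoint *ep)
{
    const char *p = strchr(line, '(');
    unsigned port;
    if (strncmp(line, "PORT ", 5) == 0 && parse_tuple(line + 5, ep))
        return ep->addr == src_addr ? FTP_PORT_CMD : FTP_NONE;
    if (strncmp(line, "227 ", 4) == 0 && p && parse_tuple(p + 1, ep))
        return ep->addr == src_addr ? FTP_227_REPLY : FTP_NONE;
    if (strncmp(line, "229 ", 4) == 0 && p &&
        sscanf(p, "(|||%u|)", &port) == 1 && port > 0 && port < 65536) {
        ep->addr = src_addr;
        ep->port = port;
        return FTP_229_REPLY;
    }
    return FTP_NONE;
}
```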
More information about the freebsd-ipfw mailing list