what is my real address?

Matthew Seaman m.seaman at infracaninophile.co.uk
Thu Mar 4 00:05:16 PST 2004


On Thu, Mar 04, 2004 at 08:33:32AM +0800, Robert Storey wrote:

> Matthew Seaman <m.seaman at infracaninophile.co.uk> wrote:

> > Running an FTP server through a NAT'ing gateway is not going to be a
> > pleasant experience, even if you were running the NAT gateway on a
> > FreeBSD box where natd's punch_fw functionality would make things a
> > great deal easier for you.  FTP is an ancient protocol not designed to
> > cope with the realities of the modern internet.
> 
> Is it just that I will suffer poor performance, or is there some other
> reason? I don't actually need hot performance, as this will be a very
> low-traffic anonymous ftp server. It's more for experiment and education
> than anything else. I'm trying to get the students to learn something
> besides Windows.

No, it's more fundamental than that.  The problem is the way FTP
works.  I wrote a piece on this in this very forum a while ago -- see

    http://freebsd.rambler.ru/bsdmail/freebsd-questions_2002/msg34253.html

which was mostly about firewalling, but explains what happens in terms
of what tcp connections are made in which directions depending on
whether you're using active or passive mode.

One problem that will bite you happens with passive mode FTP -- which
is the most popular variant, as used by default by all web browsers,
for instance.  This involves the client opening the ftp data channel
connection to an arbitrary high-numbered port on the server.  If the
ftp server is behind a NAT gateway that's going to cause problems, as
the NAT gateway will just see an incoming request to open a connection
on a high-numbered port, so you'll have to tell the gateway to proxy
all of those connections back to the FTP server.  It's a bit of a pain
to set up, and opens up far too much of your port range to potential
nastiness but it should work.

Where it can get really frustrating is using active mode FTP: here
it's the server that opens the data connection from port 20 on the
server side out to an arbitrary port on the client side.  As you can
imagine this gives the administrators of the client machine the
heebie-jeebies.  Even worse, as you go out through a NAT gateway, it is
quite likely that the NAT gateway will rewrite the packets so they
appear to come from an arbitrary port number on the gateway.  That
means you'd have to accept a connection from an arbitrary
high-numbered port to an arbitrary high-numbered port.  At which point
your only rational response is to run away, screaming.

I really must tidy that message up and put it on the web somewhere.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
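The two paragraphs above describe which side opens the FTP data channel and why that matters for a firewall or NAT gateway. The following Python module is an added example and not part of Matthew's message or of any FreeBSD tool: it parses the two control-channel messages that negotiate the data channel (the server's `227` reply to PASV, the client's `PORT` command), works out who connects to whom, states the rule the server-side firewall would have to carry, and flags the common NAT symptom where a server advertises an address that is not the one the client is actually talking to. Function names, the IP addresses and the sample messages are constructed for the example.

```python
"""Which side opens the FTP data channel in active vs passive mode (added example).

The control channel is one TCP connection to port 21.  The data channel is a
second TCP connection whose endpoint is negotiated on the control channel:

  passive: server answers PASV with "227 ... (h1,h2,h3,h4,p1,p2)" and the
           CLIENT connects to h1.h2.h3.h4:(p1*256+p2), an arbitrary high port.
  active:  client sends "PORT h1,h2,h3,h4,p1,p2" and the SERVER connects from
           its port 20 to h1.h2.h3.h4:(p1*256+p2) on the client.
"""
import re
from dataclasses import dataclass

# h1,h2,h3,h4,p1,p2 as used by both the 227 reply and the PORT command
_SIX_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class DataChannel:
    mode: str        # "passive" or "active"
    opener: str      # "client" or "server": who sends the TCP SYN
    src_host: str
    src_port: int    # 0 means "arbitrary ephemeral port"
    dst_host: str
    dst_port: int


def _decode_six_tuple(text):
    """Return (dotted_host, port) from an h1,h2,h3,h4,p1,p2 tuple, validating ranges."""
    m = _SIX_TUPLE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("octet out of range in: %r" % text)
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def passive_data_channel(pasv_reply, client_ip):
    """Parse the server's 227 reply; the client will open the data connection."""
    if not pasv_reply.startswith("227"):
        raise ValueError("expected a 227 reply, got: %r" % pasv_reply)
    host, port = _decode_six_tuple(pasv_reply)
    return DataChannel("passive", "client", client_ip, 0, host, port)


def active_data_channel(port_command, server_ip):
    """Parse the client's PORT command; the server will connect out from port 20."""
    if not port_command.upper().startswith("PORT "):
        raise ValueError("expected a PORT command, got: %r" % port_command)
    host, port = _decode_six_tuple(port_command)
    return DataChannel("active", "server", server_ip, 20, host, port)


def server_side_rule(ch):
    """What the server's firewall/NAT has to permit for this data channel.

    Passive: an inbound connection to an arbitrary high port on the server,
    so a NAT in front of the server must forward the whole passive range.
    Active: an outbound connection from port 20; a NAT between server and
    client may rewrite that source port to an arbitrary one, which is the
    "arbitrary port to arbitrary port" situation the message describes.
    """
    if ch.mode == "passive":
        return "allow in tcp from any to %s port %d" % (ch.dst_host, ch.dst_port)
    return "allow out tcp from %s port %d to %s port %d" % (
        ch.src_host, ch.src_port, ch.dst_host, ch.dst_port)


def advertised_host_mismatch(ch, control_peer_ip):
    """True when a passive server advertises an address other than the one the
    control connection goes to: the usual symptom of an FTP server behind NAT
    announcing its private address.  A client should connect to the control
    peer instead of the advertised address, or the transfer will never start."""
    return ch.mode == "passive" and ch.dst_host != control_peer_ip


if __name__ == "__main__":
    # Constructed sample exchange: client 198.51.100.7, server 192.0.2.10
    pasv = passive_data_channel("227 Entering Passive Mode (192,0,2,10,195,80).", "198.51.100.7")
    port = active_data_channel("PORT 198,51,100,7,4,1", "192.0.2.10")
    for ch in (pasv, port):
        print(ch.mode, "->", ch.opener, "connects", ch.src_host, ch.src_port,
              "to", ch.dst_host, ch.dst_port, "|", server_side_rule(ch))
```

Running the module shows the asymmetry the message is about: in passive mode the rule has to admit an inbound connection to a high server port, while in active mode it is the server that connects out to whatever port the client named.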