This is because of the FTP protocol. For data transfers (and this includes
directory listings), the client sends a "PORT" command to the server, which
specifies its own IP address and a port number on which it will listen for
the data connection. To successfully proxy FTP through a firewall, the proxy
must look for the PORT command and substitute its own address (or a
destination address that will get translated successfully) in the PORT
command. The proxy must then listen on the appropriate port, and pass the
traffic through to the client.
Chapman & Zwicky's Building Internet Firewalls (p.224-225) has a good
description of this, with a pretty picture to look at. Cheswick & Bellovin's
Firewalls and Internet Security (p.40) shows the actual data that gets
passed.
Ron Hardin <rhardin@telerama.lm.com> writes:
-> Greetings!
->
-> If anyone can help...
->
-> I have an NT server sitting behind a FW-1 gateway. The group that is
-> responsible for the server wishes to permit FTP access. This host is
-> on a separate enet segment off a quad port in my Sun host. NAT is
-> in force for all hosts behind the firewall.
->
-> When an ftp session is initiated from the outside (say with Netscape)
-> the host is contacted, but the illegal IP (not xlated) and associated
-> port is passed back to the browser. Needless to say the ftp session
-> fails. Any suggestions where to look for the solution?
->
-> Thanks...
-> displayed
->
*--------------------------------------------------------------------*
| Renee Landers network security division |
| Security Consultant Security First Technologies |
| rlanders@s-1.com 3390 Peachtree Road, Suite 1700 |
| (404) 812-6640 Atlanta, GA 30326-1108 |
*--------------------------------------------------------------------*
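As an added illustration (not code from the message above or from any firewall product), here is a small Python model of the PORT handling the reply describes: a parser for "PORT h1,h2,h3,h4,p1,p2", a check that flags a PORT command carrying an address the outside peer could never connect back to (the "illegal IP, not xlated" symptom in the quoted question), and the substitution table a NAT-aware proxy keeps so that it knows which internal client each external listen port belongs to. The actual socket listening and data forwarding are not modelled; the external address 203.0.113.1, the internal address 10.0.0.5 and the port pool 40000-40999 are constructed values, and the class name PortRewriter is my own.

```python
"""Model of the FTP PORT rewriting a NAT/firewall proxy must perform.

Added example, not part of the original mailing-list message. Only the
control-channel text is handled; listening for and relaying the data
connection is left out.
"""
import ipaddress
import re

# RFC 959 PORT syntax: four address octets, then the port as p1*256 + p2.
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port(line):
    """Return (ip, port) from a PORT command line; raise ValueError if malformed."""
    m = PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a well-formed PORT command: %r" % line)
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PORT field out of range: %r" % line)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PORT with port 0 is not usable")
    return ip, port


def format_port(ip, port):
    """Inverse of parse_port: build the PORT line for (ip, port)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def leaks_private_address(line):
    """True when the PORT command names an address that is not globally routable
    (e.g. an RFC 1918 address behind NAT): the remote server would try to open
    the data connection to an address it can never reach, and the listing or
    transfer fails exactly as described in the quoted question."""
    ip, _ = parse_port(line)
    return not ipaddress.ip_address(ip).is_global


class PortRewriter:
    """Substitutes the proxy's external address into PORT and remembers which
    external listen port corresponds to which internal (ip, port)."""

    def __init__(self, external_ip, first_port=40000, last_port=40999):
        self.external_ip = external_ip  # constructed: the proxy's outside address
        self._free = list(range(first_port, last_port + 1))
        self.mappings = {}  # external port -> (internal ip, internal port)

    def rewrite(self, line):
        """Parse the client's PORT, allocate an external port, return the
        rewritten PORT line the proxy should send on to the server."""
        inner_ip, inner_port = parse_port(line)
        if not self._free:
            raise RuntimeError("no free data ports on the proxy")
        ext_port = self._free.pop(0)
        self.mappings[ext_port] = (inner_ip, inner_port)
        return format_port(self.external_ip, ext_port)

    def release(self, ext_port):
        """Return an external port to the pool once the data connection is done."""
        self.mappings.pop(ext_port)
        self._free.append(ext_port)


if __name__ == "__main__":
    # Constructed sample: an inside client on 10.0.0.5 listening on port 1234.
    client_line = "PORT 10,0,0,5,4,210"
    print("client sent:   ", client_line, "leaks private address:",
          leaks_private_address(client_line))
    proxy = PortRewriter("203.0.113.1")
    print("proxy forwards:", proxy.rewrite(client_line))
    print("mapping table: ", proxy.mappings)
```

The mapping table is the piece that most often goes wrong in practice: without it the proxy can substitute its own address but has no way to hand the inbound data connection back to the right inside client. A proxy that never rewrites PORT at all is easy to spot on the wire, since every PORT line on the outside of the firewall will still carry an inside address, which is what leaks_private_address flags.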