 From:  "Chris Bagnall" <m0n0wall at minotaur dot cc>
 To:  "'sylikc'" <sylikc at gmail dot com>, <m0n0wall at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall] NAT > FTP
 Date:  Mon, 18 Oct 2004 09:37:50 +0100
> Filtering/modifying PORT commands is the job of a transparent 
> system that has to analyze every packet that's travelling out 
> of m0n0.  I don't think it's possible in m0n0, and for the 
> most part, IMHO it should be the job of the server to modify 
> the PORT requests rather than relying on the upstream provider.

Would it not be simpler to run your FTP servers in passive mode and open a
limited range of ports to be used for PASV connections? It's a little more
work in terms of opening 2 port ranges for each server (PASV range and the
initial connection port), but it's probably a lot easier than trying to get
the router to modify the PORT command for you.

The default configuration on more and more FTP clients these days seems to
be to connect passively, so it shouldn't break too many of your clients, and
if it does, it's usually a simple change at their end.


C.M. Bagnall, Partner, Minotaur
Tel: (07010) 710715   Mobile: (07811) 332969   ICQ: 13350579
AIM: MinotaurUK   MSN: minotauruk at hotmail dot com   Y!: Minotaur_Chris
This email is made from 100% recycled electrons
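The check a practitioner would want after following the advice above is to confirm, from outside the firewall, that the server's 227 reply actually points at an address and port the firewall forwards. The Python below is an added example, not code from this thread or from the m0n0wall project: it parses the PASV reply (and, for contrast, an active-mode PORT command) per RFC 959, compares the advertised endpoint with the public address and the PASV range opened on the router, and can optionally log in to a live server to fetch the reply. The sample reply lines, the public address 203.0.113.7 and the range 50000-50100 are constructed assumptions. One caveat the message does not spell out: a server behind NAT must be told its external address (pasv_address in vsftpd, MasqueradeAddress in ProFTPD), or the 227 reply will carry the private address and passive transfers from the Internet will fail even with the port range open.

```python
"""Check an FTP server's passive-mode data endpoint against firewall rules.

Added example; not code from the m0n0wall project or the thread's authors.
"""
import ipaddress
import re
import socket

# Constructed sample lines (not captured from any real server).
SAMPLE_PASV_REPLY = "227 Entering Passive Mode (192,168,1,10,195,88)"
SAMPLE_PORT_CMD = "PORT 10,0,0,5,4,1"

# h1,h2,h3,h4,p1,p2 as used by both PASV replies and PORT commands (RFC 959).
_SIX = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PASV_RE = re.compile(r"^227\b.*?" + _SIX)
_PORT_RE = re.compile(r"^PORT\s+" + _SIX + r"\s*$", re.IGNORECASE)


def _decode(match):
    """Turn the six numeric fields into (host, port); port = p1*256 + p2."""
    nums = [int(g) for g in match.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field outside 0-255: %r" % match.group(0))
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("data port 0 is not usable")
    return host, port


def parse_pasv_reply(line):
    """Parse the server's 227 reply to PASV. Returns (host, port)."""
    m = _PASV_RE.search(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    return _decode(m)


def parse_port_command(line):
    """Parse a client's active-mode PORT command. Returns (host, port)."""
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m)


def check_passive_endpoint(reply, public_ip, pasv_range):
    """Return the reasons the advertised data endpoint would not be reachable
    through a firewall that forwards only port 21 and pasv_range to the
    server. An empty list means the reply is consistent with those rules."""
    host, port = parse_pasv_reply(reply)
    low, high = pasv_range
    problems = []
    if host != public_ip:
        note = "server advertises %s instead of %s" % (host, public_ip)
        if ipaddress.ip_address(host).is_private:
            note += (" (private address leaked through NAT; configure the"
                     " server's passive/masquerade address)")
        problems.append(note)
    if not low <= port <= high:
        problems.append("data port %d is outside the opened PASV range %d-%d"
                        % (port, low, high))
    return problems


def probe_pasv(host, port=21, user="anonymous", password="guest@", timeout=5.0):
    """Log in to a live server and return its final 227 line (needs network
    access; not exercised offline). Multi-line replies are consumed until the
    'ddd ' terminator line."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")

        def read_reply():
            line = f.readline().decode("ascii", "replace")
            code = line[:3]
            while line and not line.startswith(code + " "):
                line = f.readline().decode("ascii", "replace")
            return line.rstrip("\r\n")

        def send(cmd):
            f.write((cmd + "\r\n").encode("ascii"))
            f.flush()
            return read_reply()

        read_reply()                       # 220 banner
        if send("USER " + user).startswith("331"):
            send("PASS " + password)
        reply = send("PASV")
        send("QUIT")
        return reply


if __name__ == "__main__":
    # Assumed public address and firewall-opened PASV range (constructed).
    for problem in check_passive_endpoint(SAMPLE_PASV_REPLY, "203.0.113.7",
                                          (50000, 50100)):
        print("PROBLEM:", problem)
```

Run it from a host on the far side of the m0n0wall box (pass the router's external address to probe_pasv) so that the reply reflects what Internet clients will actually see; a clean run from the LAN proves little, because the private address in the 227 reply is reachable there.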