 From:  sylikc <sylikc at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Passive Mode FTP
 Date:  Tue, 19 Apr 2005 14:19:50 -0700

Manuel,

On 4/7/05, Manuel Kasper <mk at neon1 dot net> wrote:
> It should be mentioned at this point (and hopefully once and for all)
> that ipnat (and thus m0n0wall) does indeed fix up PORT commands sent
> by FTP clients behind NAT to FTP servers on the Internet. Therefore,
> both active and passive FTP clients can be used behind m0n0wall (as
> long as NAT is on, which is the case in almost all setups). What
> doesn't work (and that's a limitation in ipnat) is fixup of PASV
> responses made by FTP servers behind m0n0wall. So at present, if you
> want to run an FTP server behind m0n0wall in passive mode (active
> mode is no problem), you need a static WAN IP address and a good FTP
> server that allows you to specify the IP address to be returned in
> PASV responses. Then, if you map/configure the proper port ranges,
> passive FTP servers behind m0n0wall will work too. Other than that,
> there are *no* restrictions to using FTP with m0n0wall (aside from
> the fact that EPRT/EPSV aren't supported, but these aren't in
> widespread use anyway).

Is there any way to disable (using a flag or a command in config.xml)
the automatic PORT translations done by ipnat?  I always have funny
problems using FTP in Explicit auth mode from an FTP client in active
mode on the LAN to a server on OPT1 (DMZ).  It works fine "sometimes"
when done without any type of explicit auth or implicit auth, but I
was just wondering if there is a way to disable this functionality?


/sylikc
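
Added example (not part of the original message and not ipnat's code): a Python sketch of the rewriting discussed in this thread, showing a PORT fixup and a check for a PASV reply that still carries a private address. The function names, the sample addresses and the rule that only a PORT naming the client's own address is rewritten are assumptions of this sketch. A helper of this kind needs a cleartext control channel: after AUTH TLS the PORT line travels inside a TLS record and passes through unmodified.

```python
import ipaddress
import re

# PORT (client, active mode) and the 227 reply to PASV (server, passive mode)
# carry the same tuple: four address octets, then port high byte, low byte.
TUPLE = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT " + TUPLE + r"\r?\n?$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 .*?" + TUPLE)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def decode(groups):
    """Return (ip, port) from the six decimal fields, or None if invalid."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def encode(ip, port):
    """Format an address and port as the comma-separated FTP tuple."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])

def fixup_port(line, client_ip, wan_ip, wan_port):
    """Rewrite a cleartext PORT command the way a NAT helper would.

    Only a PORT naming the client's own address is rewritten; anything else
    (other commands, malformed tuples, TLS records) passes through unchanged.
    """
    m = PORT_RE.match(line)
    target = decode(m.groups()) if m else None
    if target is None or target[0] != client_ip:
        return line
    return "PORT " + encode(wan_ip, wan_port) + "\r\n"

def pasv_advertises_private(reply):
    """True if a 227 reply names an RFC 1918 address (no fixup was applied)."""
    m = PASV_RE.match(reply)
    target = decode(m.groups()) if m else None
    if target is None:
        return False
    addr = ipaddress.ip_address(target[0])
    return any(addr in net for net in RFC1918)

if __name__ == "__main__":
    # Constructed sample lines; addresses are private/documentation ranges.
    print(repr(fixup_port("PORT 192,168,1,50,195,80\r\n",
                          "192.168.1.50", "203.0.113.7", 40000)))
    print(pasv_advertises_private(
        "227 Entering Passive Mode (192,168,1,10,195,80)\r\n"))
```

A 227 reply for which `pasv_advertises_private` returns true is the case the quoted message describes: the server behind NAT has to be configured to return the static WAN address itself, because nothing in the path rewrites it.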