 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] FTP NAT redux
 Date:  Sun, 29 Aug 2004 14:44:29 -0700 (PDT)
On Sat, 28 Aug 2004, Neil Schneider wrote:

> OK, I just changed from Server NAT to 1:1 NAT, changed all my
> forwarding rules and tested from a remote machine behind another
> M0n0wall. And it works! Didn't even turn on logging. Just changed all
> the inbound NAT rules and then the type of NAT and tested.
> 
> Still like to know what the technical difference is between Server NAT
> and 1:1 NAT. I also reduced the port range from 1024-65535 to
> 49152-65535 and it still works, at least with ncftp client and vsftp
> server.

Server NAT just configures additional IPs for use in Inbound NAT.  1:1 NAT
maps a WAN IP to/from a LAN IP completely, regardless of protocols or port
numbers.  That's "more transparent", but still not fully so, since the WAN
IP still differs from what the application sees.  In particular, FTP still
needs tweaking of the control connection in the cases where the data
connection will be inbound (active-mode client or passive-mode server),
unless the FTP application itself can be configured to know the "real" IP.

BTW, I'm not sure how 1:1 NAT and Inbound NAT interact, but you shouldn't
need the latter for any machine where you've set up the former.  So the
port range for this server should really be *eliminated*, not "reduced".  
The firewall rules still need to allow access to the ephemeral ports,
though, for whatever range(s) the server in question defines as
"ephemeral".

					Fred Wright
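
An added illustration of the point in the message above, not part of the original e-mail and not m0n0wall's code: 1:1 NAT translates the IP header, but the address an FTP server writes into its 227 reply (or an active-mode client writes into PORT) stays the LAN address unless something rewrites the control connection. The addresses and function names below are constructed for this sketch.

```python
import re

# h1,h2,h3,h4,p1,p2 tuple carried by both PORT (client) and 227 (server), RFC 959
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(line):
    """Return (ip, port) embedded in a PORT command or 227 reply, else None."""
    if not (line.upper().startswith("PORT ") or line.startswith("227")):
        return None
    m = _HOSTPORT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None
    # Data port is p1*256 + p2
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def rewrite_for_nat(line, lan_ip, wan_ip):
    """Swap the embedded LAN address for the WAN address, keeping the port.
    Lines with no address, or with some other address, pass through unchanged."""
    parsed = parse_hostport(line)
    if parsed is None or parsed[0] != lan_ip:
        return line
    port = parsed[1]
    new = "%s,%d,%d" % (wan_ip.replace(".", ","), port // 256, port % 256)
    return _HOSTPORT.sub(new, line, count=1)

# Constructed control-connection lines: server at LAN 192.168.1.10,
# mapped 1:1 to WAN 203.0.113.5 (documentation address range).
SAMPLE = [
    "USER anonymous",
    "227 Entering Passive Mode (192,168,1,10,192,12)",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", rewrite_for_nat(line, "192.168.1.10", "203.0.113.5"))
```

The rewritten line can differ in length from the original, so a real in-path helper also has to adjust TCP sequence numbers; this sketch only shows the payload change. The advertised data port (49164 here) is what the firewall rules still have to admit.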