Firewall Wizards mailing list archives

Re: Active FTP behind a router doing NAT


From: Ryan Russell <ryan () securityfocus com>
Date: Mon, 13 Mar 2000 09:27:29 -0800 (PST)

On Wed, 8 Mar 2000, Arnaud Chiaberge wrote:

Hello,

If I have understood correctly, an active FTP client, in a simple NAT environment
(I mean, only dynamic NAT/PAT on a router, no socks, no proxy or any kind
of firewall, just a box doing NAT), should not work.

Theoretically, you're correct.  A simple, brain-dead NAT will break FTP.
There are no such beasts on the market (Well, I suppose you could take
IPChains, and purposely forget to add the FTP handler...)  Since FTP is in 
the top 3 for protocol requirements, it's always handled, which means all
the NAT/PAT devices are stateful.  I suppose that's one good thing one can
say about FTP. :)

Let's assume we have a private network behind a router doing NAT with only
one public IP address on its external interface.
Now, an FTP client, inside the private network, connects to an external FTP
server. Since NAT is completely transparent to the client box, when a data
transfer has to occur (in active mode), the client sends a packet to the
server with, in the payload of the packet, the port XX where the server is
expected to connect to.
The NAT box will translate the source IP address of the client to the
external public IP address, and will then receive an inbound connection from
the server on its port XX. How will the NAT box handle this?


It modifies the PORT command so it points to the translated address, then
adds an entry to the state table to handle that.  That makes it minimally
stateful.  Unfortunately, since most vendors only do the minimum to get
the protocol to function, that tends to leave interesting holes, like
those published recently relating to FTP and SPF.

                                Ryan
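The PORT-rewriting behaviour Ryan describes, as an added example that is not code from the original thread: a toy Python (assumed 3.x) model of a NAT box with an FTP handler that rewrites the client's PORT line to the public address, allocates a public port, records the expectation, and only admits the inbound data connection from the server of that control session. The public IP, port range and host addresses are constructed sample values.

```python
import re

# Added model (Python 3) of the minimal stateful FTP handling described above.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

def parse_port(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); None if not a PORT line."""
    m = PORT_RE.match(line)
    if m is None:
        return None
    f = [int(x) for x in m.groups()]
    return ".".join(str(x) for x in f[:4]), (f[4] << 8) | f[5]

def format_port(ip, port):
    """Encode (ip, port) as an RFC 959 PORT command line."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)

class FtpNat:
    """Toy NAT/PAT with an FTP handler: one public IP, dynamic port allocation."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.expect = {}  # public_port -> (server_ip, client_ip, client_port)

    def rewrite_control(self, client_ip, server_ip, line):
        """Translate one client->server control line; returns the line to forward."""
        parsed = parse_port(line)
        if parsed is None:
            return line
        addr, port = parsed
        if addr != client_ip:  # PORT must name the client itself; otherwise leave it alone
            return line
        public_port = self.next_port
        self.next_port += 1
        self.expect[public_port] = (server_ip, client_ip, port)
        # The rewritten line can change length, so a real NAT must also fix up TCP
        # sequence/ack numbers on the control connection; that part is omitted here.
        return format_port(self.public_ip, public_port)

    def inbound_data(self, src_ip, dst_port):
        """Server connects to public_ip:dst_port; returns the private (ip, port) or None (drop)."""
        entry = self.expect.get(dst_port)
        if entry is None or entry[0] != src_ip:  # only the server from that control session
            return None
        del self.expect[dst_port]
        return entry[1], entry[2]
```

The expectation is consumed on first use and bound to the server's address, which is the part a "do the minimum" implementation tends to skip.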
