Firewall Wizards mailing list archives
Re: Active FTP behind a router doing NAT
From: Ryan Russell <ryan () securityfocus com>
Date: Mon, 13 Mar 2000 09:27:29 -0800 (PST)
On Wed, 8 Mar 2000, Arnaud Chiaberge wrote:
Hello, if I have well understood, an active FTP client, in a simple NAT environment (I mean, only dynamic NAT/PAT on a router, no SOCKS, no proxy or any kind of firewall, just a box doing NAT), should not work.
Theoretically, you're correct. A simple, brain-dead NAT will break FTP. There are no such beasts on the market (well, I suppose you could take IPChains and purposely forget to add the FTP handler...). Since FTP is in the top 3 for protocol requirements, it's always handled, which means all the NAT/PAT devices are stateful. I suppose that's one good thing one can say about FTP. :)
Let's assume we have a private network behind a router doing NAT with only one public IP address on its external interface. Now, an FTP client inside the private network connects to an external FTP server. Since NAT is completely transparent to the client box, when a data transfer has to occur (in active mode), the client sends a packet to the server with, in the payload of the packet, the port XX where the server is expected to connect to. The NAT box will translate the source IP address of the client to the external public IP address, and will then receive an inbound connection from the server on its port XX. How will the NAT box handle this?
It modifies the PORT command so it points to the translated address, then adds an entry to the state table to handle that. That makes it minimally stateful. Unfortunately, since most vendors only do the minimum to get the protocol to function, that tends to leave interesting holes, like those published recently relating to FTP and SPF.

Ryan
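The rewrite Ryan describes, as an added illustration that is not code from the list or from any vendor's NAT: a minimal FTP helper that parses an outbound PORT command, rewrites it to the public address with a freshly allocated port, and records the inbound data connection the NAT box should now accept. The addresses, the port allocator and the check that the PORT address matches the client that sent it are assumptions of this example.

```python
import re
from dataclasses import dataclass

# PORT h1,h2,h3,h4,p1,p2 -- address and port split into decimal bytes (RFC 959)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")


@dataclass(frozen=True)
class Expect:
    """State-table entry: inbound server -> public_ip:public_port is forwarded to the client."""
    public_ip: str
    public_port: int
    client_ip: str
    client_port: int


def parse_port(line):
    """Return (ip, port) from a PORT command, or None if the line is not a valid PORT."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_port(ip, port):
    return "PORT " + ",".join(ip.split(".") + [str(port // 256), str(port % 256)]) + "\r\n"


def rewrite_port(line, client_ip, public_ip, alloc_port, state):
    """Rewrite an outbound control-channel line; non-PORT lines pass through untouched.

    A real NAT must also fix up TCP sequence numbers, since the rewritten line may change length.
    """
    parsed = parse_port(line)
    if parsed is None:
        return line
    addr, client_port = parsed
    if addr != client_ip:
        # Assumed check: only open a hole back to the host that actually sent the command.
        return line
    public_port = alloc_port()  # assumed allocator for a free port on the public side
    state[(public_ip, public_port)] = Expect(public_ip, public_port, client_ip, client_port)
    return format_port(public_ip, public_port)


def inbound_match(state, dst_ip, dst_port):
    """Look up an inbound SYN against the state table; None means the NAT box drops it."""
    return state.get((dst_ip, dst_port))
```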