Firewall Wizards mailing list archives

Active FTP behind a router doing NAT


From: "Arnaud Chiaberge" <a.chiaberge () free fr>
Date: Wed, 8 Mar 2000 09:50:04 +0100

Hello,

If I have understood correctly, an active FTP client in a simple NAT environment
(I mean only dynamic NAT/PAT on a router, no SOCKS, no proxy or any kind
of firewall, just a box doing NAT) should not work.

Let me explain:

Let's assume we have a private network behind a router doing NAT with only
one public IP address on its external interface.
Now, an FTP client inside the private network connects to an external FTP
server. Since NAT is completely transparent to the client box, when a data
transfer has to occur (in active mode), the client sends a packet to the
server with, in the payload of the packet, the port XX that the server is
expected to connect to.
The NAT box will translate the source IP address of the client to the
external public IP address, and will then receive an inbound connection from
the server on its port XX. How will the NAT box handle this?

Am I right in saying that only a dedicated FTP proxy, SOCKS, or even a stateful
inspection firewall will let this kind of inbound traffic in, from the
server to the client?

Thanks

Arnaud Chiaberge
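
The situation described in the post, as an added example that is not part of the original message: a NAT that rewrites only packet headers leaves the client's private address in the `PORT` argument (RFC 959 format), while an FTP-aware NAT rewrites the argument and remembers which single inbound data connection to forward. `FtpAwareNat`, its method names and all addresses are hypothetical and constructed for illustration.

```python
import re

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2 -> IP octets, port = p1*256 + p2
PORT_RE = re.compile(rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n")

def parse_port(line):
    """Return (ip, port) carried in a PORT command, or None."""
    m = PORT_RE.fullmatch(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def build_port(ip, port):
    return ("PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)).encode()

class FtpAwareNat:
    """Toy model (hypothetical) of a NAT box that inspects the FTP control channel."""
    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.expect = {}  # public port -> (client ip, client port, server ip)

    def outbound_control(self, client_ip, server_ip, payload):
        """Rewrite PORT and record the inbound data connection to expect."""
        parsed = parse_port(payload)
        if parsed is None or parsed[0] != client_ip:
            return payload  # not PORT, or names another host: no mapping created
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.expect[public_port] = (client_ip, parsed[1], server_ip)
        return build_port(self.public_ip, public_port)

    def inbound_syn(self, src_ip, dst_port):
        """Return the inside (ip, port) to forward to, or None to drop."""
        entry = self.expect.get(dst_port)
        if entry is None or entry[2] != src_ip:
            return None  # no PORT seen for this port, or wrong peer
        del self.expect[dst_port]  # mapping is single-use
        return entry[0], entry[1]

if __name__ == "__main__":
    # Constructed sample: client 192.168.1.10 announces port 1234 (4*256 + 210)
    nat = FtpAwareNat("203.0.113.5")
    sent = b"PORT 192,168,1,10,4,210\r\n"
    print("header-only NAT forwards:", sent)  # private address still in payload
    print("FTP-aware NAT forwards:  ", nat.outbound_control("192.168.1.10", "198.51.100.20", sent))
    print("server connects back ->  ", nat.inbound_syn("198.51.100.20", 50000))
```

The rewritten command can differ in length from the original, so a real implementation also has to adjust TCP sequence and acknowledgement numbers on the control connection, which this model leaves out.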
