Re: [cmakin@nla.gov.au: Re: NAT and FTP]
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: Re: [cmakin@nla.gov.au: Re: NAT and FTP]
- From: Benedikt Stockebrand <benedikt_(_at_)_devnull_(_dot_)_ruhr_(_dot_)_de>
- Date: 18 Feb 1997 00:39:03 +0100
Felix Schroeter <felix_(_at_)_mamba_(_dot_)_pond_(_dot_)_sub_(_dot_)_org> writes:
> In article <199702121456_(_dot_)_HAA25687_(_at_)_sun4c_(_dot_)_openbsd_(_dot_)_org>,
> Kenneth Stailey <kstailey_(_at_)_sun4c_(_dot_)_openbsd_(_dot_)_org> wrote:
> >[...]
>
> >You are correct. NAT will not pass standard FTP sessions.
>
> That's right. By the way, the Linux IP masquerading won't either.

And it shouldn't. Any protocol that needs some contents mangling
should be dealt with in userspace. First of all, this is a complex
business. Next, what if the other side maliciously sends junk? If
this is done in kernelspace (instead of a daemon running as nobody
and/or in a sand box) any coding error will be fatal. And finally,
how would you deal with some non-standard protocol using the (at some
box unused) ftp port?

BTW, there should be a variety of such FTP circuit proxies available.
The first place to check should be the TIS Firewall Toolkit (fwtk),
which is basically freely available. I haven't checked this myself
though; I'd rather use passive mode FTP anyway.

So long,

Ben
--
Ben(edikt)? Stockebrand Runaway ping.de Admin---Never Ever Trust Old Friends
My name and email address are not to be added to any list used for advertising
purposes. Any sender of unsolicited advertisement e-mail to this address im-
plicitly agrees to pay a DM 500 fee to the recipient for proofreading services.
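
An added example, not part of the original message and not code from fwtk or any other proxy: the contents mangling that active-mode FTP needs behind NAT is a rewrite of the RFC 959 `PORT h1,h2,h3,h4,p1,p2` argument, and a userspace proxy can refuse anything that is not exactly that. The function names, the 512-byte line cap, the refusal of ports below 1024 and all addresses are assumptions made for this sketch.

```python
import ipaddress
import re

# RFC 959 PORT argument: six decimal fields, h1,h2,h3,h4,p1,p2, then CRLF.
_PORT_RE = re.compile(rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n")
MAX_LINE = 512  # assumed cap on a control-channel line


class RejectLine(ValueError):
    """Raised for any control line the proxy refuses to forward."""


def parse_port(line: bytes):
    """Return (IPv4Address, port) for a well-formed PORT line, else raise."""
    if len(line) > MAX_LINE:
        raise RejectLine("line too long")
    m = _PORT_RE.fullmatch(line)  # fullmatch: no trailing junk tolerated
    if m is None:
        raise RejectLine("malformed PORT")
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise RejectLine("field out of range")
    port = nums[4] * 256 + nums[5]
    if port < 1024:  # assumed policy: never relay to privileged ports
        raise RejectLine("privileged port")
    return ipaddress.IPv4Address(bytes(nums[:4])), port


def rewrite_port(line: bytes, client_ip: str, public_ip: str, public_port: int):
    """Validate the client's PORT line and build the one sent to the server.

    Returns (rewritten_line, (inside_addr, inside_port)); the caller is
    assumed to be listening on public_ip:public_port (1..65535) and to
    relay the server's data connection to the inside address.
    """
    addr, port = parse_port(line)
    # Refuse PORT lines naming a third host instead of the connected client.
    if addr != ipaddress.IPv4Address(client_ip):
        raise RejectLine("PORT address is not the connected client")
    h = ipaddress.IPv4Address(public_ip).packed
    out = b"PORT %d,%d,%d,%d,%d,%d\r\n" % (*h, public_port >> 8, public_port & 0xFF)
    return out, (addr, port)


def is_rejected(line: bytes, client_ip: str = "192.168.1.10") -> bool:
    """True if the (constructed) line would be dropped rather than forwarded."""
    try:
        rewrite_port(line, client_ip, "203.0.113.5", 40000)
        return False
    except RejectLine:
        return True
```
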