Re: IP MASQUERADING broken again from v1.3.81 onwards

Jos Vos (
Fri, 05 Apr 1996 16:19:00 +0200

> I remember reading a piece of source code, was it ftp or ftpd, where
> port 20 was commented out, and a 0 was inserted instead, so the system
> will create its own port.

Maybe, but most (all?) ftp daemons still seem to use port 20 and
firewall literature usually lists just this particular port.

> the PORT command, as I understand it, is used when the ftp-server
> establishes a data-connection to the ftp-client, with the selected port
> as target address. so you don't know which port is going to be used
> locally.

You do know, because you (the client) send the port command to the server,
saying on which port you want to accept an incoming ftp data connection.

> and second, if you have configured your firewall in a way that only
> allows packets with SYN=1 out your firewall and ACK=1 into your firewall,
> then you cannot use non-passive ftp-mode, since you cannot connect
> through your fireall from outside. (this is what I meant with "closed"
> firewall)

That's true if you don't accept incoming connections at all, also not
to the firewall host itself (e.g., incoming SMTP or HTTP connections).

But, when using IP masquerading with the special FTP module, you can
configure your firewall so that it will never *forward* incoming
connections to some internal host, and even then you will be able to handle
*incoming* ftp-data connection related to some *outgoing* ftp session
(that is, an ftp session initiated by a client on your internal network).

--    Jos Vos <>
--    X/OS Experts in Open Systems BV   |   Phone: +31 20 6938364
--    Amsterdam, The Netherlands        |     Fax: +31 20 6948204