New Zealand ADSL Mailing List


FTP server behind a m1122, now NetMeeting

From: Neal Blackie <nblackie_at_clear.net.nz>
Date: Wed, 13 Dec 2000 12:27:31 +1300
Message-ID: <000d01c06493$19ba6530$fd01a8c0@hydrogen>

Stephen, your presentation of the four ftp scenarios is fantastic. Any
chance of a similar one for Net Meeting? (inside out, outside in etc)
Problems and required pinholes would be great. This is the one thing still
giving me grief.

Thanks, Neal Blackie.

-----Original Message-----
From: owner-adsl@unixathome.org [mailto:owner-adsl@unixathome.org]On
Behalf Of Brian Gibbons
Sent: Wednesday, 13 December 2000 11:39 a.m.
To: Stephen Betts; ADSL Mailing List
Subject: Re: FTP server mehind a m1122

>From: "Stephen Betts" <stephen.betts@Jalna7.co.nz>
>I don't confess to know anything about the ftp protocol but didn't someone
>in the last couple of weeks point out there was a problem with the
>application level gateway in the NAT on the M1122 family, and a lot of people
>were having problems since the M10 - M1122 upgrade.
>http://www.unixathome.org/adsl/2000_11/0301.html I think is the message
>stating the problem has been relayed to Nokia.

As a follow up to that posting. The fault was that the M11 and Mx1122
routers would work for a PORT command but not for a Port command (case
sensitivity). Nokia have reported back that the fault has been addressed in
R09 of the firmware, I have not tested to confirm this.

This fault would surface only for certain FTP clients that are configured
not to use PASV (e.g. BFTP was reported as failing, CuteFTP works etc).

There are at least four scenarios of ftp via a NAT router where an Invisible
FTP "proxy" has to fix up FTP to get around NAT issues, I will list those
here for future reference, you will see why this is the most frequently
reported issue on this list.

InsideOut - PORT mode
-----------------------

An FTP client, with a private IP address accessing an Internet server via a
NAT box using PORT mode.

The Invisible proxy on the NAT box must intercept the PORT command coming
from the client, the proxy must set up an "on the fly pinhole" from the
outside IP address/port to the inside IP/port (as contained in the PORT
command). The proxy then changes the parameters of the PORT command to
reflect the outside IP/port and forwards this to the server.

InsideOut - PASV mode
-----------------------

An FTP client, with a private IP address accessing an Internet server via a
NAT box using PASV mode.

The Invisible proxy on the NAT box need not get involved, PASV mode will
work fine via a NAT box as the DATA connection is outgoing like any other.

OutsideIn - PORT mode
-----------------------

An FTP client, with a public IP address on the Internet accessing a server
that has a private IP address inside a NAT box using PORT mode. Assumes
there is a pinhole from the outside IP port 21 to the inside server IP port
21.

The Invisible proxy on the NAT box need not get involved, the client on the
Internet will issue a PORT command containing IP/port that are valid from
the server's point of view.

OutsideIn - PASV mode
-----------------------

An FTP client, with a public IP address on the Internet accessing a server
that has a private IP address inside a NAT box using PASV mode. Assumes
there is a pinhole from the outside IP port 21 to the inside server IP port
21.

The Invisible proxy on the NAT box must intercept the PASV command coming
from the server as it will contain the private IP address of the server. The
proxy must set up an "on the fly pinhole" from the outside IP address/port
to the inside IP/port (as contained in the PASV command). The proxy then
changes the parameters of the PASV command to reflect the outside IP/port
and forwards this to the client.

Summary
----------

There are two scenarios where FTP via NAT will work without involvement of
the invisible proxy, it is handy to know these modes when trying to diagnose
the source of problems:

InsideOut - PASV mode
OutsideIn - PORT mode

This leaves two modes where you are reliant on a well implemented invisible
proxy

InsideOut - PORT mode
OutsideIn - PASV mode

It is these two modes that are most problematic, not many NAT boxes
implement an OutsideIn - PASV mode fixup.

Pinhole Requirements
----------------------

Only OutsideIn scenarios require any pinholes, no amount of pinholing will
fix an InsideOut problem, they will probably cause other problems.

Only one pinhole is required for OutsideIn scenarios, from port 21 on the
outside to port 21/private IP address of the server. You should test PORT
mode from the outside first, if this works and PASV doesn't you have a
broken FTP proxy and no amount of pinholing will fix this.

This message is part of the NZ ADSL mailing list.
see http://unixathome.org/adsl/ for archives, FAQ,
and various documents.
To unsubscribe: send mail to majordomo@unixathome.org
with "unsubscribe adsl" in the body of the message

Received on Wed Dec 13 12:27:47 2000
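
Added example (not part of the original messages and not Nokia's firmware code): a Python version of the control-channel fixup that the InsideOut PORT and OutsideIn PASV scenarios above rely on, matching the verb case-insensitively so that `Port` is handled like `PORT`. The name `fixup`, its parameters, the sample addresses and the check that the embedded address belongs to the control-connection peer are assumptions of this example.

```python
import re

# RFC 959 host-port argument: h1,h2,h3,h4,p1,p2 (six decimal bytes)
HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
# FTP command verbs are case-insensitive, so "Port" must match like "PORT"
PORT_RE = re.compile(r"^PORT[ ]+" + HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227[ -].*?" + HOSTPORT)

def _encode(ip, port):
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])

def _decode(groups):
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("host-port field out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def fixup(line, peer_ip, outside_ip, outside_port):
    """Rewrite one control-channel line (hypothetical helper).

    line: a PORT command from an inside client (InsideOut) or a 227 reply
          from an inside server (OutsideIn), without the trailing CRLF.
    peer_ip: private address of the inside host that sent the line.
    Returns (line_to_forward, pinhole); pinhole is None when nothing changed,
    otherwise ((outside_ip, outside_port), (inside_ip, inside_port)).
    """
    m = PORT_RE.match(line)
    is_port = m is not None
    if not is_port:
        m = PASV_RE.match(line)
        if m is None:
            return line, None  # not a data-channel negotiation, pass through
    inside_ip, inside_port = _decode(m.groups())
    # Assumption: only open a pinhole towards the host that owns this
    # control connection, never to another inside address.
    if inside_ip != peer_ip:
        raise ValueError("embedded address does not match control peer")
    new_arg = _encode(outside_ip, outside_port)
    if is_port:
        fixed = line[:4] + " " + new_arg  # keep the client's verb casing
    else:
        fixed = line[:m.start(1)] + new_arg + line[m.end(6):]
    return fixed, ((outside_ip, outside_port), (inside_ip, inside_port))

if __name__ == "__main__":
    # Constructed sample: mixed-case verb from an inside client
    print(fixup("Port 192,168,1,10,4,1", "192.168.1.10", "203.0.113.5", 40000))
```
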


This archive was generated by hypermail 2.2.0 : Thu Nov 30 11:48:07 2006 EST