[sclug] Re: Firewalls
tigerstylus at hotmail.com
Sat Oct 25 09:05:32 UTC 2003
For what it's worth, and in danger of ranting... I apologise now. My take from
experience and the RFCs is below.
I would agree, having the IP address and port number in the FTP data payload
seems odd. But thinking about it logically, the only reasoning for this I
can think of is that the FTP control session must at some point publish the
IP address and TCP port number pairing for the FTP DATA session it will
support. Where else can it do this other than the payload..?!!?!
As we know the FTP control session uses one TCP port, the FTP data session
uses another, different port, 20 and 21.
The problem faced by NAT handling FTP data (it's a similar problem faced by
ICMP sometimes too) is mitigated by using an ALG (application layer gateway)
alongside, or as part of, your NAT/PAT system. It takes all responsibility for
monitoring the FTP sessions and modifying their address, port, sequence
number and checksum values in the respective TCP and IP headers... it can
modify the NAT/PAT tables accordingly if necessary... but usually keeps its
own tables or tuples of any connections.
Sorry if I am teaching anyone how to suck eggs....
Ahoj, mejte se...
Simon Young
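As an added illustration of the point made in the post above (this is example code written for this page, not anything from the author or the list), here is a small Python model of what an FTP ALG on a NAT box has to do with the address/port pair carried in the control channel payload. The RFC 959 `h1,h2,h3,h4,p1,p2` syntax for `PORT` and the `227` PASV reply is real; the inside and outside addresses, the port allocator and the `FtpAlg` class are constructed for the example. It shows the three things the post mentions: the pair is parsed out of the payload, rewritten to the NAT's outside address and a translated port, and, because the rewritten text can differ in length, the ALG must keep a byte delta to correct later TCP sequence and acknowledgement numbers on that control connection.

```python
import re

# RFC 959 address/port tuple as it appears in PORT commands and 227 replies:
# h1,h2,h3,h4,p1,p2 where the port is p1*256 + p2.
TUPLE_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Extract the (ip, port) pair carried in a PORT command or a 227 PASV reply."""
    m = TUPLE_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % text)
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet or port byte out of range in: %r" % text)
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def format_tuple(ip, port):
    """Inverse of parse_hostport: render an (ip, port) pair in RFC 959 form."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


class FtpAlg:
    """Minimal model (constructed for this example) of an FTP ALG on a NAT:
    it rewrites the tuple inside the control channel and tracks the length
    change that later TCP seq/ack numbers on that connection must absorb."""

    def __init__(self, inside_ip, outside_ip, allocate_port):
        self.inside_ip = inside_ip        # private address of the FTP client
        self.outside_ip = outside_ip      # public address the NAT presents
        self.allocate_port = allocate_port  # inside port -> outside port
        self.delta = 0        # cumulative bytes added to the client->server stream
        self.expected = {}    # (outside_ip, outside_port) -> (inside_ip, inside_port)

    def rewrite_port(self, line):
        """Translate one client->server PORT line; returns the line to forward."""
        ip, port = parse_hostport(line)
        if ip != self.inside_ip:
            # Only translate a tuple that names the host this control session
            # belongs to; otherwise the ALG would open a pinhole for a third party.
            raise ValueError("PORT address %s is not the inside host %s" % (ip, self.inside_ip))
        out_port = self.allocate_port(port)
        new_line = "PORT %s\r\n" % format_tuple(self.outside_ip, out_port)
        # The rewritten text may be longer or shorter than the original; every
        # byte of difference shifts the sequence space seen by the server.
        self.delta += len(new_line) - len(line)
        # Remember the expected inbound data connection so the NAT can map it
        # back to the client's real address and port when the server connects.
        self.expected[(self.outside_ip, out_port)] = (ip, port)
        return new_line

    def outbound_seq(self, seq):
        """Client->server sequence number for segments after the rewrite."""
        return (seq + self.delta) % (1 << 32)

    def inbound_ack(self, ack):
        """Server->client acknowledgement number, translated back for the client."""
        return (ack - self.delta) % (1 << 32)


if __name__ == "__main__":
    # Constructed sample: private client 192.168.1.10, NAT outside 203.0.113.5.
    alg = FtpAlg("192.168.1.10", "203.0.113.5", lambda inside_port: 40000)
    original = "PORT 192,168,1,10,4,1\r\n"          # client listens on 1025
    print(repr(original), "->", repr(alg.rewrite_port(original)))
    print("seq delta:", alg.delta, "expected data connections:", alg.expected)
    print("PASV reply parses to:", parse_hostport("227 Entering Passive Mode (203,0,113,5,156,64)."))
```

The same delta bookkeeping is what breaks if the control channel is encrypted or if the NAT has no ALG at all: the server receives a private address it cannot reach, which is exactly the failure the post describes.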