<david20@alpha2.mdx.ac.uk> wrote in message
news:dio15o$lnh$1@news.mdx.ac.uk...
> In article <E4qdnbbtgcQaWdPeRVn-hg@comcast.com>, "Alun Jones"
> <alun@texis.invalid> writes:
>>"Leythos" <void@nowhere.lan> wrote in message
>>news:kEw3f.105095$lI5.40473@tornado.ohiordc.rr.com...
>>> In article <-eGdnTC-H62FG9PeRVn-rw@comcast.com>, alun@texis.invalid
>>> says...
>>>> "Leythos" <void@nowhere.lan> wrote in message
>>>> news:MPG.1dacbea55d89a2ee98a1c1@news-server.columbus.rr.com...
>>>> > You really are a dufus - I never said that NAT didn't impact Active
>>>> > FTP, not once. I said that NAT doesn't break FTP, never saying
>>>> > anything about Active or Passive - knowing that anyone that
>>>> > understands the slightest about FTP and NAT would already know that
>>>> > you need to use Passive FTP, which works fine, so FTP isn't broken
>>>> > at all.
>>>>
>>>> Hmm...
>>>>
>>>> Depending on who's behind the NAT, that is. Passive FTP doesn't work
>>>> if it's the server that's behind the NAT. You have to tell the NAT
>>>> which ports to open.
>>>>
>>>> Now, some NATs work fine for passive FTP, because they scan the FTP
>>>> control channel for PASV commands and the associated responses, and
>>>> they change the IP address and port described therein. They should
>>>> also open up the port mapping from the external port to the internal
>>>> one. These NATs generally do the same for active FTP transfers,
>>>> allowing them to work, too.
>>>>
>>>> There are two usual stipulations on this, however:
>>>> 1. The FTP control traffic must be on port 21. I've heard rumours that
>>>> there are NAT routers that can be configured to look for FTP on other
>>>> ports, but never run across such a beast.
>>>> 2. The FTP control traffic must be unencrypted.
>>>
>>> I have 9 FTP servers, some are behind a NAT from a Linksys/D-Link,
>>> others behind a FireBox II others behind a FireBox x1000. They all seem
>>> to work for us.
>>
> FTP is so widely used that I'd think that most NAT devices nowadays would
> come with builtin FTP Application Level Gateways to overcome these problems.
<grumble>just not paying attention</grumble>
Yes, most NATs do FTP ALGs. In fact, if your NAT doesn't have an FTP ALG,
I'd return it as defective.
However, if (1) the FTP control traffic arrives at the server on anything
other than port 21, or (2) the FTP control traffic is encrypted, the FTP ALG
in most NATs is not going to be able to make the required address and port
changes.
Alun.
~~~~
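
The control-channel rewrite discussed in this thread, as an added example that is not part of the original posts and is not any vendor's ALG code. It models a NAT with one public address that reuses the same data port on both sides; the class name, addresses and sample payloads are constructed for illustration.

```python
import re

# h1,h2,h3,h4,p1,p2 tuple carried by PORT commands and 227 (PASV) replies
ADDR = re.compile(rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed sample payloads (not captured traffic)
PASV_REPLY = b"227 Entering Passive Mode (192,168,1,10,195,80)\r\n"
PORT_CMD = b"PORT 192,168,1,10,195,81\r\n"
# What the ALG sees once the control channel is encrypted: an opaque TLS record
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(32)


class FtpAlg:
    """Toy FTP ALG (hypothetical class) for a NAT with one public address."""

    def __init__(self, public_ip, control_port=21):
        self.public_ip = public_ip
        self.control_port = control_port
        self.pinholes = []  # (public_port, private_ip, private_port)

    def process(self, payload, seen_port):
        """Return the control-channel payload as the NAT would forward it."""
        # Stipulation 1: only traffic on the expected control port is inspected.
        if seen_port != self.control_port:
            return payload
        # Stipulation 2: encrypted traffic never matches these plaintext
        # prefixes, so it is forwarded with the private address still inside.
        if not (payload.upper().startswith(b"PORT ") or payload.startswith(b"227 ")):
            return payload
        m = ADDR.search(payload)
        if m is None:
            return payload
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            return payload
        private_ip = ".".join(str(n) for n in nums[:4])
        port = nums[4] * 256 + nums[5]
        # Open the data-port mapping, then advertise the public address.
        self.pinholes.append((port, private_ip, port))
        new = "%s,%d,%d" % (self.public_ip.replace(".", ","), port >> 8, port & 0xFF)
        return payload[:m.start()] + new.encode() + payload[m.end():]
```
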