At 17:20 22/08/00 +0900, horio shoichi wrote:
>Although in principle it is possible to request a data port connection
>from a separate IP, I wonder if it is a reality. If the server "deviates"
>from the RFCs only in this respect, that is, the data connection must come
>from the same host as the control connection, much of the passive mode
>headache can be eliminated. Because: 1) PASV data ports may be chosen from
>a small range (say 100), and said data ports can be constantly listened on
>and can perform an accept-fork loop.
>
>This way the holes for data ports on the external router can be made small,
>the holes may all be listened on and thus cannot be listened on unknowingly,
>and the connecting peer IP (but not the port number) can be authenticated.
>Also, most ftp clients won't be affected.
>
>What do you think of this as a tentative workaround for the ftp server difficulty?

That'll be a start, but I still prefer having an ftp protocol that uses a
single connection. Then designing packet filters, NAT solutions and other
stuff that handles connections in the IP stack would be easier. Layering has
been used to make different stacks independent, but while I easily accept the
dependencies between IP and TCP (and UDP/ICMP/..), I find it ugly to have code
in the IP stack just to parse ftp data...

regards,
mouss
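The two ideas in this exchange, a PASV server that hands out data ports only from a small pre-listened pool and refuses any data connection whose peer IP differs from the control connection's, and a NAT/packet filter that has to parse the 227 reply to learn which port to open, can be shown side by side in a few dozen lines. The following is an added example and not code from either poster; `PasvRegistry`, `pasv_reply`, `parse_pasv_reply`, the port range 50000-50099 and the 192.0.2.x / 198.51.100.x addresses are all constructed for illustration and do not come from the thread.

```python
"""Model of the same-host PASV check and of the reply parsing a NAT ALG must do.

Constructed example: no real sockets are opened; the registry models the
server-side bookkeeping for a small, permanently listened data-port range.
"""
import re
from typing import Dict, List, Optional, Tuple

# Small PASV range, as the quoted proposal suggests ("say 100" ports).
# Hypothetical values chosen for this example.
PASV_PORT_RANGE = range(50000, 50100)


class PasvRegistry:
    """Tracks which control-connection peer owns which pre-listened data port.

    The firewall hole is bounded by len(ports); a data connection is accepted
    only on an allocated port and only from the control connection's peer IP.
    """

    def __init__(self, ports) -> None:
        self._free: List[int] = list(ports)
        self._owner: Dict[int, str] = {}  # data port -> control peer IP

    def allocate(self, control_peer_ip: str) -> Optional[int]:
        """Reserve a data port for the session whose control peer is given."""
        if not self._free:
            return None  # pool exhausted: refuse PASV rather than widen range
        port = self._free.pop(0)
        self._owner[port] = control_peer_ip
        return port

    def release(self, port: int) -> None:
        """Return a port to the pool once the transfer is finished or aborted."""
        if port in self._owner:
            del self._owner[port]
            self._free.append(port)

    def accept_data_connection(self, port: int, data_peer_ip: str) -> Tuple[bool, str]:
        """Decide whether an incoming data connection may proceed."""
        owner = self._owner.get(port)
        if owner is None:
            return False, "port not allocated to any session"
        if owner != data_peer_ip:
            # The RFC allows a different host, but the proposal deliberately
            # deviates here so the peer IP is tied to the control session.
            return False, "data peer %s differs from control peer %s" % (data_peer_ip, owner)
        return True, "ok"


def pasv_reply(server_ip: str, port: int) -> str:
    """Encode the RFC 959 227 reply: host octets, then port high byte, low byte."""
    h1, h2, h3, h4 = server_ip.split(".")
    return "227 Entering Passive Mode (%s,%s,%s,%s,%d,%d)" % (
        h1, h2, h3, h4, port >> 8, port & 0xFF)


_PASV_RE = re.compile(r"\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """What a NAT helper has to do: pull (ip, port) out of the control channel text.

    Returns None on malformed input so a filter never opens a hole it cannot
    attribute to a well-formed reply.
    """
    m = _PASV_RE.search(line)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if any(x > 255 for x in n):
        return None
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]


if __name__ == "__main__":
    reg = PasvRegistry(PASV_PORT_RANGE)
    port = reg.allocate("192.0.2.10")          # control connection from 192.0.2.10
    print(pasv_reply("192.0.2.1", port))
    print(reg.accept_data_connection(port, "192.0.2.10"))    # same host: accepted
    print(reg.accept_data_connection(port, "198.51.100.7"))  # third party: refused
    reg.release(port)
    print(reg.accept_data_connection(port, "192.0.2.10"))    # closed window: refused
```

The registry makes the trade-off explicit: the data port is a fixed, known set that the router can be told about once, and the only thing the server authenticates is the peer address, exactly as the quoted post notes (port number is not checked). The parser shows the other side of the argument, since a filter that must read `227` replies out of the control stream is doing application parsing in the packet path.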
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]