> Yes I'm aware of both modes. Since you mentioned the server told the
> client what server to use, I assumed you were talking about passive
> mode, which is what I was responding to above.

Sorry about not making it clear in the first place. Now we are on the same page. One minor point: the passive mode was for old proxy firewalls, which you can hardly find around any more.

> You lost me here. Since the passive open has the connection initiated
> by the client, there is no need for the firewall around the client to
> open a port based on listening to the control channel, right?

Ok, let me try to explain. Even for outgoing connections, the policy needs to be matched on the firewall. (The firewall policy is just a complicated version of an access list to match 5 tuples; you can think of it that way if this is any easier for you.) And in most cases, only one policy is defined for both the FTP control and data channel. This is for simplicity, accounting, logging and many other reasons, to list a few. This is very common for all firewalls, not just ours. The data channel cannot match the policy defined for control because of its dynamic port. So the firewall needs to open a hole (like a dynamic policy for the data channel).

>> The hole is opened only on the firewall which is dealing with the
>> control channel. If the data channel goes to another file, apparently
>> this will not work.
>
> I don't see why not. It's just another outgoing TCP connection.

Is it clear now? If not, please forgive me, a white board discussion may be better.

> FTP is just a classical example of this dynamic port problem that a
> firewall needs to deal with. For VoIP apps such as H323 and SIP, a
> similar problem exists as well and is even more severe. This is because
> the signalling channel and media channel are totally different and the
> destinations are usually completely different.
>
> As a firewall/NAT/IDP company we've been struggling with these issues
> all the time. It really adds lots of complexity to the system. I just
> don't want to get it worse in IPv6, if not better.
>
> Hope this makes sense to you.

Not particularly.

I'm still at the same point I was before where elaborating on what the exact scenario that fails is would help.

Thanks,
-Dave

> Changming

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[EMAIL PROTECTED]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
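The firewall behaviour Changming describes (one static 5-tuple policy covering "FTP", a data channel whose port cannot match it, and a pinhole learned from the control channel that exists only on the firewall that saw that control channel) can be shown with a small model. The following is an added example written for this thread; it is not code from the list, from either participant, or from any vendor's product. The `Firewall` class, its FTP helper, the `10.0.0.0/8` client network, the `198.51.100.10` server and the PASV reply are all constructed for the demonstration.

```python
import ipaddress
import re

# Toy stateful firewall (constructed example, not any product's code):
# static policies are 5-tuple matches with "any" source port; the FTP
# helper adds an exact dynamic policy after parsing the server's PASV reply.
PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


class Firewall:
    def __init__(self, name):
        self.name = name
        self.static = []    # (src_network, dst_ip, dst_port, proto), any src port
        self.dynamic = []   # (src_ip, dst_ip, dst_port, proto) pinholes

    def add_policy(self, src_network, dst_ip, dst_port, proto="tcp"):
        self.static.append((ipaddress.ip_network(src_network),
                            ipaddress.ip_address(dst_ip), dst_port, proto))

    def inspect_control(self, client_ip, reply_line):
        """FTP helper: learn the data endpoint from a '227 ... (h1,h2,h3,h4,p1,p2)'
        reply seen on the control channel and open a pinhole for it.
        Returns the (host, port) opened, or None if the line is not a PASV reply."""
        m = PASV_REPLY.match(reply_line)
        if not m:
            return None
        h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
        data_host = ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}")
        data_port = p1 * 256 + p2
        self.dynamic.append((ipaddress.ip_address(client_ip), data_host, data_port, "tcp"))
        return str(data_host), data_port

    def permits(self, src_ip, src_port, dst_ip, dst_port, proto="tcp"):
        """Return 'static' or 'dynamic' naming the policy that matched, or None (drop)."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for net, pol_dst, pol_port, pol_proto in self.static:
            if src in net and dst == pol_dst and dst_port == pol_port and proto == pol_proto:
                return "static"
        for pin_src, pin_dst, pin_port, pin_proto in self.dynamic:
            if src == pin_src and dst == pin_dst and dst_port == pin_port and proto == pin_proto:
                return "dynamic"
        return None


def demo():
    """Two firewalls with the same single FTP policy; only fw_a sees the control channel."""
    client, server = "10.1.1.5", "198.51.100.10"
    fw_a, fw_b = Firewall("fw_a"), Firewall("fw_b")
    for fw in (fw_a, fw_b):
        fw.add_policy("10.0.0.0/8", server, 21)   # the one policy defined for "FTP"

    results = {}
    results["control"] = fw_a.permits(client, 40000, server, 21)
    # The data channel's dynamic port matches no static policy...
    results["data_before_pasv"] = fw_a.permits(client, 40001, server, 50001)
    # ...until the helper sees the PASV reply (constructed: 195*256 + 81 = 50001).
    results["pinhole"] = fw_a.inspect_control(
        client, "227 Entering Passive Mode (198,51,100,10,195,81)")
    results["data_via_fw_a"] = fw_a.permits(client, 40001, server, 50001)
    # A firewall on a path that never carried the control channel has no pinhole.
    results["data_via_fw_b"] = fw_b.permits(client, 40001, server, 50001)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `fw_b` case is the one Changming's earlier message was pointing at: the data connection is indeed just another outgoing TCP connection, but the only policy that could admit it is the dynamic one, and that exists solely on the firewall whose helper parsed the control channel.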