On Thu, 2 Nov 2000, Michael R. Jinks wrote:

> I think this is normal... normally ftp involves two connections, one
> from the client to the server and one back from the server to the
> client.  That doesn't work with IP masqing (we don't allow incoming
> connections generally).
> 
> "Passive" ftp is just ftp over a single connection; the client tells the
> server to send all responses to the originating port instead of opening
> a new connection.  Then the masqing code on the firewall knows to let
> those packets back in.

Not correct. FTP data transfers always use a second connection--the
difference is in which side originates it.  The control connection is
always initiated by the FTP client, from a random local port to the
well-known FTP control port (21) on the remote server.  This connection
persists for the entire FTP session, which may include many file
transfers.

Each file transfer connection is normally established by the FTP server,
from the well-known file transfer port (20) to a random local port on the
client host.  The FTP client sends a PORT command to tell the server the
actual local port number it will be listening to for the data transfer.  
This mode doesn't work when the FTP client is behind a firewall that
blocks incoming connections.

Passive mode gets around this by having the server listen for the data
connection and telling the client the port number to use in a PASV
message.  The client initiates the data connection from a random local
port to the remote port supplied by the server.  In this case the data
connection often will not use port 20 at the server end.
 
> So it looks to me like either your client machine is doing passive ftp
> on its own, or the firewall is translating the connection into passive
> mode itself and recording the fact in the log.
> 
> Somebody correct me if I'm wrong.
> 
> -m
> 
> Ed Lazor wrote:
> > 
> > One of my workstations is generating this message in the firewall:
> > 
> > Jun 19 20:10:12 audi kernel: ip_masq_ftp OUT: got PASV
> > 
> > The firewall's pretty simple... running ip masquerading and I have the
> > various modules loaded.  Should I ignore the error message or is it
> > reporting a problem I should fix?
> > 
> > -Ed
> > 
> > _______________________________________________
> > Redhat-list mailing list
> > [EMAIL PROTECTED]
> > https://listman.redhat.com/mailman/listinfo/redhat-list
> 

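As an added illustration of the PORT/PASV distinction described in the reply above (example code written for this page, not the kernel's ip_masq_ftp helper): a masquerading firewall has to read the FTP control channel to learn which data connection to expect, and this is the kind of decoding and sanity checking it does. The function name, the `DataConn` record and the `client_ip`/`server_ip` parameters are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# FTP encodes an address as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

@dataclass(frozen=True)
class DataConn:
    mode: str                       # "active" (PORT) or "passive" (PASV)
    src: Tuple[str, Optional[int]]  # side that opens the data connection
    dst: Tuple[str, int]            # side that listens for it
    inbound: bool                   # True when the server connects back to the client

def _decode(text: str) -> Tuple[str, int]:
    """Extract the advertised IP and port from a PORT command or 227 reply."""
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field")
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range")
    port = nums[4] * 256 + nums[5]
    if port < 1024:
        raise ValueError("advertised port is privileged")  # sanity check (assumed policy)
    return ".".join(str(n) for n in nums[:4]), port

def expected_data_connection(line: str, client_ip: str, server_ip: str) -> Optional[DataConn]:
    """Given one control-channel line, return the data connection a masquerading
    helper must expect, or None for lines that do not set up a data connection.
    client_ip is the internal client address as the firewall sees it."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        # Active mode: the server connects from port 20 to the client's advertised port
        ip, port = _decode(text)
        if ip != client_ip:
            raise ValueError("PORT address does not match the client")  # assumed check
        return DataConn("active", (server_ip, 20), (client_ip, port), True)
    if text.startswith("227 "):
        # Passive mode: the client connects from an ephemeral port to the server's
        # advertised port, which is usually not port 20
        ip, port = _decode(text)
        if ip != server_ip:
            raise ValueError("PASV address does not match the server")  # assumed check
        return DataConn("passive", (client_ip, None), (server_ip, port), False)
    return None
```

Only the active-mode result is inbound to the client and therefore needs the firewall to admit a connection it would otherwise block; the passive-mode result is an ordinary outbound connection that merely has to be tracked.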