Hello all.
I maintain a Carrier Grade NAT (CGN) system, based on FreeBSD with pf() (NAT and Bi-NAT) and dummynet() (ipfw()'s shaper) for a few thousand of customers.
For the usual problems with ftp under NAT, we use ftp-proxy(). All works fine until we got a request from one customer with a problem: he can't download from some ftp servers in passive mode, got strange error
So we began to investigate the reason, and found it. While ftp-proxy establishes control ftp connection from [one of the] server IP, data connection to ftp establishing with customer's external (due to binat) source address. Some ftp servers (based on wu-ftpd, probably) are paranoid and want the same source address in the data connection as in the control connection.
It can be easily seen with the tshark dump there: http://pastie.org/6347758 (FTP server IP is 15.193.112.22, NAT-server IP is 109.71.176.1, customer [external] IP is 93.92.199.139).
What can we do with it? Ftp-proxy, in my opinion, should respect existing (binat) address translation and work more tightly with pf in this aspect. Or I'm wrong? Linux NAT conntrack helper works like a charm and I consider it.
I maintain a Carrier Grade NAT (CGN) system, based on FreeBSD with pf() (NAT and Bi-NAT) and dummynet() (ipfw()'s shaper) for a few thousand of customers.
For the usual problems with ftp under NAT, we use ftp-proxy(). All works fine until we got a request from one customer with a problem: he can't download from some ftp servers in passive mode, got strange error
Code:
425 Possible PASV port theft, cannot open data connectionSo we began to investigate the reason, and found it. While ftp-proxy establishes control ftp connection from [one of the] server IP, data connection to ftp establishing with customer's external (due to binat) source address. Some ftp servers (based on wu-ftpd, probably) are paranoid and want the same source address in the data connection as in the control connection.
It can be easily seen with the tshark dump there: http://pastie.org/6347758 (FTP server IP is 15.193.112.22, NAT-server IP is 109.71.176.1, customer [external] IP is 93.92.199.139).
What can we do with it? Ftp-proxy, in my opinion, should respect existing (binat) address translation and work more tightly with pf in this aspect. Or I'm wrong? Linux NAT conntrack helper works like a charm and I consider it.