Re: compare iis-ftp and serv-u.
From: Alun Jones [MSFT] (alunj_at_online.microsoft.com)
Date: 02/15/05
- In reply to: Elga: "Re: compare iis-ftp and serv-u."
Date: Mon, 14 Feb 2005 17:21:13 -0800
"Elga" <Elga@discussions.microsoft.com> wrote in message
news:04BC97AF-0E53-40C8-AB0C-7A4E7FB2ED8F@microsoft.com...
> First, it wasn't my intention to be impolite. I appreciated the help I
> received in this forum when I began to work with IIS. If it was the
> consequence of my post, I apologize.
>
> But, I don't agree with the idea that this is a NAT issue.
> NAT has to translate internal IP to external IP (and vice versa) in the
> header of IP message, but does not have to do with the body of that
> message.
> So, if some NAT manufacturer wants to give a special treatment to the
> body of the answer to PASV command, it's cool, but it is not mandatory.
> Because of this, there are many NATs that don't do it. Then, the FTP
> server software needs to know the external IP in order to send the right
> answer to the client, in these cases.
I disagree.
RFC 1631 ("The IP Network Address Translator") actually lays this out as a
requirement on the NAPT router:
"3.3 Header Manipulations
In addition to modifying the IP address, NAT must modify the IP
checksum and the TCP checksum. Remember, TCP's checksum also covers a
pseudo header which contains the source and destination address. NAT
must also look out for ICMP and FTP and modify the places where the
IP address appears. There are undoubtedly other places, where
modifications must be done. Hopefully, most such applications will be
discovered during experimentation with NAT.
"
An example is given of the FTP PORT command, and how to modify it, and the
sequence numbers, in order to carry out an FTP transaction through a NAPT
router.
I have yet to see a NAPT router that did not support this, although most are
constrained to only do this on port 21.
Consider the following scenario.
Assume an FTP server, Jim, that quotes an external IP address in its PASV
response.
A client connects, and requests a PASV port be assigned. The server
responds with "227 Passive port (192,168,2,3,4,1)". The client connects to
192.168.2.3:1025, which has been dynamically mapped at the NAT by the RPC
service on Fred, a different machine, that wants an outward-facing RPC
service.
The NAPT cannot prevent this, because, as far as it knows, address
"192.168.2.3" is already an external address, and should not be modified.
Jim does not know that Fred has this mapping added into the NAPT's routing
table.
This is why it is the NAPT router's responsibility to do this translation if
at all possible. Only the NAPT router has all the information necessary to
make the translation securely.
Alun.
~~~~
-- Software Design Engineer, Internet Information Server (FTP)
This posting is provided "AS IS" with no warranties, and confers no rights.
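A toy model of the scenario in the post above, as an added example that is not part of the original message: it decodes the 227 reply, then compares a server that quotes the external address itself with a NAPT that rewrites the reply body. The `Napt` class, the internal address 10.0.0.5 and Fred's internal port 49152 are constructed for illustration.

```python
import re

PASV_RE = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_227(reply):
    """Decode the (h1,h2,h3,h4,p1,p2) tuple of a 227 reply into (ip, port)."""
    m = PASV_RE.search(reply)
    if not reply.startswith("227") or not m:
        raise ValueError("not a 227 passive reply")
    n = [int(x) for x in m.groups()]
    if any(v > 255 for v in n):
        raise ValueError("field out of range")
    return ".".join(map(str, n[:4])), n[4] * 256 + n[5]

def format_227(ip, port):
    return "227 Passive port (%s,%d,%d)" % (ip.replace(".", ","), port >> 8, port & 0xFF)

class Napt:
    """Toy NAPT (hypothetical): external port -> (internal host, internal port)."""
    def __init__(self, external_ip):
        self.external_ip = external_ip
        self.table = {}

    def rewrite_227(self, reply, server_host):
        """FTP-aware path: pick an external port that is free in this table,
        map it to the server's passive listener, and rewrite the reply body."""
        _, port = parse_227(reply)
        ext_port = next(p for p in range(port, 65536) if p not in self.table)
        self.table[ext_port] = (server_host, port)
        return format_227(self.external_ip, ext_port)

    def deliver(self, ip, port):
        """Internal endpoint that an inbound connection to ip:port reaches."""
        return self.table.get(port) if ip == self.external_ip else None

def scenario():
    napt = Napt("192.168.2.3")
    napt.table[1025] = ("fred", 49152)  # Fred's RPC mapping (internal port constructed)
    # Case 1: Jim quotes the external address; the NAPT leaves the body untouched.
    case1 = napt.deliver(*parse_227("227 Passive port (192,168,2,3,4,1)"))
    # Case 2: Jim reports its own (constructed) internal address; the NAPT rewrites it.
    reply = format_227("10.0.0.5", 1025)
    rewritten = napt.rewrite_227(reply, "jim")
    case2 = napt.deliver(*parse_227(rewritten))
    return case1, rewritten, case2
```

In case 1 the client's data connection lands on Fred; in case 2 the NAPT, which can see its own table, advertises port 1026 and the connection reaches Jim.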