From owner-freebsd-questions@FreeBSD.ORG Thu Mar 4 00:05:16 2004
Date: Thu, 4 Mar 2004 08:05:09 +0000
From: Matthew Seaman
To: Robert Storey
Cc: freebsd-questions@freebsd.org
Subject: Re: what is my real address?
Message-ID: <20040304080509.GB42340@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <20040304083332.30695e4b.y2kbug@ms25.hinet.net>
References: <20040303181551.104d2ce6.y2kbug@ms25.hinet.net> <20040303131340.GA11526@happy-idiot-talk.infracaninophile.co.uk> <20040304083332.30695e4b.y2kbug@ms25.hinet.net>
User-Agent: Mutt/1.5.6i
On Thu, Mar 04, 2004 at 08:33:32AM +0800, Robert Storey wrote:
> Matthew Seaman wrote:
> > Running an FTP server through a NAT'ing gateway is not going to be a
> > pleasant experience, even if you were running the NAT gateway on a
> > FreeBSD box where natd's punch_fw functionality would make things a
> > great deal easier for you. FTP is an ancient protocol not designed to
> > cope with the realities of the modern internet.
> 
> Is it just that I will suffer poor performance, or is there some other
> reason? I don't actually need hot performance, as this will be a very
> low-traffic anonymous ftp server. It's more for experiment and education
> than anything else. I'm trying to get the students to learn something
> besides Windows.

No, it's more fundamental than that. The problem is the way FTP works.
I wrote a piece on this in this very forum a while ago -- see

    http://freebsd.rambler.ru/bsdmail/freebsd-questions_2002/msg34253.html

which was mostly about firewalling, but explains what happens in terms of
what tcp connections are made in which directions depending on whether
you're using active or passive mode.

One problem that will bite you happens with passive mode FTP -- which is
the most popular variant, as used by default by all web browsers, for
instance. This involves the client opening the ftp data channel
connection to an arbitrary high-numbered port on the server. If the ftp
server is behind a NAT gateway that's going to cause problems, as the NAT
gateway will just see an incoming request to open a connection on a
high-numbered port, so you'll have to tell the gateway to proxy all of
those connections back to the FTP server. It's a bit of a pain to set
up, and opens up far too much of your port range to potential nastiness,
but it should work.

Where it can get really frustrating is using active mode FTP: here it's
the server that opens the data connection from port 20 on the server
side out to an arbitrary port on the client side. As you can imagine
this gives the administrators of the client machine the heebie-jeebies.
Even worse, as you go out through a NAT gateway, it is quite likely that
the NAT gateway will rewrite the packets so they appear to come from an
arbitrary port number on the gateway. That means you'd have to accept a
connection from an arbitrary high-numbered port to an arbitrary
high-numbered port. At which point your only rational response is to
run away, screaming.

I really must tidy that message up and put it on the web somewhere.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH
                                                      UK