spi @66.128.17.x (Anon) to TheWiseGuy
Re: Is it safe to disable router's firewall?

I guess where I am going with this is that by definition NAT alone cannot handle active FTP. In active FTP the server starts a new connection into the client and without some sort of packet inspection the router doesn't even know who to forward that traffic to. The traffic will be denied. Whatever you want to call this packet inspection that the router does to see that data port and know it is associated with the original outgoing ftp session is up to you but it is not NAT. BTW, you only described half of what an active ftp session does, you didn't even make it to the part that a basic router would have problems with.
TheWiseGuy (MVM), Dog And Butterfly, join:2002-07-04, East Stroudsburg, PA
said by spi:

BTW, you only described half of what an active ftp session does, you didn't even make it to the part that a basic router would have problems with.

Huh, maybe you cannot read.

said by Me:

An initial connection is made to Port 21 outbound. The Inbound return packet contains the port where the data connection will be established.

quote:
Still you could easily implement a sub-routine in NAT that checks if the remote is Port 21 and simply check the return packet as part of NAT without implementing a full SPI firewall,

You do understand Active FTP enough to understand that the DATA connection is the part you say will have a problem, not the control connection.

For you or anyone else that needs to understand active FTP, see »slacksite.com/other/ftp.html

NAT/PAT is Name Address Translation/Port Address Translation, you must modify the NAT/PAT tables to allow inbound traffic from active FTP. It does not need to be done by a stateful firewall.

spi @66.128.17.x (Anon)

lol... you are explaining this to me and you call it "Name Address Translation". Man, you need to get a refund on whatever certification you got... I agree with you, the NAT (Network Address Translation) table is updated, but NAT is not inspecting the traffic to determine this information for itself. NAT is not responsible for inspecting this traffic and NAT alone will not allow this inbound traffic. NAT alone cannot handle this type of traffic. Don't read any more into it, that is all I am trying to say. NAT alone cannot handle this type of traffic.
spi @66.128.17.x (Anon) to TheWiseGuy

BTW, since you brought it up, NAT/PAT as you call it are not one and the same.
TheWiseGuy (MVM), Dog And Butterfly, join:2002-07-04, East Stroudsburg, PA (1 edit)

said by spi:

BTW, since you brought it up, NAT/PAT as you call it are not one and the same.

Sigh, I wish I could put anonymous trolls on ignore. I also wish the system were not all of a sudden informing me of every reply by an anonymous user.

Actually, if you read Cisco, »www.cisco.com/en/US/tech ··· 31.shtml

quote:
Overloading – A form of dynamic NAT that maps multiple unregistered IP addresses to a single registered IP address by using different ports. Known also as PAT (Port Address Translation), single address NAT or port-level multiplexed NAT.

PAT is the name of a specific type of NAT.

I'm done feeding the troll. You do not need a stateful firewall, which is what this topic is about, to do active FTP.

spi @66.128.17.x (Anon)
The guy that calls it Name Address Translation calls me a troll. Nice try...

You are correct you may not need what your router vendor calls spi for active ftp but you do need some sort of deep packet inspection which is NOT NAT.
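As an added example, not part of the thread: the piece both posters are circling is an FTP helper (ALG) sitting beside the NAT table. It inspects the client's outbound PORT command on the control channel, rewrites the private address/port to the public address and a freshly allocated port, and records a one-shot expectation so the server's inbound data connection can be forwarded; an inbound SYN with no expectation is dropped, which is what NAT alone does. Addresses and ports below are constructed.

```python
import re
from dataclasses import dataclass, field

# Client -> server "PORT h1,h2,h3,h4,p1,p2" line on the control channel (RFC 959).
PORT_RE = re.compile(
    rb"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$"
)


@dataclass
class NatWithFtpAlg:
    """Port-overloading NAT plus the FTP helper that a bare NAT table lacks."""
    public_ip: str
    next_port: int = 40000
    # public data port -> (private ip, private port) the server is expected to connect to
    expected: dict = field(default_factory=dict)

    def rewrite_port_command(self, private_ip: str, line: bytes) -> bytes:
        """Inspect one outbound control-channel line sent by private_ip.

        Non-PORT lines pass through untouched.  A PORT line is rewritten so the
        server sees the public address and an allocated public port, and an
        inbound expectation for that port is recorded.
        """
        m = PORT_RE.match(line)
        if not m:
            return line
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if f"{h1}.{h2}.{h3}.{h4}" != private_ip:
            # Address in PORT does not match the sender: open nothing, pass it as-is.
            return line
        priv_port = p1 * 256 + p2
        pub_port = self.next_port
        self.next_port += 1
        self.expected[pub_port] = (private_ip, priv_port)
        octets = self.public_ip.replace(".", ",")
        return f"PORT {octets},{pub_port // 256},{pub_port % 256}\r\n".encode()

    def inbound_syn(self, dst_port: int):
        """Server opens the data connection to public_ip:dst_port.

        Returns the private (ip, port) to forward to, or None when no expectation
        exists, i.e. the SYN is dropped exactly as it would be with NAT alone.
        """
        return self.expected.pop(dst_port, None)
```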