I encountered a problem connecting to an ftps host that was behind a NAT
firewall. Here is my solution:
In an ordinary FTP passive mode session, the host triggers the client to
open a data connection with the "227 PASV" response, which includes the IP
address and port number that to which the client should connect. When the
host is behind a NAT firewall, the firewall intercepts the message, and
replaces the internal IP address with the public IP of that host. The
client then connects to the IP address and port given by the 227 response.
However, with an FTPS session where the server is behind a NAT firewall,
the traffic is encrypted, so the firewall cannot even detect that a 227
response has been passed, and cannot modify the IP address. Therefore, the
client attempts to open a data connection to the private IP address of the
host, which will clearly fail.
Instead of using the IP address from the "227 PASV" response, the client
can use the IP address that it used for the control connection. This will
be the public IP address of the host. [ I have been unable to find a
situation in which the IP address in the PASV response should refer to a
different host.] The command line option "--ftp-ignore-pasv-ip" causes the
cURL command line client to use the port number from the PASV response, but
to ignore the IP address, and use the IP address that was used for the
control channel instead.
(See attached file: FTP_IGNORE_PASSIVE_IP.diff)
Received on 2004-09-23