On Wed, Sep 22, 2004 at 05:33:36PM -0400, ED_Hingsbergen_at_cisgi.com wrote:
> I encountered a problem connecting to an ftps host that was behind a NAT
> firewall. Here is my solution:
> The Solution:
> Instead of using the IP address from the "227 PASV" response, the client
> can use the IP address that it used for the control connection. This will
> be the public IP address of the host. [I have been unable to find a
> situation in which the IP address in the PASV response should refer to a
> different host.] The command line option "--ftp-ignore-pasv-ip" causes the
> cURL command line client to use the port number from the PASV response, but
> to ignore the IP address, and use the IP address that was used for the
> control channel instead.
> (See attached file: FTP_IGNORE_PASSIVE_IP.diff)
> Comments welcome.
Even if this solution were to be used, the NAT firewall will not know which
TCP port to map to the internal host because it can't see the PASV response.
The remote client will attempt to connect to the control channel address,
but the port will be closed. How is the NAT firewall supposed to get this
Received on 2004-09-23
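The endpoint choice described in the quoted post, as an added example (not the attached patch and not curl's own code): it parses a 227 reply, validates the six fields, and reports when the advertised address differs from the control-connection address. The function name, parameters and sample addresses are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not curl's code: choose the data endpoint from a
 * "227 ... (h1,h2,h3,h4,p1,p2)" reply.
 * ignore_pasv_ip non-zero: keep the PASV port, take the host from control_ip.
 * *mismatch is set when the advertised address differs from control_ip.
 * Returns 0 on success, -1 on a malformed reply or too-small host buffer. */
int pasv_endpoint(const char *reply, const char *control_ip, int ignore_pasv_ip,
                  char *host, size_t hostlen, int *port, int *mismatch)
{
    unsigned v[6];
    char advertised[48];
    const char *p, *chosen;
    int i;

    if (strncmp(reply, "227", 3) != 0)
        return -1;
    /* The text around the numbers is not fixed, so scan for the first
     * position where six comma-separated numbers parse. */
    for (p = reply + 3; *p; p++)
        if (sscanf(p, "%u,%u,%u,%u,%u,%u",
                   &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) == 6)
            break;
    if (*p == '\0')
        return -1;
    for (i = 0; i < 6; i++)
        if (v[i] > 255)
            return -1;              /* each field is one octet */
    if (v[4] == 0 && v[5] == 0)
        return -1;                  /* port 0 is not connectable */
    *port = (int)(v[4] * 256 + v[5]);
    snprintf(advertised, sizeof advertised, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    *mismatch = strcmp(advertised, control_ip) != 0;
    chosen = ignore_pasv_ip ? control_ip : advertised;
    if (strlen(chosen) >= hostlen)
        return -1;
    strcpy(host, chosen);
    return 0;
}

int main(void)
{
    /* Constructed sample: a server behind NAT advertises a private address. */
    char host[64]; int port, mismatch;
    if (pasv_endpoint("227 Entering Passive Mode (192,168,1,10,195,80)",
                      "203.0.113.5", 1, host, sizeof host, &port, &mismatch) == 0)
        printf("data -> %s:%d (mismatch=%d)\n", host, port, mismatch);
    return 0;
}
```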