Article delegate-en/2767 of [1-5169] on the server localhost:119
[Reference:<_A2763@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Delegate FTP PASV behind NAT
13 Oct 2004 20:23:29 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


On 10/11/04(22:49) you "Deffranne Laurent (DBB)" <pzmfabdyi-p5lznxkomzxr.ml@ml.delegate.org>
wrote
in <_A2763@delegate-en.ML_>:
 |I am looking to set up a Delegate Proxy on an internal server behind a Firewall & NAT box.
 |
 |Here is my network configuration :
 |
 |Firewall external IP : 11.22.33.44
 |Delegate Server internal IP : 172.16.0.1
 |
 |The firewall will transmit all incoming connections to the Internal server without problems.
 |
 |
 |The problem is that delegate is now responding with "227 Entering Passive Mode (172.16.0.1,128,66)."
 |on the FTP PASV requests coming from internet.
 |
 |So the internet clients try to connect to the internal address, without success of course.
 |
 |How can I configure Delegate in such a way that it returns the IP address 11.22.33.44 on every FTP PASV answer?
 |
 |I have read about the "SRCIF" parameter, but I am unable to find the right parameters to use in this case.


I think the following parameter will do it:

  SRCIF="11.22.33.44:*:tcpbound"

Or if your server is to be accessed without the NAT from internal clients
(on .localnet), such clients should be excluded from the mapping like this:

  SRCIF="11.22.33.44:*:tcpbound:*:!.localnet"

Reading your question, I thought it should be done with "ftp-data-pasv",
but it does not work because it tries to bind a socket to the specified,
non-local interface, and fails.  Then I was reminded of "tcpbound".
I'm not so sure, but this is the reason why I introduced "tcpbound" in
DeleGate/8.5.6 (and I noticed "tcpbound" is not expressed in Manual.htm...)

In CHANGES:
8.5.6 030628 inets.c: introduced SRCIF=tcpbound for FTP PASV (on SSL) behind NAT

Cheers,
Yutaka
--
  D G   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( - )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
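
The following check is an added example, not part of the original message and not DeleGate code. It parses a 227 reply like the one quoted in the question and reports whether the advertised data address matches the address the client used for the control connection, which is one way to confirm that the SRCIF mapping took effect. The function names are hypothetical and the sample replies are constructed from the addresses in the post.

```python
import ipaddress
import re

# RFC 959 writes the tuple as (h1,h2,h3,h4,p1,p2). The reply quoted in the
# post shows the host part dotted, so both separators are accepted here.
_PASV_RE = re.compile(
    r"^227\b[^(]*\((\d{1,3})[.,](\d{1,3})[.,](\d{1,3})[.,](\d{1,3}),"
    r"(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv(reply):
    """Return (IPv4Address, port) advertised in a 227 reply."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range in %r" % reply)
    ip = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return ip, nums[4] * 256 + nums[5]  # port = p1*256 + p2


def check_pasv(reply, control_ip):
    """Compare the advertised data address with the control-connection address.

    control_ip is the address the client dialled (the NAT's external address
    for internet clients, the server's own address for internal clients).
    """
    ip, port = parse_pasv(reply)
    control = ipaddress.IPv4Address(control_ip)
    result = {"ok": ip == control, "ip": str(ip), "port": port, "reason": ""}
    if not result["ok"]:
        if ip.is_private and not control.is_private:
            result["reason"] = "internal address advertised to an external client"
        else:
            result["reason"] = "advertised address differs from control address"
    return result


if __name__ == "__main__":
    # Constructed samples: the reply from the question, then the reply
    # expected once the external address is returned instead.
    for line in ("227 Entering Passive Mode (172.16.0.1,128,66).",
                 "227 Entering Passive Mode (11,22,33,44,128,66)."):
        print(line, "->", check_pasv(line, "11.22.33.44"))
```

An internal client that connects directly to 172.16.0.1 should pass the same check with `control_ip="172.16.0.1"`, which corresponds to the `!.localnet` exclusion in the second SRCIF form.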
