FTP: Client and Server Behind 2 Seperate Firewalls.

Adrian Chung (adrian_chung@yahoo.com)
Mon, 20 Dec 1999 10:03:54 -0800 (PST)

Hi everyone, I've had this question for a while, and
haven't been able to find a solution.

This is the scenario.

Two networks, each running Linux and IPMasq, with
machines behind the firewalls running FTP servers and

Network 1:

Machine A is behind firewall 1, and has an IP of
-Firewall 1 has the IP_MASQ_FTP module loaded, and is
forwarding port 212 to Machine A's FTP server port

Network 2:

Machine B is behind firewall 2, and has an IP of
-Firewall 2 has the IP_MASQ_FTP module loaded, and is
forwarding port 1122 to Machine B's FTP server port

Both firewalls reside on the Rogers@Home cable

Here is the problem:

When a client behind Firewall 1 tries to access the
FTP server on Machine B through Firewall 2, or vice
versa, neither FTP port mode nor FTP passive mode will
work, since neither machine A, nor B have valid
routable internet addresses.

In either mode, the connection fails when a data
transfer is attempted, and times out waiting for a

My understanding is: in PORT mode, the client
instructs the server what port and IP address to
connect to. Which fails in this case, because the
client thinks it's IP is, or

In PASSIVE mode, the server instructs the client which
port and IP address to connect to, which still fails,
since the server thinks it's IP is, or depending on which direction you're
attempting to FTP.

IP_MASQ_FTP works for outgoing non-PASSIVE transfers,
and the setup works normally for destinations which
are not behind firewalls.

I'm not sure how the IP_MASQ_FTP module takes care of
rewriting the packets source address to take care of
this problem, but I thought that this module should
allow PORT mode transfers to any host external to the
firewall'd network regardless of whether it is behind
a firewall or not.

For example, the above set up works fine to and from a
server behind the MASQ box, as long as the external
client/host is not also behind a firewall, and uses
PORT mode.

Is it possible with any tools to allow this type of
access? And if so, what types of tools/alternatives
are available?


Adrian Chung

Do You Yahoo!?
Thousands of Stores. Millions of Products. All in one place.
Yahoo! Shopping: http://shopping.yahoo.com
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.rutgers.edu