SLUG Mailing List Archives
Re: [SLUG] FW: FTP NAT/Conntrack problems
- To: Luke McKee <Luke@xxxxxxxxxxxxx>
- Subject: Re: [SLUG] FW: FTP NAT/Conntrack problems
- From: Crossfire <xfire@xxxxxxxx>
- Date: Thu May 17 13:46:02 2001
- Cc: "'slug@xxxxxxxxxxx'" <slug@xxxxxxxxxxx>
- User-agent: Mutt/1.2.5i
Luke McKee was once rumoured to have said:
> Slug PPL,
> I thought I would mention this to the slug list. Sorry for the slightly
> off-topic posting earlier that was primarily directed towards netfilter users.
> Simply what I am trying to say is that some Linux users running NAT in the
> 2.4 kernel cannot access some FTP sites that others can access
> without trouble - because netfilter breaks RFCs. It even affects an ftp client
> running on the NAT box itself, so if you are running NAT there is nothing you
> can do apart from logging in to another machine outside your private network or
> shutting down NAT completely to get to that FTP site.
This is why FTP has passive mode.
> The ftp servers you can't connect to with NAT running are FTP servers that
> send file transfers from a different IP to the one you first connected to.
> Servers that do this are commonly found in High-Availability networks (like
> those running high-availability Linux clusters - www.linux-ha.org). I just
> thought I should let you all know this in case anyone else has been having
> problems with FTP on Linux.
> I now agree with Chris' comment on the slug home page:
> "Unfortunately, whilst everyone was impressed with Netfilter, and Chris's
> overview of it, no one was willing to entrust a production firewall to Linux
> 2.4. Perhaps around 2.4.10"
This was *NOT* my comment. I use Netfilter at home, and I'm about to
deploy it into production.
The NAT code in Netfilter is *far* better than the old Masq system in
2.2 in terms of flexibility.
You obviously didn't research this very well before jumping to
conclusions, and I do not appreciate being misrepresented.
Hack the source, Luke. They even tell you what changes you'd need.

For the unaware, he's lifted the comment from Jeff's report on the
last meeting. These were Jeff's words, not mine.

Yes, the C. stands for Chris, not for Crossfire.
Crossfire | This email was brought to you
xfire@xxxxxxxx | on 100% Recycled Electrons
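The failure mode discussed above (a server whose PASV reply advertises a data address other than the one the client's control connection went to, and a stateful NAT box that only tracks data connections matching the control peer) can be shown with a small model. This is an added example written for this archive page; it is not code from either poster and not the netfilter/ip_conntrack_ftp source. The RFC 959 `227` and RFC 2428 `229` reply formats are standard; the `loose` flag on the helper model and the client-side "ignore the advertised IP" fallback are assumptions used for illustration, and the sample replies are constructed.

```python
"""Model of FTP passive mode through a stateful NAT box (added example).

Two things are modelled:
  * helper_would_expect(): what a connection-tracking FTP helper on the
    NAT box has to decide when it sees a PASV reply - whether to open an
    expectation (and NAT mapping) for the upcoming data connection.
  * data_connection_target(): what a client can do on its side when the
    server advertises a different address than the control peer.
Assumptions (not from the thread): the helper model's `loose` flag and the
client fallback of reusing the control peer address are illustrative.
"""
import re

# RFC 959 PASV reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
_PASV_RE = re.compile(
    r"^227\b.*?\(?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)?"
)
# RFC 2428 EPSV reply: "229 Entering Extended Passive Mode (|||port|)".
# EPSV carries no address, so the data connection always goes to the
# control peer and the mismatch described in the thread cannot arise.
_EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d{1,5})\|\)")


def parse_pasv(reply):
    """Return (host, port) advertised by a 227 reply; raise on bad input."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    if max(a, b, c, d, p1, p2) > 255:
        raise ValueError("octet out of range in %r" % reply)
    return "%d.%d.%d.%d" % (a, b, c, d), p1 * 256 + p2


def parse_epsv(reply):
    """Return the port advertised by a 229 reply; raise on bad input."""
    m = _EPSV_RE.match(reply.strip())
    if not m:
        raise ValueError("not a 229 EPSV reply: %r" % reply)
    port = int(m.group(1))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range in %r" % reply)
    return port


def helper_would_expect(control_peer, reply, loose=False):
    """Model of the NAT box's FTP helper decision.

    A strict helper only sets up the data connection when the advertised
    address equals the control connection's peer; otherwise the client's
    SYN to the other address is never NATed/allowed and the transfer hangs.
    `loose` (assumed, illustrative) models a helper that accepts any address.
    Returns True if the data connection would be allowed through.
    """
    if reply.startswith("229"):
        return True
    host, _ = parse_pasv(reply)
    return loose or host == control_peer


def data_connection_target(control_peer, reply, trust_advertised_ip=False):
    """Where a client should connect for the data transfer.

    Returns (host, port, note). When the advertised host differs from the
    control peer and trust_advertised_ip is False, the client falls back to
    the control peer's address with the advertised port (an assumed client
    workaround; it only works if the server also listens there).
    """
    if reply.startswith("229"):
        return control_peer, parse_epsv(reply), "epsv"
    host, port = parse_pasv(reply)
    if host == control_peer:
        return host, port, "pasv-same-host"
    if trust_advertised_ip:
        return host, port, "pasv-other-host"
    return control_peer, port, "pasv-ip-ignored"


if __name__ == "__main__":
    # Constructed sample replies (documentation-range addresses).
    peer = "192.0.2.10"
    same = "227 Entering Passive Mode (192,0,2,10,19,137)"
    other = "227 Entering Passive Mode (192,0,2,11,19,137)"   # HA front/back split
    epsv = "229 Entering Extended Passive Mode (|||5001|)"
    for r in (same, other, epsv):
        print(r)
        print("  strict helper allows:", helper_would_expect(peer, r))
        print("  client connects to:  ", data_connection_target(peer, r))
```

The `other` reply is the case from the thread: the strict helper refuses to open an expectation, so the client's data connection never gets through the NAT box, while the same client outside the NAT (or one that ignores the advertised address, or a server that supports EPSV) is unaffected.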