> shin> (About EPRT, initiating client retry PORT command next if EPRT
> shin> fails, so trying EPRT first will be OK.)
>   No.  In this scenario, if the server knows EPRT, the EPRT request will be
> accepted, and will not fail.  But an existing NAT box doesn't handle the
> EPRT request.  So the NAT box cannot treat the data connection as it does
> for PORT.  Then the data connection request from the server will not reach
> the client.
> shin> As RFC2428 (FTP Extensions for IPv6 and NATs), EPSV can be used
> shin> for IPv4 and IPv6 and it has a performance benefit for firewall
> shin> and NAT, because it doesn't include an IP address in its
> shin> command, so firewall and NAT don't need to translate them.
>   No problem will occur with EPSV even on IPv4.  If the server doesn't
> know EPSV, the client will try PASV next.

There also seems to be some problem in the reverse case.
I actually tested in the following environment.
(I should have checked it earlier in the first place.)

My home                 router                  remote
current                 3.3                     current
/usr/bin/ftp            /usr/sbin/ppp -nat      /usr/libexec/ftpd

In non passive case,

  ftp> dir
  500 Illegal PORT range rejected.
  200 pcmd command successful.
  150 Opening ASCII mode data connection for '/bin/ls'.
  total 4
  dr-xr-xr-x  2 root  operator   512 Jan  2 14:50 bin
  dr-xr-xr-x  2 root  operator   512 Jan  2 14:50 etc
  drwxrwxrwt  2 root  operator   512 Jan  2 14:50 incoming
  drwxr-xr-x  2 root  operator  1024 Feb  4 12:54 pub
  226 Transfer complete.

The 1st trial seems to be rejected at
    500 Illegal PORT range rejected.
and the 2nd trial seems to be accepted at
    200 pcmd command successful.

And then I tried passive mode.

  ftp> passive
  Passive mode on.
  ftp> dir
  229 Entering Extended Passive Mode (|||1044|)
  ^C
  receive aborted
  waiting for remote to finish abort.

The connection hung at
    229 Entering Extended Passive Mode (|||1044|)
for a while, so I aborted it.

> shin> So if no other better suggestion, I think I'll get permission
> shin> to fix 4.0 ftp client to try EPSV only for IPv6.
> 
>   EPSV is NAT friendly.  I think disabling EPRT on IPv4 is better for a
> while.


I now feel disabling either of EPSV and EPRT over IPv4 is safe
for 4.0.

Yoshinobu Inoue
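To make the NAT argument in the thread concrete, here is an added example (not code from the thread or from FreeBSD) that parses the four data-connection negotiations discussed above (PORT, PASV 227, EPRT, EPSV 229) and models a pre-RFC2428 NAT box that only knows how to rewrite PORT. The EPSV reply is the one quoted in the message; the private addresses and the `|` delimiter are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class DataConn:
    kind: str                 # PORT, PASV, EPRT or EPSV
    host: Optional[str]       # None when the message carries no address
    port: int

    @property
    def needs_nat_rewrite(self) -> bool:
        """True when an address is embedded, so a NAT box must translate it."""
        return self.host is not None

# PORT/PASV carry h1,h2,h3,h4,p1,p2 with port = p1*256 + p2 (RFC 959).
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
_PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# EPRT <d><proto><d><addr><d><port><d>; EPSV reply is (<d><d><d><port><d>).
_EPRT_RE = re.compile(r"^EPRT\s+(.)([12])\1([^|]+)\1(\d+)\1\s*$", re.I)
_EPSV_RE = re.compile(r"^229\b.*?\((.)\1\1(\d+)\1\)")

def parse_data_conn(line: str) -> DataConn:
    """Parse one FTP command or reply that negotiates a data connection."""
    if m := _PORT_RE.match(line):
        host = ".".join(m.group(i) for i in range(1, 5))
        return DataConn("PORT", host, int(m.group(5)) * 256 + int(m.group(6)))
    if m := _PASV_RE.match(line):
        host = ".".join(m.group(i) for i in range(1, 5))
        return DataConn("PASV", host, int(m.group(5)) * 256 + int(m.group(6)))
    if m := _EPRT_RE.match(line):
        return DataConn("EPRT", m.group(3), int(m.group(4)))
    if m := _EPSV_RE.match(line):
        return DataConn("EPSV", None, int(m.group(2)))
    raise ValueError(f"not a data-connection negotiation: {line!r}")

def through_legacy_nat(line: str, public_ip: str) -> str:
    """Model a NAT box that understands PORT but not EPRT/EPSV (port
    remapping omitted for brevity).  PORT gets its private address
    replaced by the NAT's public one; EPRT is forwarded untouched, so
    the private address leaks and the server's data connection never
    reaches the client.  EPSV passes untouched too, but harmlessly,
    because it carries no address at all."""
    if m := _PORT_RE.match(line):
        return f"PORT {public_ip.replace('.', ',')},{m.group(5)},{m.group(6)}"
    return line
```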

