On Thu, 14 Sep 2006, Steve Welham wrote:
> I agree with you and I think the man page is missing a line - at least
> for passive mode, which is all that I tested (running ftp-proxy with no
> options). It does appear that 2 translation rules are added for PASV -
> an rdr and a nat:
>
> It looks like that rdr rule is added in order to achieve the port
> rewriting noted in the code comments:
>         * 3)  Source and destination ports are rewritten to minimize
>         *     port collisions, to aid security (some systems pick weak
>         *     ports) or to satisfy RFC requirements (source port 20).
> 
> I think this is explained when you consider the 4 rules together, so for
> my test:
> 
> 1) Inbound translation:
> Packet: "192.168.0.10 to A.B.C.D:57239"
> Action: rdr matches and packet becomes "192.168.0.10 to A.B.C.D:26703"
> 
> 2) Inbound filter:
> Packet: "192.168.0.10 to A.B.C.D:26703"
> Action: Matches first filter rule.
> 
> 3) Outbound translation... matches the NAT rule
> 
> 4) Outbound filter... matches the 2nd filter rule
> 
> HTH, my understanding is a lot clearer if this is all correct. Hopefully
> someone else can confirm.

Yes, all correct.
 
The rules in the manpage are very much simplified, to clarify what the 
proxy does.  Listing the exact rules with the port rewriting would make 
them a lot more complicated (i.e. not suitable for a manpage).


--
Cam

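The four-stage walk-through in the quoted message, as an added example (not part of the thread, and not ftp-proxy or pf code): a toy Python model of pf's evaluation order for the PASV data connection. It applies the nat/rdr rules first (first match wins) and the filter rules afterwards (last match wins, unless quick) on the translated packet, which is why the inbound pass rule has to name the proxy's port 26703 rather than the port 57239 the client was given. The client address 192.168.0.10 and the two ports come from the thread; the external address 203.0.113.1 (standing in for A.B.C.D), the server address 198.51.100.20, the server's PASV port 3456, the nat source port 50123, the ephemeral client/proxy ports and the default "block" rule are assumptions made for the example.

```python
"""Toy model of pf's pipeline (translation, then filter) for the ftp-proxy
passive-mode case.  Added illustration, not pf or ftp-proxy code: matching
is reduced to src/dst/port tests, nat/rdr use first-match, filter rules use
last-match unless 'quick', and an unmatched packet passes (pf's default)."""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

CLIENT = "192.168.0.10"        # from the thread
FW_EXT = "203.0.113.1"         # assumed stand-in for "A.B.C.D" in the thread
SERVER = "198.51.100.20"       # assumed address of the remote FTP server
CLIENT_SEEN_PORT = 57239       # port the client was told in the rewritten PASV reply
PROXY_LISTEN_PORT = 26703      # port the proxy actually listens on
SERVER_PASV_PORT = 3456        # assumed port the real server announced
NAT_SRC_PORT = 50123           # assumed source port chosen by the nat rule


@dataclass(frozen=True)
class Packet:
    direction: str             # "in" or "out" on the external interface
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class TransRule:
    kind: str                  # "rdr" or "nat"
    match: Callable[[Packet], bool]
    rewrite: Callable[[Packet], Packet]


@dataclass(frozen=True)
class FilterRule:
    action: str                # "pass" or "block"
    match: Callable[[Packet], bool]
    quick: bool = False


def translate(pkt: Packet, rules: List[TransRule]) -> Tuple[Packet, Optional[str]]:
    """nat/rdr: the first matching rule rewrites the packet; others are skipped."""
    for r in rules:
        if r.match(pkt):
            return r.rewrite(pkt), r.kind
    return pkt, None


def filter_verdict(pkt: Packet, rules: List[FilterRule]) -> str:
    """Filter rules see the *translated* packet; last match wins unless quick."""
    verdict = "pass"
    for r in rules:
        if r.match(pkt):
            verdict = r.action
            if r.quick:
                break
    return verdict


def process(pkt: Packet, trans: List[TransRule], filt: List[FilterRule]):
    """One pass through pf for one direction: translate, then filter."""
    translated, kind = translate(pkt, trans)
    return translated, kind, filter_verdict(translated, filt)


# The two translation rules the thread describes for one PASV data connection.
TRANS = [
    # (1) rdr: client -> A.B.C.D:57239 becomes client -> A.B.C.D:26703
    TransRule("rdr",
              lambda p: p.direction == "in" and p.src == CLIENT
              and p.dst == FW_EXT and p.dport == CLIENT_SEEN_PORT,
              lambda p: replace(p, dport=PROXY_LISTEN_PORT)),
    # (3) nat: proxy -> server gets its source port rewritten (assumed target)
    TransRule("nat",
              lambda p: p.direction == "out" and p.src == FW_EXT
              and p.dst == SERVER and p.dport == SERVER_PASV_PORT,
              lambda p: replace(p, sport=NAT_SRC_PORT)),
]

# The two filter rules, behind an assumed default block (last match wins).
FILTER = [
    FilterRule("block", lambda p: True),
    # (2) pass in to the translated proxy port, not the port the client saw
    FilterRule("pass", lambda p: p.direction == "in" and p.src == CLIENT
               and p.dst == FW_EXT and p.dport == PROXY_LISTEN_PORT),
    # (4) pass out from the proxy to the server's PASV port
    FilterRule("pass", lambda p: p.direction == "out" and p.src == FW_EXT
               and p.dst == SERVER and p.dport == SERVER_PASV_PORT),
]


def pasv_walkthrough() -> dict:
    """Stages 1-4 from the thread: inbound rdr+filter, outbound nat+filter."""
    inbound = Packet("in", CLIENT, 40001, FW_EXT, CLIENT_SEEN_PORT)   # constructed
    outbound = Packet("out", FW_EXT, 40002, SERVER, SERVER_PASV_PORT)  # constructed
    return {"in": process(inbound, TRANS, FILTER),
            "out": process(outbound, TRANS, FILTER)}


def verdict_with_untranslated_port_rule() -> str:
    """Mistake to avoid: a pass rule written for port 57239 never sees the
    packet, because rdr has already rewritten the port to 26703."""
    wrong = [FILTER[0],
             FilterRule("pass", lambda p: p.direction == "in" and p.src == CLIENT
                        and p.dst == FW_EXT and p.dport == CLIENT_SEEN_PORT),
             FILTER[2]]
    inbound = Packet("in", CLIENT, 40001, FW_EXT, CLIENT_SEEN_PORT)   # constructed
    return process(inbound, TRANS, wrong)[2]


if __name__ == "__main__":
    for direction, (pkt, kind, verdict) in pasv_walkthrough().items():
        print(direction, kind, f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}", verdict)
    print("pass rule on untranslated port:", verdict_with_untranslated_port_rule())
```

Running it prints the inbound packet arriving at the filter with destination port 26703 and the outbound packet leaving with its rewritten source port, both passed; the last line shows the blocked verdict a pass rule keyed on the pre-rdr port 57239 would produce.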