Thursday, May 11, 2006

What Shorewall could and Nortel Contivity couldn't

I happened to have a strange issue. I had an IP to which I had done a layer of NATting so that an IP w.x.y.z would appear to my network users as a.b.c.d. I used Nortel Contivity CSF/NAT software for this.
But whenever we did an FTP to the NATted IP, the initial connection got established, but after that the data connection was never established. It dropped the connection whenever a data connection or passive mode was requested. I checked the rules at my end thoroughly, opened up the required ports, and ensured that at the other end also everything was open. But nothing worked. Finally I decided to do a packet capture and set up an Ethereal capture with the filter on the FTP port alone.
To my wonder, the raw PORT FTP command was giving the IP a.b.c.d to the FTP server at w.x.y.z, which the server was not aware of since I was doing a NAT.
The problem was detected, but earlier this used to work when I did the same using Shorewall.
I read the documentation of Shorewall and understood that Linux was aware of this issue, and hence there was a kernel module, ip_nat_ftp, which took care of modifying PORT and PASV commands in case of a NAT. Shorewall automatically loads this module. That's why it used to work earlier.
When contacted, Nortel said it's a known bug with their firmware version, which they will fix in their next update.
Perhaps if their code were open, it might have got noticed long back...
Am I right?
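To show what the kernel helper has to do on the control channel, here is an added example (not Shorewall's or the kernel's code): it rewrites the address embedded in a client's PORT command and in a server's 227 PASV reply, and reports the announced data port so a NAT can expect the data connection. The addresses 192.0.2.10 and 198.51.100.7 are constructed stand-ins for the pre-NAT and post-NAT addresses.

```python
import re

# Both FTP data-channel announcements carry an IP and port as six
# decimal fields h1,h2,h3,h4,p1,p2 with port = p1*256 + p2 (RFC 959).
PORT_CMD = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_REPLY = re.compile(r"^(227 .*?\()(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)(\).*)$")


def decode_hostport(fields):
    """Turn the six RFC 959 fields into (ip, port); reject out-of-range octets."""
    h = [int(f) for f in fields[:4]]
    p1, p2 = int(fields[4]), int(fields[5])
    if any(o > 255 for o in h) or p1 > 255 or p2 > 255:
        raise ValueError("malformed host-port fields")
    return ".".join(str(o) for o in h), p1 * 256 + p2


def encode_hostport(ip, port):
    """Inverse of decode_hostport."""
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"


def rewrite_ftp_line(line, old_ip, new_ip):
    """Rewrite one control-channel line the way an FTP NAT helper must.

    Returns (possibly rewritten line, announced data port) for a PORT
    command or a 227 PASV reply, and (line, None) for any other line.
    Only an address equal to old_ip is rewritten to new_ip; any other
    address is left untouched, but its port is still reported so the
    caller can expect the coming data connection.
    """
    text = line.rstrip("\r\n")
    m = PORT_CMD.match(text)
    if m:
        ip, port = decode_hostport(m.groups())
        if ip == old_ip:
            return f"PORT {encode_hostport(new_ip, port)}\r\n", port
        return line, port
    m = PASV_REPLY.match(text)
    if m:
        ip, port = decode_hostport(m.groups()[1:7])
        if ip == old_ip:
            return f"{m.group(1)}{encode_hostport(new_ip, port)}{m.group(8)}\r\n", port
        return line, port
    return line, None


if __name__ == "__main__":
    # Constructed control-channel lines: a client PORT and a server PASV reply.
    for sample in ("PORT 192,0,2,10,4,1\r\n",
                   "227 Entering Passive Mode (192,0,2,10,195,80)\r\n"):
        print(rewrite_ftp_line(sample, "192.0.2.10", "198.51.100.7"))
```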