With the more active (excuse the pun) NAT devices out there, they can watch for PORT commands in the packet stream and open up the port incoming from the server back to the client. One of the problems with two stateless firewalls and passive ftp is that it won't work. One of the firewalls has to allow incoming connections in whatever scenario. With active ftp though, you can filter based on the source port of the return packets (20) on the client firewall. Not the best, but still one better than the passive where you've got an arbitrary port on both the server and client.
Cheers,
Chris

Gordon Smith wrote:
That's why passive FTP is used instead. Active FTP won't work in most networks now. NAT is done at the border firewall/router.
Besides, some protocols like FTP (in PORT mode) initiate the data connection from the _server_ end to the client even though the initial connection and request of the file has come from the client. So "customer initiated data" is a meaningless concept.
Regards, Simon
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
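As an added illustration (not code from anyone in this thread), the Python below decodes the h1,h2,h3,h4,p1,p2 address form carried by a PORT command and a 227 reply, reports which side opens the data connection and what the client or server firewall must permit, and shows what an FTP-aware NAT has to do with a PORT command; the sample control-channel lines and the public address 198.51.100.7 are constructed, and the NAT rewrite keeps the same port number, which is a simplification.

```python
import re

# Constructed sample control-channel lines (not taken from the thread).
PORT_CMD = "PORT 192,168,1,10,195,80"                          # active: client announces where to connect
PASV_REPLY = "227 Entering Passive Mode (203,0,113,5,39,16)"   # passive: server announces a listening port

def parse_hostport(spec: str) -> tuple[str, int]:
    """Decode the six-number h1,h2,h3,h4,p1,p2 form; port = p1*256 + p2."""
    nums = [int(n) for n in re.findall(r"\d+", spec)[:6]]
    if len(nums) != 6 or any(n > 255 for n in nums):
        raise ValueError(f"bad host/port spec: {spec!r}")
    return ".".join(map(str, nums[:4])), (nums[4] << 8) | nums[5]

def data_connection(line: str) -> dict:
    """Say who initiates the data connection and which firewall must allow it inbound."""
    if line.upper().startswith("PORT "):
        host, port = parse_hostport(line[5:])
        return {"mode": "active", "initiator": "server",
                "server_src_port": 20,                 # server connects from its data port 20
                "client_dst": (host, port),            # to the address/port the client announced
                "client_fw_must_allow": f"inbound tcp sport 20 -> {host}:{port}"}
    if line.startswith("227"):
        host, port = parse_hostport(line[3:])          # skip the reply code itself
        return {"mode": "passive", "initiator": "client",
                "server_listen": (host, port),         # an arbitrary port chosen by the server
                "server_fw_must_allow": f"inbound tcp -> {host}:{port} (arbitrary port)"}
    raise ValueError("not a PORT command or a 227 reply")

def nat_rewrite_port(line: str, public_ip: str) -> tuple[str, str]:
    """What an FTP-aware NAT does on seeing PORT: rewrite the private address
    to its public one and open a pinhole so the server's port-20 connection
    can be translated back to the client. Same port kept for simplicity."""
    host, port = parse_hostport(line[5:])
    p1, p2 = port >> 8, port & 0xFF
    rewritten = "PORT " + ",".join(public_ip.split(".") + [str(p1), str(p2)])
    pinhole = f"allow tcp sport 20 -> {public_ip}:{port}, dnat to {host}:{port}"
    return rewritten, pinhole

if __name__ == "__main__":
    print(data_connection(PORT_CMD))
    print(data_connection(PASV_REPLY))
    print(nat_rewrite_port(PORT_CMD, "198.51.100.7"))
```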