-
With a Linux gateway and one-way NAT enabled, I find that Windows FTP clients cannot establish the data-transfer channel. Could some expert help me? Thanks.
-billhuang(瞎跑);
2001-6-25
-
It depends on whether you are using passive or active mode; you have to open the unprivileged ports (1024-65535) and load the ftp module for ipchains.
URL: http://www.linuxdoc.org/HOWTO/IPCHAINS-HOWTO.html
-guest:;
2001-6-25
-
But after setting the ipchains INPUT, OUTPUT and FORWARD policies all to ACCEPT, a Linux client can establish the FTP connection and transfer data, while a Windows client can establish the connection but cannot transfer data.
-billhuang(瞎跑);
2001-6-25
-
Use ftp proxy module like this (no need to open up 1024-65535):
-dennis2(Dennis);
2001-6-26
-
literal PASV or quote "PASV" won't do the job, because the ftp client has to be able to realize it's in passive mode and initiate the connection. The PASV command only makes the server jump into passive mode. Solaris and Windows built-in command-line ftp clients are not capable of doing passive transfers; there is nothing you can do about it. As for Linux, the built-in command "passive" can do the trick. In any case, an application-level gateway (you can call it an ftp proxy) is the best choice in terms of compatibility and security.
-numnum(numnum);
2001-6-26
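The control-channel inspection that both the ipchains ftp module reply and the ALG reply above rely on, as an added example that is not from this thread: it parses PORT commands and 227 replies, decides whether the gateway must pre-open an inbound data connection (active mode) or can rely on plain outbound NAT (passive mode), and shows the address rewrite a masquerading helper applies to an outgoing PORT. The sample lines and all addresses are constructed.

```python
import re

# Constructed sample control-channel lines (not taken from the thread).
SAMPLE_PORT = "PORT 192,168,1,20,4,210"
SAMPLE_PASV = "227 Entering Passive Mode (203,0,113,5,195,80)."

# FTP encodes an endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
_SIX = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_endpoint(line):
    """Extract (ip, port) from a PORT command or a 227 reply; None if absent."""
    m = _SIX.search(line)
    if not m:
        return None
    o = [int(x) for x in m.groups()]
    if any(n > 255 for n in o):
        return None
    return ".".join(map(str, o[:4])), o[4] * 256 + o[5]

def format_endpoint(ip, port):
    """Inverse of parse_endpoint."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

def classify(line, client_ip, server_ip):
    """Decide what the gateway must do for the data connection this line sets up.
    Active (PORT): the server connects back to the client, so the gateway must
    pre-open an inbound mapping; a sane helper also refuses PORT lines that do
    not name the client itself.  Passive (227): the client connects out to the
    server, which ordinary outbound NAT already handles."""
    ep = parse_endpoint(line)
    if ep is None:
        return None
    ip, port = ep
    if line.upper().startswith("PORT"):
        if ip != client_ip:
            return {"mode": "active", "allow": False}
        return {"mode": "active", "allow": True, "inbound_hole": (ip, port)}
    if line.startswith("227"):
        if ip != server_ip:
            return {"mode": "passive", "allow": False}
        return {"mode": "passive", "allow": True, "inbound_hole": None}
    return None

def rewrite_port(line, public_ip, mapped_port):
    """What a masquerading ftp helper does to an outgoing PORT command: replace
    the private endpoint with the gateway's public address and the port it
    mapped for the expected server-to-client data connection."""
    return _SIX.sub(format_endpoint(public_ip, mapped_port), line, count=1)
```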
-
You are right. I can't remember where I got the impression that issuing "literal PASV" could put a client into passive mode (which is very wrong). Oh wait, I vaguely remember it was from a support document of a software package I used to support that made use of the command-line ftp client on Windows.
So their concept is so screwed up, and I didn't pay much attention to it. Me bad!
Anyway, like you said, an ALG is more appropriate. Quite a few packet-filtering firewalls (fw-1, pix, linux iptables) were having problems with the PORT command when protecting ftp servers in a DMZ. I'd blame the protocol -- it's just so hard to get it right.
-dennis2(Dennis);
2001-6-26