Sunday, November 1, 2009

ftp thru a NAT firewall

I always wondered how an FTP data connection gets through a firewall with NAT.
An FTP client on a machine with a private IP address (192.168.x.x) sends its own local address in the PORT command, like:
---> PORT 192,168,0,2,150,117
but the server still manages to establish the data connection to the client machine.
The answer is simple: the NAT router also works at the application level and understands the FTP commands (an FTP application-level gateway, or ALG). When it sees the "PORT" command on the control connection, it rewrites the internal address to the external one and adds a temporary record to the firewall table so that the server's incoming data connection is forwarded to the client.

It's funny, but my simple cheap all-in-one WiFi box at home does the job when the FTP commands are upper-cased and ignores them when they are lower-cased.
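To make the rewrite step concrete, here is an added example (not code from the original post or from any router firmware) of what an FTP ALG has to do with a PORT command: decode the six comma-separated numbers (the last two encode the port as p1*256+p2, so 150,117 is port 38517), check that the client is only asking for a connection back to its own address, allocate an external port, record the pinhole, and emit a rewritten PORT line. The external address 203.0.113.5 and the port range starting at 40000 are assumptions chosen for the example; the matcher is case-insensitive, as RFC 959 requires, which is exactly what the lower-case "port" observation above is about.

```python
import re

# RFC 959 commands are case-insensitive; a matcher that only accepts "PORT"
# (like the home router described in the post) silently misses "port".
PORT_RE = re.compile(r"^\s*PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port_command(line):
    """Return (ip, port) from an FTP PORT line, or None if it is not a valid PORT."""
    m = PORT_RE.match(line)
    if not m:
        return None
    fields = [int(x) for x in m.group(1).split(",")]
    if any(f > 255 for f in fields):
        return None  # each field is one byte
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # high byte, low byte
    if port == 0:
        return None
    return ip, port


def build_port_command(ip, port):
    """Encode ip/port back into the h1,h2,h3,h4,p1,p2 form of a PORT command."""
    octets = ip.split(".")
    return "PORT " + ",".join(octets + [str(port // 256), str(port % 256)])


def naive_matches(line):
    """Case-sensitive matcher, illustrating the upper-case-only behaviour seen on the post's router."""
    return line.startswith("PORT ")


class FtpAlg:
    """Minimal model of an FTP application-level gateway on a NAT router (assumed design)."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip  # assumed public address of the router
        self.next_port = first_port     # assumed range for allocated external ports
        self.pinholes = []              # (external_port, internal_ip, internal_port)

    def rewrite(self, line, client_ip):
        """Rewrite a PORT line from client_ip.

        Returns (line_to_forward, pinhole). Non-PORT lines pass through untouched
        with pinhole None; a PORT naming an address other than the client's own
        is dropped (returns (None, None)) because it would turn the router into
        a relay for connections to third parties.
        """
        parsed = parse_port_command(line)
        if parsed is None:
            return line, None
        internal_ip, internal_port = parsed
        if internal_ip != client_ip:
            return None, None
        external_port = self.next_port
        self.next_port += 1
        pinhole = (external_port, internal_ip, internal_port)
        self.pinholes.append(pinhole)  # the "temporary record in the firewall table"
        return build_port_command(self.external_ip, external_port), pinhole


if __name__ == "__main__":
    alg = FtpAlg("203.0.113.5")
    for cmd in ("USER anonymous", "PORT 192,168,0,2,150,117", "port 192,168,0,2,150,118"):
        print(repr(cmd), "->", alg.rewrite(cmd, client_ip="192.168.0.2"))
    print("pinholes:", alg.pinholes)
```

Running the block shows the two PORT lines (one upper-case, one lower-case) being rewritten to the external address with fresh ports 40000 and 40001, while the USER line passes through unchanged; `naive_matches` accepts only the upper-case form.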

Good article about the subject here:
