[ntp:questions] Re: Taming the pinball machine

Maarten Wiltink maarten at kittensandcats.net
Tue Nov 11 18:07:38 UTC 2003

"Wolfgang S. Rupprecht"
<wolfgang+gnus20031111T073744 at dailyplanet.dontspam.wsrcc.com> wrote in
message news:x74qxax5qj.fsf at capsicum.wsrcc.com...
> "Maarten Wiltink" <maarten at kittensandcats.net> writes:
>> That doesn't work from here, either. What DNS name has to agree,
>> exactly? The one of my NATing router, perhaps?
>> I would say that to break existing protocols so they only work from
>> a browser is, well, Bad.
> Does it work correctly when your NAT box is removed and the system is
> hooked up to the net directly?

I don't know, and I'm not about to find out. My gateway machine does
things beside NAT, like, er, firewalling.

...Which "the" system? Mine, my wife's, the news proxy, the mail server,
or the other two that might conceivably get by without Internet access?

It doesn't work correctly from the gateway machine itself, with symptoms
identical to those described by other people.

> The ftp protocol works poorly through NAT.  The problem is that ftp
> embeds the client system's address in the file transfer transaction
> and then opens a connection from the server to the client.  Under NAT
> this is the private, non-routable address.  That is strike 1.  Strike
> 2 is the fact that an unsolicited tcp open is showing up at the NAT
> box.  NAT is going to drop that open like a hot potato.

I know. The ip_masq_ftp kernel module fixes that for me and a million
other people.

> There is a mode called "passive ftp" that gets around these problems
> ("ftp -p <hostname>" in unix) where the opens are all done from the
> client side.  Things stay nice and consistent.  Passive mode may or
> may not be supported by the ftp server you are connecting to.
> On the other hand, ftp servers have been checking rDNS for over a
> decade.  You are going to have more problems than just one ftp site if
> your ISP can't be bothered to fill in their DNS and rDNS information
> correctly.

Please do not insult my ISP as well. They know where their towel is.
They have working DNS and RDNS, to the point where I can change what
name my IP address reverse-resolves to.

And they have working FTP, too, except to ftp.udel.edu.

Maarten Wiltink
