Common operational misconceptions

Jimmy Hess mysidia at
Mon Feb 20 04:40:57 UTC 2012

On Sun, Feb 19, 2012 at 10:09 PM, Andrew Jones <aj at> wrote:
> On Mon, 20 Feb 2012 11:17:32 +0900, Masataka Ohta
> It seems to me that this will create all sorts of headaches for firewall
> ALGs. Rather than just passing port 21/tcp traffic to the FTP ALG for
> example, the devices would need to inspect traffic on all ports and perform

That doesn't work when the FTP control connection is encrypted using SSL.
Layer 4 Firewall devices should not be expecting to intercept FTP
traffic and make decisions based on the application layer contents of
the traffic.

I would suggest a requirement that FTP clients utilizing SRV records
to access FTP on an alternate port MUST utilize Firewall-Friendly FTP
as described by RFC1579.

Each FTP server can then be assigned its own port range, or the FTP
server can be configured to notify the Firewall device which ports to
forward using UPnP or a NAT traversal protocol such as STUN, and the
Firewall device can be configured to forward the appropriate range of
ports to the correct server.
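The port-range arrangement proposed above rests on the PASV exchange from RFC 959 (the "firewall-friendly" mode RFC 1579 recommends): the server names the data port in a `227` reply and the client opens the data connection outbound, so a firewall only needs to forward the server's fixed passive range rather than parse the control channel. The following is an added illustration, not code from the post or from any FTP implementation; it parses a `227` reply and applies the kind of allow-list check a firewall or a cautious client could use to confirm the announced data port lies in the range assigned to that server. The addresses, the range 50000-50100 and the reply lines are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple, Iterable

# RFC 959 format: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# Some servers vary the text before the parentheses, so only the tuple is matched.
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from a 227 reply, or None if the reply is malformed."""
    m = PASV_RE.match(line.strip())
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # p1 is the high byte, p2 the low byte
    if port == 0:
        return None
    return ip, port


@dataclass(frozen=True)
class PassiveRange:
    """Passive data-port range assigned to one FTP server (constructed policy)."""
    server_ip: str
    low: int
    high: int


def data_connection_allowed(
    control_server_ip: str, reply: str, ranges: Iterable[PassiveRange]
) -> bool:
    """Decide whether the data connection announced in `reply` should be opened.

    The announced host must be the server the control connection already
    talks to (a reply pointing elsewhere is treated as a redirect and refused),
    and the port must fall inside that server's configured passive range.
    """
    parsed = parse_pasv_reply(reply)
    if parsed is None:
        return False
    ip, port = parsed
    if ip != control_server_ip:
        return False
    return any(
        r.server_ip == ip and r.low <= port <= r.high for r in ranges
    )


# Constructed example policy: one server, passive ports 50000-50100 forwarded.
POLICY = [PassiveRange("192.0.2.10", 50000, 50100)]

if __name__ == "__main__":
    samples = [
        "227 Entering Passive Mode (192,0,2,10,195,88)",    # port 50008, in range
        "227 Entering Passive Mode (192,0,2,10,195,200)",   # port 50120, outside
        "227 Entering Passive Mode (198,51,100,7,195,88)",  # points at another host
        "227 Entering Passive Mode (192,0,2,10,999,1)",     # malformed octet
    ]
    for s in samples:
        print(f"{s!r:55} -> {data_connection_allowed('192.0.2.10', s, POLICY)}")
```

Because the check is stateless and keyed on the server's address and range, it works the same whether the control connection is on 21/tcp or on a port learned from an SRV record, and it needs no visibility into an encrypted control channel as long as the client applies it.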
