# ftp-proxy and source address problem



## RusDyr (Feb 28, 2013)

Hello all.

I maintain a Carrier Grade NAT (CGN) system, based on FreeBSD with pf (NAT and Bi-NAT) and dummynet (ipfw's shaper) for a few thousand customers.

For the usual problems with FTP under NAT, we use ftp-proxy. Everything worked fine until we got a request from one customer with a problem: he can't download from some FTP servers in passive mode and gets a strange error:

```
425 Possible PASV port theft, cannot open data connection
```

So we began to investigate the reason, and found it. While ftp-proxy establishes the control FTP connection from [one of the] server IP, the data connection to the FTP server is established with the customer's external (due to binat) source address. Some FTP servers (based on wu-ftpd, probably) are paranoid and want the same source address in the data connection as in the control connection.

It can be easily seen in the tshark dump here: http://pastie.org/6347758 (FTP server IP is 15.193.112.22, NAT-server IP is 109.71.176.1, customer [external] IP is 93.92.199.139).

What can we do about it? Ftp-proxy, in my opinion, should respect existing (binat) address translation and work more tightly with pf in this aspect. Or am I wrong? The Linux NAT conntrack helper works like a charm, and I am considering it.


----------
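Added example, not part of the original post: a small Python check that finds the mismatch described above in a capture summary, by parsing each `227` passive-mode reply and comparing the source of the SYN to the advertised data port with the address the server saw on the control connection. The event tuples and the port number are constructed for illustration; only the three IP addresses come from the post.

```python
import re
from ipaddress import ip_address

# RFC 959 passive reply: 227 ... (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")

def parse_pasv(line):
    """Return (ip, port) advertised in a 227 reply, or None if not a valid one."""
    m = PASV_RE.match(line)
    if not m:
        return None
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        return None
    return ip_address("%d.%d.%d.%d" % tuple(n[:4])), n[4] * 256 + n[5]

def find_mismatches(events):
    """Report data connections whose source differs from the control peer.

    events (assumed format, in capture order):
      ("reply", ctrl_peer, line)  control-channel reply sent to ctrl_peer
      ("syn", src, dst, dport)    TCP SYN seen on the wire
    """
    pending = {}  # (data_ip, data_port) -> address the server saw on control
    found = []
    for ev in events:
        if ev[0] == "reply":
            endpoint = parse_pasv(ev[2])
            if endpoint:
                pending[endpoint] = ip_address(ev[1])
        elif ev[0] == "syn":
            _, src, dst, dport = ev
            expected = pending.pop((ip_address(dst), dport), None)
            if expected is not None and ip_address(src) != expected:
                found.append({"data_port": dport,
                              "control_src": str(expected),
                              "data_src": src})
    return found

# Constructed capture summary using the addresses quoted in the post.
SAMPLE = [
    ("reply", "109.71.176.1", "227 Entering Passive Mode (15,193,112,22,195,80)"),
    ("syn", "93.92.199.139", "15.193.112.22", 50000),   # binat'ed customer address
    ("reply", "109.71.176.1", "227 Entering Passive Mode (15,193,112,22,195,81)"),
    ("syn", "109.71.176.1", "15.193.112.22", 50001),    # same source: accepted
]

if __name__ == "__main__":
    for hit in find_mismatches(SAMPLE):
        print("data source %(data_src)s != control source %(control_src)s "
              "(port %(data_port)d)" % hit)
```
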

