Passive FTP sees remote's _internal_ IP!!??

Maxime Ducharme mducharme at cybergeneration.com
Tue Nov 28 19:09:48 CET 2006


> SonicWALL does fix this, and we also would REALLY like to know how!!  At
> the present time, our only "solution" is to reconfigure the clients to
> gateway to the SonicWALL because everyone's browser only does passive
> FTP.

I have an idea on how SonicWALL fixes this: maybe it
is programmed to detect badly configured FTP replies
and correct them itself by replacing the PASV x.x.x.x
command with the source IP found in the IP packet.

Something like:

if ip.sourceIP != ftp.reply.passiveIP then
  ftp.reply.passiveIP = ip.sourceIP

I don't think iptables can do that, correct me if I'm wrong.

I see you got a workaround, happy to hear this :)

Have a nice day

Maxime
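
The rewrite sketched in the message above, as an added example that is not part of the original post and not SonicWALL or netfilter code: it parses the 227 reply a server sends in answer to PASV and substitutes the packet's source address when the advertised host differs. The function names and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Six decimal fields h1,h2,h3,h4,p1,p2 carried in a 227 reply (RFC 959).
PASV_FIELDS = re.compile(r"(?<!\d)(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})(?!\d)")


def _match_pasv(line):
    """Return (match, fields) for a well-formed 227 reply, else None."""
    if not line.startswith("227"):
        return None
    m = PASV_FIELDS.search(line, 3)  # skip the reply code itself
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None  # malformed octet: leave the line alone
    return m, fields


def parse_pasv(line):
    """Return (IPv4Address, port) advertised by a 227 reply, or None."""
    hit = _match_pasv(line)
    if hit is None:
        return None
    _, f = hit
    return ipaddress.IPv4Address(".".join(map(str, f[:4]))), f[4] * 256 + f[5]


def fix_pasv_reply(line, packet_src_ip):
    """Rewrite the advertised host to packet_src_ip when they differ.

    Returns (line, changed). Only the text is handled here; a device doing
    this in-path must also fix up TCP sequence numbers and checksums when
    the reply length changes.
    """
    hit = _match_pasv(line)
    if hit is None:
        return line, False
    m, f = hit
    src = ipaddress.IPv4Address(packet_src_ip)
    if ipaddress.IPv4Address(".".join(map(str, f[:4]))) == src:
        return line, False
    new = ",".join(str(src).split(".") + [str(f[4]), str(f[5])])
    return line[:m.start()] + new + line[m.end():], True


if __name__ == "__main__":
    # Constructed sample: server reached at 203.0.113.5 advertises its LAN address.
    print(fix_pasv_reply("227 Entering Passive Mode (192,168,1,10,19,137)\r\n", "203.0.113.5"))
```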



