NFTP behind the firewall
NFTP can be used if your machine is located behind a firewall (for brevity,
ordinary proxies such as Squid will be called firewalls too). There
are several kinds of firewalls (and there may be other types not documented
here). Unfortunately, I cannot test NFTP with all types of firewalls because
I don't have them all, so I have to rely on independent testers. If NFTP does not
work with your firewall software, please contact me and I will try to fix
the situation. I would also appreciate your report about whether NFTP works
with your firewall, what your firewall software is called and to what type
it belongs.
To configure NFTP to be used through a firewall,
decide what type your firewall is (see the list of firewall types below), and then edit NFTP.INI,
setting the appropriate variables in the [firewalling]
section:

Variable | Value
---|---
firewall-type | The type of firewall (a number) as described in the list of firewall types below. 0 means no firewalling support and is the default. If you aren't sure, try everything from 1 to 4 and see what works.
firewall-host | The name of your firewall machine.
firewall-login | Your login on the firewall. Only needed for types 1 and 2.
firewall-password | Your password on the firewall. Only needed for types 1 and 2. Please be careful; put your password here only when you are absolutely sure that no one other than you can read this file.
firewall-port | The firewall port to connect to. Usually not needed (i.e. the default value of 21 is used); your local administrator will tell you if you need it.
use-PASV-mode | This setting is used with router-based firewalls; it forces NFTP into passive mode. The default mode of establishing the data connection (also called PORT mode) assumes that the connection is made from server to client. Sometimes this is not allowed for security reasons and passive mode is required. Passive mode means that the data connection is established by the client, not the server. Typically it has no effect on FTP features or performance; in the past there were some FTP servers which did not work in passive mode or handled it poorly, but virtually any modern FTP server implementation works fine in passive mode. Sometimes you need to switch it on together with another kind of firewall support: e.g., if you are connected to the Internet via WinGate (firewall type 3) and your proxy machine (which runs WinGate) is connected via Slirp (which is also a proxy), you'll need to set firewall-type=3 and use-PASV-mode=yes.
fwbug1 | There exists a firewall which is of type 3 but does not want the USER keyword on login. Set fwbug1 to "yes" for it.
Starting with version 1.51, firewall support can be switched on/off on-the-fly.
For example, you can browse a remote site directly, then switch on the Squid proxy
and start a long download via it (browsing via Squid is slower than working
directly because Squid will establish a new connection for every directory listing).
You can't configure several firewalls at
once; NFTP supports only one firewall at a time (or no firewall at all).
However, you can turn on passive mode together with enabling a firewall of type 1-4.
Starting with version 1.60 (not available yet), passive mode is set via the
"Options|Passive mode" menu entry.
Therefore you can turn it on/off on-the-fly, without editing nftp.ini.
use-PASV-mode is now obsolete and does not work.
Below are the firewall types supported by NFTP and configuration-specific notes.

1. SITE hostname
   Firewall host, userid and password are required.
   The user is logged on to the firewall and the remote connection is
   established using
       SITE remote_host

2. USER after logon
   Firewall host, userid and password are required.
   The user is logged on to the firewall and the remote connection is
   established using
       USER remote_userid@remote_host

3. USER with no logon
   Firewall host required; userid and password are not needed.
       USER remote_userid@remote_host
   is sent to the firewall upon initial connection. This is a quite popular
   type of firewall (examples are DeleGate, WinGate, IGate).

4. Proxy OPEN
   Firewall host required; userid and password are ignored.
       OPEN remote_host
   is sent to the firewall upon initial connection.

5. HTTP proxy (Squid)
   Currently, only Squid and the Netscape SuiteSpot server
   are supported. You have to specify firewall-host
   and port (typically 3128 for Squid). Both Squid 1.x and 2.x are supported;
   my tests were done on 1.1.22 and 2.1-RELEASE. For best results it is
   recommended (but of course not necessary) to apply a patch to the Squid sources
   before compiling it. The patch is available from
   ftp://ftp.ayukov.com/pub/nftp;
   instructions are inside. It will force Squid to report file sizes in bytes
   for NFTP instead of kilobytes; this makes file sizes in NFTP precise instead
   of rounded. Restarting transfers through Squid is not yet supported, and
   some features are not available via Squid; these include making
   directories, renaming and deleting files. Uploading and authentication are
   supported since NFTP version 1.60.
   All transfers are made in binary mode.
   With Squid, there's no such thing as a 'permanent connection to the server', and
   you can't verify connection aliveness or send verbatim commands to the server.

6. Check Point FireWall-1 Secure FTP server
   The connection is made by sending
       USER remote_userid@firewall_userid@remote_host
       PASS remote_password@firewall_password
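To make the [firewalling] settings and the per-type control-channel dialogs above concrete, here is an added example (not NFTP's own code) that reads a constructed [firewalling] section with the defaults the table gives, produces the FTP command lines a client would send for types 0-4 and 6, and checks that an nftp.ini holding firewall-password is readable only by its owner. Assumptions: the sample hostnames and credentials are made up, and each proxy handshake is assumed to be followed by the ordinary remote USER/PASS, which the list above does not spell out.

```python
import configparser
import stat

# Constructed sample of an NFTP.INI [firewalling] section; not a real config.
SAMPLE_INI = """
[firewalling]
firewall-type=2
firewall-host=fw.example.test
firewall-login=fwuser
firewall-password=fwsecret
"""

def parse_firewalling(ini_text):
    """Read the [firewalling] keys, applying the documented defaults (type 0, port 21)."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    s = cp["firewalling"]
    fw = {"type": s.getint("firewall-type", fallback=0),
          "host": s.get("firewall-host", fallback=""),
          "login": s.get("firewall-login", fallback=""),
          "password": s.get("firewall-password", fallback=""),
          "port": s.getint("firewall-port", fallback=21)}
    # The table says login/password are only needed for types 1 and 2.
    if fw["type"] in (1, 2) and not (fw["login"] and fw["password"]):
        raise ValueError("firewall types 1 and 2 need firewall-login and firewall-password")
    return fw

def login_sequence(fw, rhost, ruser, rpass):
    """Return (host to connect to, port, control-channel lines) for types 0-4 and 6.
    Type 5 (HTTP proxy) has no FTP control dialog, so it raises ValueError.
    Assumption: the remote USER/PASS follows the SITE/OPEN/firewall-logon handshake."""
    t = fw["type"]
    if t == 0:                       # no firewall: talk to the remote server directly
        return rhost, 21, [f"USER {ruser}", f"PASS {rpass}"]
    fw_logon = [f"USER {fw['login']}", f"PASS {fw['password']}"]
    remote = [f"USER {ruser}", f"PASS {rpass}"]
    seqs = {
        1: fw_logon + [f"SITE {rhost}"] + remote,                  # SITE hostname
        2: fw_logon + [f"USER {ruser}@{rhost}", f"PASS {rpass}"],  # USER after logon
        3: [f"USER {ruser}@{rhost}", f"PASS {rpass}"],             # USER with no logon
        4: [f"OPEN {rhost}"] + remote,                             # Proxy OPEN
        6: [f"USER {ruser}@{fw['login']}@{rhost}",                 # Check Point FireWall-1
            f"PASS {rpass}@{fw['password']}"],
    }
    if t not in seqs:
        raise ValueError(f"no FTP control dialog for firewall-type {t}")
    return fw["host"], fw["port"], seqs[t]

def ini_mode_is_private(mode):
    """True when a file mode (e.g. os.stat(path).st_mode) grants no group/other access,
    which is what the firewall-password note asks for."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0

if __name__ == "__main__":
    fw = parse_firewalling(SAMPLE_INI)
    host, port, cmds = login_sequence(fw, "ftp.example.test", "anonymous", "user@example.test")
    print(f"connect to {host}:{port}", *cmds, sep="\n")
```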
Working through SOCKS
NFTP does not yet have built-in SOCKS support. On OS/2, you can use the system-wide
SOCKS support which is available since OS/2 version 4.0. Set it up in the TCP/IP
configuration notebook
and NFTP will automagically work with it. Under Windows,
SocksCap is reported to
work fine as a system-wide SOCKS layer. Another free SOCKS package is
available
from Hummingbird. Under Unix and BeOS, SOCKS is not yet
supported. It has been reported that runsocks (a Unix SOCKSifier) works
with NFTP.