|
Example Network Topology:
FTP Client ---- FTP Proxy ---- Internet ---- 3.64.X.X (Firewall DNAT to 172.20.16.19) ---- FTP Server
Root Cause:
The issue arises during the FTP Passive (PASV) mode handshake. The server sends its local IP (172.20.16.19) in the 'PASV_reply' message instead of the external IP (3.64.X.X). The WAD tries to open a pinhole to this local IP, not to the public IP, resulting in connection failure.
Diagnostic:
[V] wad_ftp_pasv_reply_handler :1244 offer_ip=172.20.16.19 offer_port=59510
[I] __wad_ftp_session_proc_reply :722 forwarded reply to client: ftp cmd=PASV, reply code=227
The proxy forwards the server’s PASV reply to the client, which includes the local IP.
- Session and Pinhole Information.
Control session tuple: 10.5.135.136:13536 -> 3.64.X.X:21 vf 0 vrf 0
Expect session tuple: 10.5.135.136:0 -> 172.20.16.19:59502 (0.0.0.0:0) vf 0 vrf 0
Pinhole: TCP 10.5.135.136:0 -> 172.20.16.19:59501
The pinhole is opened to the local IP (172.20.16.19) instead of the external IP.
[I] wad_tcp_port_connect_with_fd :2261 TCP port=0x7f4a8a4ad568 sock=114 vrf=0 connecting 10.5.135.136:10392 -> 172.20.16.19:59500
The proxy attempts to connect to the local IP, leading to connection issues.
Why it is Working Without Proxy:
When connecting directly without the use of FTP proxy, FTP clients such as WinSCP, automatically ignore the local IP provided in the PASV reply and connect to the public IP address instead. This behavior ensures successful communication.
|
