Chapter 8 – Frequently Asked Questions (FAQs)
Multi-Tech Systems, Inc. RouteFinderVPN RF760/660/600VPN User Guide (PN S000323D)
This rule allows the FTP server to make outgoing connections to clients, thus enabling the PORT command.
Any PASV_Range FTP_Server Allow
This rule allows connections from clients to the passive port range of the FTP server (needed to make passive mode work).
Add the DNAT rules. Go to Network Setup > DNAT and add the following definitions:
ASL_extern FTP_ALTControl FTP_Server FTP_ALTControl
ASL_extern PASV_Range FTP_Server PASV_Range
The RouteFinder setup is done. However, the FTP server does not know that it is placed behind a DNAT firewall, and thus will give out its 192.168.1.10 address when replying to a PASV command. In addition, we must tell it to use only the ports in our PASV_Range for passive connections.
Nearly all FTP servers have configuration options to set the IP and port range used for passive mode. In this case, with glftpd, these are the options:
pasv_addr 1.2.3.4 1
pasv_ports 3000 4000
See glftpd.docs for more info on those configuration options, or check the docs of your particular FTP server if you use another daemon.
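To confirm that the FTP server really follows these settings, the check below (an added example, not part of the original guide or of glftpd) parses a PASV reply and compares it with the translated address and PASV_Range used in this FAQ. The function names, the sample replies, and the assumption that both ends of the port range are usable are illustrative.

```python
import ipaddress
import re

# Values from the FAQ's example setup (pasv_addr / pasv_ports).
EXTERNAL_ADDR = ipaddress.ip_address("1.2.3.4")
PASV_PORTS = range(3000, 4001)  # assumption: both ends of the range are usable

_PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")


def parse_pasv(reply):
    """Return (address, port) from a '227 ... (h1,h2,h3,h4,p1,p2)' reply."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a passive-mode reply: {reply!r}")
    nums = [int(n) for n in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        raise ValueError(f"field out of range in: {reply!r}")
    addr = ipaddress.ip_address(".".join(map(str, nums[:4])))
    return addr, nums[4] * 256 + nums[5]


def check_pasv(reply, external=EXTERNAL_ADDR, ports=PASV_PORTS):
    """Return a list of problems; an empty list means the reply fits the DNAT setup."""
    addr, port = parse_pasv(reply)
    problems = []
    if addr.is_private:
        problems.append(f"internal address {addr} leaked; set pasv_addr to {external}")
    elif addr != external:
        problems.append(f"address {addr} is not the translated address {external}")
    if port not in ports:
        problems.append(f"port {port} is outside PASV_Range {ports.start}-{ports.stop - 1}")
    return problems


if __name__ == "__main__":
    # Constructed sample replies, not captured from a real server.
    samples = [
        "227 Entering Passive Mode (192,168,1,10,11,184)",  # unconfigured server
        "227 Entering Passive Mode (1,2,3,4,15,160)",       # pasv_addr/pasv_ports set
        "227 Entering Passive Mode (1,2,3,4,195,80)",       # port range not applied
    ]
    for s in samples:
        print(s, "->", check_pasv(s) or "OK")
```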
Q24. Do I need to add routes for my connected networks?
A24.
No, you never have to add routes for networks in which your RouteFinder is a member. These so-called "Interface Routes" are automatically added by the RouteFinder itself.
Q25. I have DNAT set up but I cannot connect to the translated services. What's up?
A25.
You may need to set packet filter rules to allow the traffic. When using DNAT, you must allow the traffic according to the characteristics BEFORE the translation.
For example: If you translate 1.2.3.4:80 into 192.168.1.10:80, you must allow Any->1.2.3.4 port 80 TCP (http).
When using SNAT, you must allow the traffic according to the characteristics after the translation. For example: If you translate SRC 192.168.10.1 into SRC 1.2.10.1, you must allow 1.2.10.1 -> any -> any.
(Note that these are examples only!)
Q26. What does SOCKS stand for?
A26.
SOCK-et-S was an internal development name that remained after release.
Q27. How is SOCKS V5 different from SOCKS V4?
A27.
SOCKS V4 does not support authentication and UDP proxy. SOCKS V5 supports a variety of authentication methods and UDP proxy.
Q28. Does SOCKS V5 work with SOCKS V4?
A28.
The SOCKS V5 protocol does not support the SOCKS V4 protocol.
Q29. Where can I get SOCKS?
A29.
SOCKS V4 implementation is available through anonymous ftp from ftp://ftp.nec.com:/pub/socks/. NEC's SOCKS V5
Both packages include clients for telnet, ftp, finger, and whois.
Other clients are available at ftp://ftp.nec.com:/pub/socks/
Q30. Are there any SOCKS-related mailing lists?
A30.
Yes, there are SOCKS-related mailing lists for socks, socks5, and sockscap. To join the SOCKS mailing list, send an email message to <[email protected]> with no subject line and a one-line body: subscribe <mailing-list>
Correspond with members of the list by sending email to: <mailing-list>@socks.nec.com.
All three mailing lists are archived at /mail/socks/, /mail/socks5/, and /mail/sockscap/.
Q31. Does SOCKS handle UDP?
A31.
SOCKS V5 does, SOCKS V4 does not. NEC's SOCKS V5 Reference Implementation includes a socksified archie client program that is a UDP application.
Q32. How does SOCKS interact with DNS?
A32.
For SOCKS version 4.2 and earlier, SOCKS V4 clients MUST resolve local and Internet host IP addresses. Configure DNS so that the SOCKS clients' resolver can resolve the addresses. Multiple DNS servers require special arrangements.
For the extended SOCKS version 4.3, SOCKS V4 clients can pass the unresolved addresses to the SOCKS V4 extended servers for resolution.
For SOCKS V5, the clients can pass unresolved host names to SOCKS V5 servers to resolve. SOCKS will work if the SOCKS V5 client or SOCKS V5 servers can resolve a host.