SafeTP is (was?) "a revolutionary new security application for Windows and UNIX users who use FTP (File Transfer Protocol) to connect to their accounts on UNIX or NT/2000 FTP servers." Basically, SafeTP tunnels FTP control and data channels over a secure channel. (Similar to SSH, but it is a different protocol!) I'm not sure if anyone still supports it, but I know a couple people out there still run it.

The basic problem is that any SafeTP client can get the SafeTP server to cough up an internal IP address if passive mode transfers are required in a NAT environment. For example, check out the "227 Entering Passive Mode (10,7,34,85,5,133)" entry in the log below. (169.229.60.94 is the public/external IP address - 10.7.34.85 is the internal IP address.)

D:\OSOmissions\snort\rules>ftps safetp.nowhere.com
220-SafeTP: Negotiating FTP connection...
220-safetp.nowhere.com X2 WS_FTP Server 3.1.0 (1506847632)
220-Changed to Protect the Innocent
220-safetp.nowhere.com X2 WS_FTP Server 3.1.0 (1506847632)
220-*** This server can accept secure (encrypted) connections. ***
220-*** See http://safetp.cs.berkeley.edu for info. ***
220 SafeTP: Control channel secure: X-SafeTP1. Data channel secure. PBSZ=32801b
Connected to safetp.nowhere.com.
User: SomeUser
331 Password required
Password: *********
230-user logged in
230-Hello Some User. Welcome to the SafeTP File Transfer System!
230 user logged in
ftp> ls
200 PORT command ok.
Timed out waiting for connection from server.
ftp> passive
Passive mode On .
ftp> ls
425 Failed to connect to 192.168.3.162, port 3303: connect: Connection timed out (code 10060)
ftp> passive
Draining: 510 Assertion failed: ftpd reply: 150 Opening ASCII data connection for directory listing
Draining: 227 Entering Passive Mode (10,7,34,85,5,133).
Passive mode Off .
ftp> put tendot.txt
227 Entering passive mode (169,229,60,94,156,186).
150 Opening ASCII data connection for tendot.txt
226 transfer complete
ftp: 1094 bytes sent in 0.98Seconds 1.09Kbytes/sec.
ftp> quit
221-Good-Bye
221-Goodbye Some User. Thank you for visiting the SafeTP File Transfer System!
221 Good-Bye

I'm not 100% sure of this, but SafeTP is probably interpreting FTP commands as they go by (as do most NAT devices these days) and changing internal IPs into external IPs. (I think this occurs if you invoke the server daemon with the "-i" flag?). It looks like if you can stack the message queues just right, you can get SafeTP to forget to do NAT.

Although this bug appears to be mostly harmless, there may be applications for it more devious minds can figure out...

* * *

Vendor Notification: I sent email messages to all the listed support contacts (Dan Bonachea - Windows software - bonachea@cs.berkeley.edu and Scott McPeak - UNIX software - smcpeak@cs.berkeley.edu), and asked another long-time user to do the same. Neither of us got any response after a few weeks.

-jgl
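
Added example (not part of the original post and not SafeTP code): a Python check that an administrator could run over captured client-side FTP session logs to spot 227 replies that advertise a non-public address instead of the server's expected public one. The function names parse_pasv and find_leaks are hypothetical; the sample lines and the public address are taken from the session log above.

```python
import ipaddress
import re

# RFC 959 PASV reply: "227 ... (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"\b227\b[^(]*\(" + ",".join([r"(\d{1,3})"] * 6) + r"\)")

def parse_pasv(line):
    """Return (IPv4Address, port) for a 227 reply line, or None."""
    m = PASV_RE.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet, not a valid PASV tuple
    host = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    return host, nums[4] * 256 + nums[5]

def find_leaks(log_lines, public_ip):
    """List (line number, address, port) for each 227 reply that
    advertises a private address instead of the expected public one."""
    expected = ipaddress.IPv4Address(public_ip)
    findings = []
    for lineno, line in enumerate(log_lines, 1):
        parsed = parse_pasv(line)
        if parsed is None:
            continue
        host, port = parsed
        # is_private covers RFC 1918 and other IANA special-purpose ranges
        if host != expected and host.is_private:
            findings.append((lineno, str(host), port))
    return findings

# Lines copied from the session log in the post above.
SESSION = [
    "ftp> passive",
    "Draining: 510 Assertion failed: ftpd reply: 150 Opening ASCII data",
    "Draining: 227 Entering Passive Mode (10,7,34,85,5,133).",
    "Passive mode Off .",
    "ftp> put tendot.txt",
    "227 Entering passive mode (169,229,60,94,156,186).",
]

if __name__ == "__main__":
    for lineno, host, port in find_leaks(SESSION, "169.229.60.94"):
        print(f"line {lineno}: 227 reply exposes internal {host}:{port}")
```

Only 227 replies are examined; addresses that appear in other messages, such as the 425 error in the log, are not checked.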