Fuzzy Fox wrote:

> In normal port-mode FTP, the client asks the server to make a connection
> back to it, on a port chosen by the client, in some high-port range.
>
> In passive FTP, the client asks the server for a random port number that
> it should make a connection to, and then connects to that port on the
> server.

Thanks a lot for the clarification.

> Your particular forward ruleset is too restrictive, and is denying the
> outbound connection that your masq'd client is trying to make. The
> client asked the server for a port, using the PASV command, and the
> server responded that the client should connect to it on port 4284
> (randomly chosen). Your client then attempted that connection, and was
> denied by your masq firewall.
>
> In order for a PASV connection to succeed, you must allow outbound
> connections between any random ports 1024:65535 going from your client
> to a remote server.

That's the point! I was trying to set up a firewall with pretty restrictive IP filtering and IP masquerading. But now it appears to me that passive FTP completely undermines my efforts.

Is there a way to get around this problem, e.g. setting up a loose forward rule but more strict in and out rules? (I tried the other way round: loose rules for in and out but strict forward rules.)

Gerd
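The exchange above boils down to one mechanic: the server picks the data port at run time and announces it in the `227` reply to PASV, so a static forward rule can only permit the data connection by opening the whole high range. The following script, added here as an illustration and not part of the original thread, parses a constructed `227` reply into the host and port the client will dial (the `p1*256 + p2` encoding used by FTP), then checks that port against two hypothetical outbound policies: the restrictive one Gerd describes and the loose `1024:65535` range Fuzzy Fox says is required. It also flags a reply whose advertised address differs from the control-connection peer, a check a cautious client or proxy can make before dialing.

```python
import re

# Matches the address/port tuple in an FTP "227 Entering Passive Mode" reply.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) announced by a PASV reply, validating each field."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % reply)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = fields
    host = "%d.%d.%d.%d" % (h1, h2, h3, h4)
    port = p1 * 256 + p2          # FTP encodes the 16-bit port as two octets
    if port == 0:
        raise ValueError("PASV reply announced port 0")
    return host, port


def data_connection_allowed(port, allowed_ranges):
    """True if an outbound connection to `port` is permitted by a policy
    expressed as a list of inclusive (low, high) destination-port ranges."""
    return any(lo <= port <= hi for lo, hi in allowed_ranges)


def pasv_matches_peer(reply, control_peer_ip):
    """Defensive check: the PASV address should be the server we are already
    talking to on the control channel; anything else is suspicious."""
    host, _ = parse_pasv(reply)
    return host == control_peer_ip


# Hypothetical policies (constructed for this example, not Gerd's real rules).
STRICT_POLICY = [(21, 21), (80, 80), (443, 443)]     # only well-known services
LOOSE_POLICY = [(21, 21), (1024, 65535)]             # what PASV actually needs

# Constructed sample reply; 16*256 + 188 = 4284, the port quoted in the thread.
SAMPLE_REPLY = "227 Entering Passive Mode (192,0,2,10,16,188)"


def evaluate(reply, control_peer_ip, policy):
    """Summarise whether the data connection announced by `reply` would pass."""
    host, port = parse_pasv(reply)
    return {
        "host": host,
        "port": port,
        "address_matches_peer": pasv_matches_peer(reply, control_peer_ip),
        "allowed_by_policy": data_connection_allowed(port, policy),
    }


if __name__ == "__main__":
    for name, policy in (("strict", STRICT_POLICY), ("loose", LOOSE_POLICY)):
        result = evaluate(SAMPLE_REPLY, "192.0.2.10", policy)
        print(name, result)
```

Running it shows the strict policy rejecting the data connection to 4284 while the loose policy accepts it; since a different session would announce a different port, no narrower static range is guaranteed to work, which is exactly the tension the thread describes.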