I have a question regarding how to set up ftp (non-PASV) and IP MASQerading:

In order to masquerade incoming requests I normally use portfw (port forwarding). This of course necessitates a static mapping of external IP address/port to internal IP address/port. As ftp-data is also a client connection to an internal 'server' I have the following problem: my internal 'server' address changes (with each ftp connection). I therefore don't see how I can use MASQerading in this case.

My internal addresses are all private (192.16.0.0/24): I cannot use routing. IPCHAINS is not 'stateful', so it does not allow for dynamic creation of rules based on an open connection from 192.168.0.0/24 to a ftp server.

So: how do I enable ftp connections in an environment where I use private addresses?

For reference I include the relevant rules of my firewall (which passes ftp control but not ftp data, i.e. I can connect but do not receive any data, for example from ls etc.):

Chain input (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     tcp  !y----  !192.168.0.0/24       anywhere              ftp -> any
ACCEPT     tcp  ------  192.168.0.0/24        anywhere              any -> ftp
ACCEPT     tcp  ------  !192.168.0.0/24       anywhere              ftp-data -> any
ACCEPT     tcp  !y----  192.168.0.0/24        anywhere              any -> ftp-data

Chain forward (policy MASQ):
target     prot opt     source                destination           ports

Chain output (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     tcp  ------  $EXTERNAL_IP          anywhere              any -> ftp
ACCEPT     tcp  ------  $EXTERNAL_IP          anywhere              any -> ftp-data
ACCEPT     tcp  !y----  anywhere              192.168.0.0/24        ftp -> any
ACCEPT     tcp  ------  anywhere              anywhere              ftp-data -> any
ACCEPT     tcp  !y----  anywhere              anywhere              any -> ftp-data

Dr. Harry Behrens
Information Engineering
WintermuteTeknologies.com
e-mail: [EMAIL PROTECTED]
phone: +81.3.5489.7792
fax: +81.3.5489.7621
DoCoMo: 090.222.71520
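Added illustration, not part of the post above: the missing piece in the rules quoted is exactly the per-connection state the poster says ipchains cannot keep. In active (non-PASV) FTP the client sends a PORT command on the control channel naming the address and port it is listening on; the server then opens the data connection from its port 20 (ftp-data) to that address. A masquerading gateway has to read the PORT command, replace the private address with its own external address and a gateway port it picks, and remember that the next SYN from that server's port 20 to that gateway port belongs to the internal client. On the 2.2-era kernels that use ipchains this job is done by the ip_masq_ftp masquerading helper module. The Python model below is my own sketch of that logic; the addresses, the port range starting at 61000 and the sample PORT line are constructed, and the helper names are hypothetical.

```python
"""Model of what a masquerading FTP helper must track for active-mode FTP.

This is an illustrative sketch, not kernel code. All addresses, ports and
the sample PORT command are constructed for the example.
"""
import re
from ipaddress import ip_address, ip_network

PRIVATE_LAN = ip_network("192.168.0.0/24")   # the masqueraded internal network
FTP_DATA_PORT = 20                           # active-mode data connections come from here

# RFC 959 form: PORT h1,h2,h3,h4,p1,p2  (port = p1*256 + p2)
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")


def parse_port(cmd):
    """Decode a PORT command into (ip, port); raise ValueError if malformed."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a well-formed PORT command")
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        raise ValueError("field out of range")
    ip = ".".join(str(v) for v in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ip, port


def format_port(ip, port):
    """Encode (ip, port) back into the comma-separated PORT form."""
    return "PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port // 256, port % 256)


class MasqFtpHelper:
    """Per-gateway state: which inbound ftp-data SYNs are expected, and for whom."""

    def __init__(self, external_ip, lan=PRIVATE_LAN, first_port=61000):
        self.external_ip = external_ip
        self.lan = lan
        self.next_port = first_port
        # (server_ip, gateway_port) -> (client_ip, client_port)
        self.expected = {}

    def rewrite_port(self, client_ip, server_ip, cmd):
        """Handle a client->server PORT line seen on the control channel.

        Returns (rewritten_line, gateway_port) and registers the expected
        data connection.  The advertised address must be the masqueraded
        client itself: a PORT naming any other host is refused rather than
        relayed, so the gateway never opens a hole for a third party.
        """
        ip, port = parse_port(cmd)
        if ip != client_ip or ip_address(client_ip) not in self.lan:
            raise ValueError("PORT address %s does not match client %s" % (ip, client_ip))
        gw_port = self.next_port
        self.next_port += 1
        self.expected[(server_ip, gw_port)] = (client_ip, port)
        return format_port(self.external_ip, gw_port), gw_port

    def inbound_data(self, src_ip, src_port, dst_port):
        """Decide what to do with a new SYN arriving at the gateway.

        Returns the internal (ip, port) to forward to, or None when no control
        channel announced this connection (the packet should then be dropped).
        The entry is consumed on use so it cannot be replayed.
        """
        if src_port != FTP_DATA_PORT:
            return None
        return self.expected.pop((src_ip, dst_port), None)


if __name__ == "__main__":
    gw = MasqFtpHelper("203.0.113.5")                       # constructed external address
    line, gw_port = gw.rewrite_port("192.168.0.10", "198.51.100.7",
                                    "PORT 192,168,0,10,4,1\r\n")  # client listens on 1025
    print("sent to server:", line.strip())                  # PORT 203,0,113,5,238,72
    print("forward SYN to:", gw.inbound_data("198.51.100.7", 20, gw_port))
    print("stray SYN     :", gw.inbound_data("198.51.100.9", 20, gw_port))
```

The point of the model is the dictionary in `MasqFtpHelper.expected`: that table is created by watching the control channel, which is why a static portfw mapping (or a static ftp-data ACCEPT rule, as in the chains quoted) can never stand in for it. The `inbound_data` check also shows what the gateway gains by keeping that state: only a SYN from the right server, from port 20, to the port the gateway itself handed out is forwarded, and only once.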
