Hi - I checked the list archive on this subject before posting, with no luck.

I've just set up a gateway box using masquerading to provide our local net with client access to the Internet, and using ipportfw to provide outside access to FTP and Web servers on the protected net. It's *mostly* working as expected, with one exception: When an external FTP client connected to the FTP server goes into passive mode, transfers (DIR, GET, ...) hang and time out. Apparently, the data transfer uses a socket that is not being forwarded/masqed properly.

After some spade-work, I now understand why it doesn't work. This is the same problem the ip_masq_ftp module solves for masqueraded clients, but in reverse. In my case it is the client that's out on the network, and the server that is masqed on my local network.

When the outside client requests PASV mode, the server replies "227 Entering Passive Mode (xxx,xxx,xxx,xxx,ppp,ppp)", where xxx.xxx.xxx.xxx is its unroutable local IP. The client then fails to connect to this IP/port (of course). So for this to work ip_masq_ftp (or something like it) needs to translate these response packets in *outgoing* traffic.

Looking at the code, ip_masq_ftp *does* seem to be checking for these response packets, but I think it is only seeing packets with a *destination* port of 21 (ftp). To handle the masqed FTP server's response to the client's PASV command, it would have to process outgoing packets whose *source* port is 21. Is this possible?

But if I understand correctly, I don't see why ip_masq_ftp is checking for PASV responses at all. They will never be sent to port 21, they will be sent to a 1024-65535 port selected by the client, so ip_masq_ftp can never see them.

I can't be the first one to try to set up an FTP server on a masqueraded host, surely. I must be missing something obvious...
- Fred Viles <mailto:[EMAIL PROTECTED]>
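
The reply rewrite the post describes, sketched in C as an added example (not part of the original message and not code from ip_masq_ftp). The function name `rewrite_pasv_reply`, the gateway address 203.0.113.5 and the forwarded port 40001 are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not taken from ip_masq_ftp: rewrite the host/port in a
 * masqueraded server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply
 * so the outside client is told the gateway's address and a forwarded port.
 * Returns the new length, or -1 if the reply is malformed or does not fit.
 * The length can change, so a real in-path rewriter must also account for
 * the shift in TCP sequence numbers (not shown here). */
int rewrite_pasv_reply(const char *in, const uint8_t gw_ip[4], uint16_t gw_port,
                       char *out, size_t outlen)
{
    unsigned v[6];
    int used = 0, n;
    const char *open;

    if (strncmp(in, "227 ", 4) != 0 || (open = strchr(in, '(')) == NULL)
        return -1;
    /* %n is only stored if the closing ')' matched, so used stays 0 otherwise */
    if (sscanf(open, "(%u,%u,%u,%u,%u,%u)%n", &v[0], &v[1], &v[2], &v[3],
               &v[4], &v[5], &used) != 6 || used == 0)
        return -1;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)          /* each field is one octet */
            return -1;

    /* keep the text before '(' and after ')' exactly as the server sent it */
    n = snprintf(out, outlen, "%.*s(%u,%u,%u,%u,%u,%u)%s", (int)(open - in), in,
                 (unsigned)gw_ip[0], (unsigned)gw_ip[1], (unsigned)gw_ip[2],
                 (unsigned)gw_ip[3], (unsigned)(gw_port >> 8),
                 (unsigned)(gw_port & 0xff), open + used);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    /* constructed sample: private server address, documentation-range gateway */
    const char *reply = "227 Entering Passive Mode (192,168,1,10,4,1)\r\n";
    const uint8_t gw[4] = {203, 0, 113, 5};
    char out[128];

    if (rewrite_pasv_reply(reply, gw, 40001, out, sizeof out) > 0)
        fputs(out, stdout);
    return 0;
}
```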
