For example, my own cable provider: the default gateway is 82.x.x.1 with mac 0:0:5e:0:1:2a (that's in my arp table).

zigzag$ sudo tcpdump -i fxp0 -env tcp and port 21 and \( tcp[13] = 2 or tcp[13] = 18 \)
tcpdump: listening on fxp0
01:03:25.793122 0:90:27:d6:26:14 0:0:5e:0:1:2a 0800 78: 82.x.x.x.18768 > 194.109.21.26.21: S
                                 ^^^^^^^^^^^^^
01:03:25.805642 0:f:8f:7e:de:0 0:90:27:d6:26:14 0800 74: 194.109.21.26.21 > 82.x.x.x.18768: S <snip> ack
                ^^^^^^^^^^^^^^


This is what I got:

[EMAIL PROTECTED] (/opt/pf/) 457> tcpdump -i fxp0 -env 'tcp and port 21 and ( tcp[13] = 2 or tcp[13] = 18)'
tcpdump: listening on fxp0
01:29:17.171159 0:4:de:51:b8:ff 0:7:e9:d4:a4:51 0800 74: 68.109.79.179.33205 > 199.165.161.6.21: S
01:29:17.172320 0:7:e9:d4:a4:51 0:0:c:7:ac:0 0800 74: 199.165.161.6.21 > 68.109.79.179.33205: S


I'm not familiar enough with "tcp[13]" but that's all I see - I don't see any more of the ftp session. However, with a 'tcpdump host 68.109.79.179', I see much more.

I'll probably remove the layer-2 spoof prevention from the next release,
for this reason (contact me if you'd like to try it sooner).

I'm game to try. If that doesn't fix it, I'll end up running an instance of ftpsesame for each inside interface that has an FTP server.
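
Added example, not part of the original thread and not ftpsesame code: it decodes the tcp[13] values used in the filter and compares the MAC pair of each SYN with the MAC pair of its reply, using the capture lines quoted above. The strict "reply must mirror the SYN's MAC pair" rule and all function names are assumptions made for illustration; the VRRP and HSRP virtual-MAC prefixes are the standard ones.

```python
import re

# Capture lines copied from the two `tcpdump -e` outputs quoted in the thread.
CAPTURE = """\
01:03:25.793122 0:90:27:d6:26:14 0:0:5e:0:1:2a 0800 78: 82.x.x.x.18768 > 194.109.21.26.21: S
01:03:25.805642 0:f:8f:7e:de:0 0:90:27:d6:26:14 0800 74: 194.109.21.26.21 > 82.x.x.x.18768: S <snip> ack
01:29:17.171159 0:4:de:51:b8:ff 0:7:e9:d4:a4:51 0800 74: 68.109.79.179.33205 > 199.165.161.6.21: S
01:29:17.172320 0:7:e9:d4:a4:51 0:0:c:7:ac:0 0800 74: 199.165.161.6.21 > 68.109.79.179.33205: S
"""

FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
# First-hop redundancy virtual MAC prefixes, in tcpdump's unpadded notation.
VIRTUAL_MAC = {"0:0:5e:0:1:": "VRRP", "0:0:c:7:ac:": "HSRP"}
LINE = re.compile(r"^\S+ (?P<smac>[0-9a-f:]+) (?P<dmac>[0-9a-f:]+) 0800 \d+: "
                  r"(?P<src>\S+) > (?P<dst>\S+): S")

def decode_flags(byte13):
    """Name the bits set in tcp[13], the TCP flags byte (2 = SYN, 18 = SYN+ACK)."""
    return [name for bit, name in FLAG_BITS.items() if byte13 & bit]

def virtual_kind(mac):
    """Return 'VRRP' or 'HSRP' if the MAC is a router-redundancy virtual MAC."""
    return next((k for p, k in VIRTUAL_MAC.items() if mac.startswith(p)), None)

def l2_mismatches(text):
    """Pair each SYN with the reply on the reversed endpoints and compare MACs."""
    syns, findings = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        smac, dmac, src, dst = m.group("smac", "dmac", "src", "dst")
        if (dst, src) not in syns:          # first packet of the pair: the SYN
            syns[(src, dst)] = (smac, dmac)
            continue
        syn_smac, syn_dmac = syns.pop((dst, src))
        # Hypothetical strict layer-2 rule: the reply must mirror the SYN's MACs.
        if (smac, dmac) != (syn_dmac, syn_smac):
            findings.append({"client": dst,
                             "syn": (syn_smac, syn_dmac),
                             "reply": (smac, dmac),
                             "virtual": virtual_kind(syn_dmac) or virtual_kind(dmac)})
    return findings

if __name__ == "__main__":
    for f in l2_mismatches(CAPTURE):
        print(f)
```

Both captures fail the mirror rule because a virtual router MAC appears in one direction only, so a check of this kind treats a legitimate reply as spoofed.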
