On 07/14/2005 09:42:49 PM, [EMAIL PROTECTED] wrote:
In my configuration there is a problem providing publicly-accessible anonymous FTP service.

In particular, my public FTP address is advertised to be at .197, and the rules are configured for ftpd to answer requests on that address. General outgoing NAT is mapped to .199 with this command:

    nat on $ext_if1 from $lan_net to any -> a.b.c.199

Control connections work fine. But when ftpd attempts to make a data connection with the client, the source address is mapped to .199. If there was a NAT option to qualify by user or service I might be able to make a new NAT rule that would translate to the proper address first.

Any suggestions as to how to configure this behaviour in a workable arrangement?
How about

    no nat on $ext_if1 from a.b.c.197 to any
    nat on $ext_if1 from $lan_net to any

Otherwise, you need to use ftp-proxy(8) so that the ftp control connection payloads get mangled "in sync" with the natting you've got going on. You can't just nat ftp because the control connection tells the client what ports are used, at least with active ftp which is probably where you've got problems. IIRC.
Karl <[EMAIL PROTECTED]>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
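The fragment below is an added example, not configuration from Karl or the original poster. It puts Karl's "no nat" exception into a complete pf.conf NAT section in the pre-OpenBSD 4.7 syntax the thread uses, and goes one step beyond the reply: where ftpd runs on an internal host rather than on the firewall, the server's outbound data connections are given the advertised .197 address by a more specific nat rule placed before the general one (pf evaluates NAT rules first-match). Interface names, the 192.168.1.0/24 LAN, the 192.168.1.10 server and the filter rules are assumptions; a.b.c.197 and a.b.c.199 are the post's own placeholders.

```pf
# Added example (not from the thread): pf.conf NAT/rdr fragment, old syntax.
# Assumed values: fxp0/fxp1 interfaces, 192.168.1.0/24 LAN, ftpd on the
# assumed internal host 192.168.1.10 behind a redirection of a.b.c.197:21.
ext_if1 = "fxp0"
int_if  = "fxp1"
lan_net = "192.168.1.0/24"
ftp_srv = "192.168.1.10"
ftp_pub = "a.b.c.197"
nat_pub = "a.b.c.199"

# NAT rules are first-match: exceptions and server-specific translations
# must appear before the general LAN rule or they never take effect.

# Karl's suggestion, for ftpd bound to .197 on the firewall itself:
# packets already sourced from the advertised address are left untranslated.
no nat on $ext_if1 from $ftp_pub to any

# Assumed extension for ftpd on the internal host: its outbound connections,
# including active-mode data connections from port 20, leave as .197.
nat on $ext_if1 from $ftp_srv to any -> $ftp_pub

# Everything else on the LAN is translated to .199, exactly as in the post.
nat on $ext_if1 from $lan_net to any -> $nat_pub

# Inbound control connections to the advertised address reach the server.
rdr on $ext_if1 proto tcp from any to $ftp_pub port 21 -> $ftp_srv port 21

# Filter rules (assumed). Translation happens before filtering, so the
# inbound rule sees the redirected internal address and the outbound rule
# sees the translated public source.
pass in  on $ext_if1 proto tcp from any to $ftp_srv port 21 flags S/SA keep state
pass out on $ext_if1 proto tcp from $ftp_pub port 20 to any flags S/SA keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` (parse only, no load), then confirm the order of the loaded translation rules with `pfctl -sn`: the .197 rules must be listed above the general .199 rule, otherwise the server's data connections will still appear from .199. Passive-mode transfers, where the client opens the data connection to the server, still need the advertised port range redirected to $ftp_srv or proxied with ftp-proxy(8), as Karl notes.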