You didn't list what rules (if any) you have applied to the public IP
you're bidir'ing on the outside.

You didn't mention that you're allowing port 21 traffic to get to the
inside ftp server.

In your description, it sounds like you're putting the ftp server
'inside' a filewall, and connecting with clients from outside? 

1) Hopefully you don't expect random clients to know they have to use
PASV. (i.e. this is for a 'private' ftp server, right?)

2) How is it failing? Connect, ls, and fail on get? Or fail to connect?

							David


On Mon, Aug 06, 2001 at 12:37:25AM -0400, Brian Hechinger wrote:
> ok, i'm having a difficult time getting this working.  i've got an ftp server
> sitting behind an IPFILTER box.
> 
> i've got this rule:
> 
> pass in quick proto tcp from any to 192.168.1.2/32 port 49152 >< 65535 flags S keep state
> 
> 192.168.1.2 is a bimap to a public address.
> 
> and if i look on my ftp server (1.5.1 on an alpha) i see:
> 
> $ /sbin/sysctl -a | grep port
> net.inet.ip.anonportmin = 49152
> net.inet.ip.anonportmax = 65535
> 
> and i'm using stock NetBSD ftpd.  for some reason though passive ftp from the
> outside still doesn't work.
> 
> am i overlooking something?
> 
> -brian

-- 
David Maxwell, david@vex.net|david@maxwell.net --> Mastery of UNIX, like
mastery of language, offers real freedom. The price of freedom is always dear,
but there's no substitute. Personally, I'd rather pay for my freedom than live
in a bitmapped, pop-up-happy dungeon like NT. - Thomas Scoville