Subject: Re: ftp proxy working?
To: Bob Nestor <rnestor@augustmail.com>
From: Laine Stump <lainestump@rcn.com>
List: current-users
Date: 10/05/1999 02:24:17

At 08:14 PM 10/4/99 -0500, Bob Nestor wrote:
>Interesting and I'm not disputing the documentation or the recommendation.
> What has me confused is this is my setup, and it works:
>
>map sn0 192.168.1.1/28 -> 0.0.0.0/32 portmap tcp/udp 1025:65535
>map sn0 192.168.1.1/28 -> 0.0.0.0/32
>map sn0 192.168.1.1/28 -> 0.0.0.0/32 proxy port 21 ftp/tcp
>
>I got this off some documentation about a year ago when I set my system 
>up and it has never given me a problem.  Obviously the 0.0.0.0 IP address 
>is dynamically updated when my link comes up.  The only difference I see 
>between my setup and the non-working one is the tcp/udp port range.  
>Could this be causing a problem?

Are you sure that you're 1) testing from a machine *behind* the NAT box
(not the NAT box itself), and 2) the FTP client on that box is using
non-passive ftp? If the answer to either of these is false, then you aren't
really testing the ftpproxy stuff - normal "dumb" NAT can handle passive
ftp with no extra help needed. 

I have a machine loaded with NetBSD about a year old, and its ftp proxy
doesn't work with *either* ordering. I recall hearing that ftpproxy was
broken in IPFilter around that time (and has been fixed since) so I never
actually expected it to work, but it hasn't been important enough to
upgrade the machine yet, as I mostly use ftp clients on the NetBSD box
itself rather than on the machines on the backside network.
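
An added illustration (not part of the original message, and not IPFilter's code): a minimal Python model of why active FTP needs a proxy behind NAT while passive FTP does not. The addresses 192.168.1.2 and 203.0.113.5, the starting port 40000, and the class and function names are constructed for the example.

```python
import re

# Active FTP: the client announces its data endpoint inside the control stream
# as "PORT h1,h2,h3,h4,p1,p2". Plain NAT rewrites IP headers only, so the
# server would be told to connect back to an unroutable private address.
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

def parse_port(line):
    """Return (ip, port) advertised by a PORT command, or None for other lines."""
    m = PORT_RE.match(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        raise ValueError("octet out of range in PORT command")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def build_port(ip, port):
    return "PORT {},{},{}\r\n".format(ip.replace(".", ","), port >> 8, port & 0xFF)

class FtpNatProxy:
    """Model of the payload rewrite an FTP NAT helper performs (hypothetical class)."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.data_maps = {}  # public port -> (internal ip, internal port)

    def outbound(self, src_ip, line):
        parsed = parse_port(line)
        if parsed is None:
            return line  # PASV, USER, ... need no payload rewrite
        ip, port = parsed
        if ip != src_ip:
            # Only map back to the host that owns the control connection.
            raise ValueError("PORT address differs from control connection source")
        pub_port = self.next_port
        self.next_port += 1
        self.data_maps[pub_port] = (ip, port)  # inbound data connection goes here
        # The rewritten line may differ in length, so a real helper must also
        # adjust TCP sequence/ack numbers for the rest of the control connection.
        return build_port(self.public_ip, pub_port)

if __name__ == "__main__":
    proxy = FtpNatProxy("203.0.113.5")          # constructed public address
    sent = "PORT 192,168,1,2,4,210\r\n"         # constructed client line
    print(repr(sent), "->", repr(proxy.outbound("192.168.1.2", sent)))
    print(repr(proxy.outbound("192.168.1.2", "PASV\r\n")), proxy.data_maps)
```

With passive FTP the client opens the data connection outward, so an ordinary `map` rule handles it and the rewrite path above is never exercised, which is why a passive-mode test says nothing about whether the proxy rule works.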