Subject: Re: Network proxies; NAT
To: Frederick Bruckman <fredb@immanent.net>
From: Richard Rauch <rauch@rice.edu>
List: netbsd-help
Date: 12/06/2001 06:41:58

> It could be that the AAAA record is giving you problems. Do
> ftp4.netbsd.org and www4.netbsd.org work any better for you?

(In retrospect, that doesn't sound very probable, anyway...I _am_ able to
connect to the site. It just hangs, e.g., with ftp at the ``230-\n''
response. I don't understand exactly what the AAAA record is, but it
looks like a dns lookup request from tcpdump. If that's all that it is,
then that's not really the (main?) problem.)

From watching tcpdump on both machines (hermes running ftp, and prometheus
running ipnat/ipf), it appears that the ftp server is trying to send some
kind of further message, but it never makes it to the client.
E.g.:

06:14:11.832050 ftp.netbsd.org.ftp > adsl-65-66-216-178.dsl.hstntx.swbell.net.65302: . ack 38 win 33580 <nop,nop,timestamp 2012901 29433> [tos 0x10]
06:14:15.207638 ftp.netbsd.org.ftp > adsl-65-66-216-178.dsl.hstntx.swbell.net.65302: . 117:1077(960) ack 38 win 33580 <nop,nop,timestamp 2012907 29433> (frag 35209:992@0+) [tos 0x10]
06:14:15.210749 ftp.netbsd.org > adsl-65-66-216-178.dsl.hstntx.swbell.net: (frag 35209:488@992) [tos 0x10]

...is it significant that the incoming message is (as I understand it)
being put on port 65302? ipnat is only mapping 40000:60000 to hermes.
Those 65302 messages don't seem to make it to the ftp client.

(Most of what I take to be port numbers in tcpdumps on my gateway's
interface are just a little bigger than 40000, as I would expect. The
65??? numbers bother me a little. (I tried rewriting my ipnat.conf and
reloading the rules to map 40000:65535 to hermes, with no discernable
change.))
``I probably don't know what I'm talking about.'' --rauch@math.rice.edu
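
An added example, not part of the original message: a small Python parser for the three tcpdump lines quoted above. It lists destination ports that fall outside a given map range and checks whether each fragment set in the capture is complete. It assumes the legacy tcpdump notation `(frag id:size@offset+)`, where a trailing `+` means more fragments follow; the function names are hypothetical.

```python
import re
from collections import defaultdict

# The three capture lines quoted in the message, mail line-wrapping undone.
CAPTURE = [
    "06:14:11.832050 ftp.netbsd.org.ftp > adsl-65-66-216-178.dsl.hstntx.swbell.net.65302: . ack 38 win 33580 <nop,nop,timestamp 2012901 29433> [tos 0x10]",
    "06:14:15.207638 ftp.netbsd.org.ftp > adsl-65-66-216-178.dsl.hstntx.swbell.net.65302: . 117:1077(960) ack 38 win 33580 <nop,nop,timestamp 2012907 29433> (frag 35209:992@0+) [tos 0x10]",
    "06:14:15.210749 ftp.netbsd.org > adsl-65-66-216-178.dsl.hstntx.swbell.net: (frag 35209:488@992) [tos 0x10]",
]

# Assumption: hostnames are resolved (no -n), so a numeric last label is a port.
HOSTS = re.compile(r"^\S+ (\S+) > (\S+?):")
# Legacy tcpdump fragment notation: (frag id:size@offset), "+" = more follow.
FRAG = re.compile(r"\(frag (\d+):(\d+)@(\d+)(\+?)\)")

def parse(line):
    """Return destination port (None if tcpdump printed none) and fragment info."""
    dst = HOSTS.match(line).group(2)
    last = dst.rsplit(".", 1)[-1]
    rec = {"dst_port": int(last) if last.isdigit() else None, "frag": None}
    m = FRAG.search(line)
    if m:
        fid, size, off, more = m.groups()
        rec["frag"] = (int(fid), int(off), int(size), more == "+")
    return rec

def outside_map(records, lo, hi):
    """Destination ports seen in the capture that fall outside lo..hi."""
    return sorted({r["dst_port"] for r in records
                   if r["dst_port"] is not None and not lo <= r["dst_port"] <= hi})

def fragment_sets(records):
    """Per fragment id: (total bytes, set complete, fragments printed without a port)."""
    groups = defaultdict(list)
    for r in records:
        if r["frag"]:
            groups[r["frag"][0]].append((r["frag"][1:], r["dst_port"]))
    out = {}
    for fid, parts in groups.items():
        parts.sort(key=lambda p: p[0][0])          # order by fragment offset
        end, contiguous = 0, True
        for (off, size, _more), _port in parts:
            contiguous = contiguous and off == end  # no gap or overlap
            end = off + size
        complete = contiguous and not parts[-1][0][2]  # last piece has no "+"
        out[fid] = (end, complete, sum(1 for _, p in parts if p is None))
    return out

RECORDS = [parse(line) for line in CAPTURE]
if __name__ == "__main__":
    print(outside_map(RECORDS, 40000, 60000), fragment_sets(RECORDS))
```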