Subject: Firewall, NAT and FTP
To: None <netbsd-users@netbsd.org>
From: Arto Huusko <arto.huusko@utu.fi>
List: netbsd-users
Date: 07/02/2001 17:21:51

Hi all,

What I'm trying to make work is an active ftp connection from behind
a firewall and NAT to ftp.sunet.se. And yes, the target machine is
important. I have my setup working very well, as it is. And active
FTP connections are working. But not to ftp.sunet.se.

After examining things and stuff for a while, I finally realised what
the trouble is (or what I think it is). Ftp.sunet.se resolves to
194.71.11.40. I set ipf to log blocked packets, and started an active
ftp connection to sunet. I logged in as anonymous (login works, nothing
after that) and witnessed the following line in ipmon output:

<timestamp> ne1 @0:3 b 194.71.11.20,21 -> <my-ip>,65516 PR tcp len 20 51717 -A IN

So the connection active ftp sends my way comes from a different
address.

Is that the actual problem?

And is there any solution to this?

Even if I disable my firewall, I still can't get connections from
NATted addresses. On the other hand, even with the firewall up,
active ftp works from the firewall box always.

-- 
Arto Huusko
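
Added example, not part of the original message: a small parser for ipmon lines like the one quoted above, which lists blocked inbound TCP packets from an FTP port and marks whether the source is the address the client connected to. The field layout follows ipmon(8); the timestamps, the 192.0.2.10 stand-in for <my-ip>, the second and third log lines and the function names are constructed for illustration.

```python
import re

# ipmon line layout (ipmon(8)): interface, @group:rule, action,
# src,port -> dst,port, "PR" protocol, "len" header-length total-length,
# TCP flags, direction.
IPMON_RE = re.compile(
    r"(?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>[A-Za-z]) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<iplen>\d+)"
    r"(?: -(?P<flags>[A-Z]+))?(?: (?P<dir>IN|OUT))?"
)

# Constructed sample log: line 1 mirrors the line in the post, with a constructed
# timestamp and 192.0.2.10 standing in for <my-ip>; lines 2-3 are invented.
SAMPLE_LOG = """\
07/02/2001 17:05:01.000001 ne1 @0:3 b 194.71.11.20,21 -> 192.0.2.10,65516 PR tcp len 20 51717 -A IN
07/02/2001 17:05:02.000001 ne1 @0:3 b 194.71.11.40,20 -> 192.0.2.10,65517 PR tcp len 20 60 -S IN
07/02/2001 17:05:03.000001 ne1 @0:1 p 192.0.2.10,65516 -> 194.71.11.40,21 PR tcp len 20 40 -A OUT
"""

def parse_ipmon(line):
    """Return the fields of one ipmon line as a dict, or None if it does not match."""
    m = IPMON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("group", "rule", "sport", "dport", "hlen", "iplen"):
        rec[key] = int(rec[key])
    return rec

def blocked_ftp_replies(log_text, connected_ip, ftp_ports=(20, 21)):
    """Blocked inbound TCP packets from an FTP port, tagged by whether the
    source is the address the client actually connected to."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_ipmon(line)
        if not rec or rec["action"] != "b" or rec["dir"] != "IN":
            continue
        if rec["proto"] != "tcp" or rec["sport"] not in ftp_ports:
            continue
        rec["source_matches"] = (rec["src"] == connected_ip)
        hits.append(rec)
    return hits

if __name__ == "__main__":
    for r in blocked_ftp_replies(SAMPLE_LOG, "194.71.11.40"):
        note = "same host" if r["source_matches"] else "DIFFERENT source address"
        print(f'rule @{r["group"]}:{r["rule"]} {r["src"]},{r["sport"]} '
              f'flags={r["flags"]} -> {note}')
```

The rule reference (@group:rule) in each hit identifies which ipf rule dropped the packet, and the flags field shows whether it was a new connection attempt (S) or a packet belonging to an existing exchange (A).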