Subject: Re: Passive FTP through a filewall
To: Brian Hechinger <>
From: Todd Vierling <>
List: netbsd-users
Date: 08/09/2001 17:13:44
On Mon, 6 Aug 2001, Brian Hechinger wrote:

: ok, i'm having a difficult time getting this working.  i've got an ftp server
: sitting behind an IPFILTER box.

...From the way you're talking about it, it sounds like you have the FTP
server *inside* a NAT'ed network.  This is tricky business.

: and i'm using stock NetBSD ftpd.  for some reason though passive ftp from the
: outside still doesn't work.

ipf does not currently support this for passive inbound FTP (which is the
contrapositive of active outbound FTP - you're expecting the data connection
to be initiated *from the outside*).

A bimap is not enough; even if it equates an entire set of ports, you still
have the IP address to worry about.  The problem is that PASV responses
(just like PORT requests) contain an IP address, determined from
getsockname() on the control connection.

    227 Entering Passive Mode (204,152,184,75,203,199)

ipf has a hack that will auto-translate this for the "PORT" request of
active outbound FTP ("proxy port ftp" option), but not for passive inbound

You have three options here:

* Disallow passive transfers (set "passive none" in /etc/ftpd.conf).  This
  causes you to violate the FTP spec, and will break many Web browsers that
  cannot retry with active.

* Run a SOCKS5-ified ftpd with a SOCKS5 server on the NAT router, so that
  listening sockets will actually be opened on the NAT router with proper IP
  and port numbers.  This has CPU usage implications on the NAT router.

* Write a "proxy port ftp-server" translator for ipf, or beg the ipf author
  to do this.  8-)

-- Todd Vierling <>  *  Wasabi NetBSD:  Run with it.
-- NetBSD 1.5 now available on CD-ROM  --