Subject: Re: Problem with Window 2000->IE 5.5->ftp://ftp.netbsd.org and IPF
To: Gerald C. Simmons <simmons@darykon.cet.com>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 11/27/2001 13:30:14
In message <200111271643.IAA00599@dakkon.darykon.cet.com>, "Gerald C. Simmons" 
writes:
>Has anyone run into this problem?
>
>I have a DSL link with an assigned IP subnet block from my ISP. I'm using a
>NetBSD machine as a router/firewall using IPF. I have the following machines
>as clients, Windows 2000, Windows NT 4.0, Windows ME, and Linux.
>
>I noticed recently, that when I use IE 5.5 on my Windows 2000 machine to go
>into ftp.netbsd.org via www.netbsd.org, something happens and the ftp packets
>back to my Windows 2000 machine get blocked.
>
>Nov 27 08:37:13 dakkon ipmon[141]: 08:37:12.496046
>  ep1 @0:2 b ftp.netbsd.org,59891 -> derenai.darykon.cet.com,1162 PR tcp len
>  20 60 -S IN 
>
>This actually hangs up IE 5.5 for about 3 minutes and it finally fails with a
>timeout error.
>
>This doesn't happen with my Windows NT 4.0 box, or any of the others.

I believe that the problem is that the Windows box is using PORT mode 
instead of PASV.  See RFC 1579 for details on the problem.  

You can reconfigure IE to use PASV mode.  I don't have IE 5.5 handy; on 
6.0, go to Tools|Internet Options|Advanced and check the box "Use 
Passive FTP (for firewall and DSL modem capability)" under "Browsing".

You could also allow calls in to (most) ports >1024.  I don't recommend 
that unless necessary.

Alternatively, use Netscape...

(Note:  ipnat.conf includes a proxy facility to handle PORT, but I 
don't know of any comparable mechanism in ipf.conf.  Is there one?)

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
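As an added illustration of the symptom in this thread (not code from the original posters): a small Python filter that parses ipmon records of the format quoted above and flags blocked inbound SYNs aimed at a client's ephemeral port, which is the signature of a PORT-mode data connection the firewall refuses. The regex is my own reconstruction of the ipmon layout, and all sample lines except the first are constructed.

```python
import re
from collections import Counter

# Layout of an ipmon(8) record as quoted in the report; the regex is my own
# reconstruction of that format, not taken from ipmon's documentation.
IPMON_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+@(?P<rule>\S+)\s+(?P<action>[bp])\s+"
    r"(?P<src>[^\s,]+),(?P<sport>\d+)\s+->\s+(?P<dst>[^\s,]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+\d+\s+\d+\s+(?P<flags>-\S+)\s+(?P<dir>IN|OUT)")

# First record is the one quoted in the thread (re-joined); the rest are constructed.
SAMPLE_LINES = [
    "Nov 27 08:37:13 dakkon ipmon[141]: 08:37:12.496046 ep1 @0:2 b "
    "ftp.netbsd.org,59891 -> derenai.darykon.cet.com,1162 PR tcp len 20 60 -S IN",
    "Nov 27 08:40:01 dakkon ipmon[141]: 08:40:00.123456 ep1 @0:2 b "
    "10.9.8.7,4444 -> derenai.darykon.cet.com,23 PR tcp len 20 60 -S IN",
    "Nov 27 08:41:05 dakkon ipmon[141]: 08:41:04.000001 ep1 @0:1 p "
    "derenai.darykon.cet.com,1163 -> ftp.netbsd.org,21 PR tcp len 20 60 -S OUT",
    "Nov 27 08:41:06 dakkon ipmon[141]: unrelated text that does not parse",
]

def parse_ipmon(line):
    """Return the fields of one ipmon record as a dict, or None if it does not match."""
    m = IPMON_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def looks_like_active_ftp_data(rec):
    """Blocked inbound TCP SYN to a client ephemeral port (>1024): the signature of a
    PORT-mode data connection the firewall refuses (RFC 1579). The source port is
    not compared with 20 because the quoted record shows the server using 59891."""
    return (rec is not None and rec["action"] == "b" and rec["dir"] == "IN"
            and rec["proto"] == "tcp" and rec["flags"] == "-S" and rec["dport"] > 1024)

def active_ftp_suspects(lines):
    """Count, per remote host, blocked inbound SYNs that fit the PORT-mode pattern."""
    hits = Counter()
    for line in lines:
        rec = parse_ipmon(line)
        if looks_like_active_ftp_data(rec):
            hits[rec["src"]] += 1
    return dict(hits)

if __name__ == "__main__":
    for host, n in active_ftp_suspects(SAMPLE_LINES).items():
        print(f"{host}: {n} blocked inbound SYN(s) to client high ports (PORT mode?)")
```

A host that shows up here while the client has an FTP control session open to it is a strong hint that the client should be switched to PASV, as suggested above.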