Subject: Re: Problem with Window 2000->IE 5.5->ftp://ftp.netbsd.org and IPF
To: Steven M. Bellovin <smb@research.att.com>
From: David S. <davids@idiom.com>
List: netbsd-users
Date: 11/27/2001 11:23:25
On Tue, Nov 27, 2001 at 01:30:14PM -0500, Steven M. Bellovin wrote:
>
> I believe that the problem is that the Windows box is using PORT mode
> instead of PASV. See RFC 1579 for details on the problem.
>
> You can reconfigure IE to use PASV mode. I don't have IE 5.5 handy; on
> 6.0, go to Tools|Internet Options|Advanced and check the box "Use
> Passive FTP (for firewall and DSL modem capability)" under "Browsing".
>
> You could also allow calls in to (most) ports >1024. I don't recommend
> that unless necessary.
>
> Alternatively, use Netscape...
>
> (Note: ipnat.conf includes a proxy facility to handle PORT, but I
> don't know of any comparable mechanism in ipf.conf. Is there one?)
From http://www.obfuscation.org/ipf/ipf-howto.txt:
4.7. Magic Hidden Within NAT; Application Proxies
Since ipnat provides a method to rewrite packets as they traverse the firewall, it becomes a convenient place to build in some application-level proxies to make up for well-known deficiencies of that application and typical firewalls. For example: FTP. We can make our firewall pay attention to the packets going across it and, when it notices that it's dealing with an Active FTP session, it can write itself some temporary rules, much like what happens with keep state, so that the FTP data connection works. To do this, we use a rule like so:

map tun0 192.168.1.0/24 -> 20.20.20.1/32 proxy port ftp ftp/tcp

You must always remember to place this proxy rule before any portmap rules; otherwise portmap will come along, match the packet and rewrite it before the proxy gets a chance to work on it. Remember that ipnat rules are first-match.
I use 'ipf' for localhost filtering, and run 'ipnat' with just the rule
map le0 0/0 -> 0/32 proxy port 21 ftp/tcp
Active mode FTP works fine.
David S.
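The mechanics the thread is arguing about, as an added example that is not code from the thread or from the ipf howto it quotes: a small Python model of the RFC 1579 active-FTP problem and of what an FTP proxy in the NAT box has to do about it. In active mode the client sends PORT h1,h2,h3,h4,p1,p2 and the server connects back to that address and port (above 1024), which a filter that blocks unsolicited inbound connections drops; in passive mode the server answers a 227 reply and the client connects out. The hosts, ports and control messages below are constructed, the firewall policy is a deliberately minimal stand-in for ipf, and ftp_proxy() keeps the client's port number unchanged when it rewrites the address, which is a simplification rather than ipnat's exact behaviour.

```python
"""Added example; not code from the netbsd-users thread or the ipf howto.
Models RFC 1579: active FTP makes the server dial in to the client's PORT
address, which an inbound-blocking firewall drops; passive FTP has the client
dial out.  ftp_proxy() shows the job of ipnat's 'proxy port ftp ftp/tcp':
rewrite the private address in PORT and open a temporary hole for the reply
connection.  All hosts, ports and messages are constructed; keeping the port
number unchanged in the rewrite is a simplification, not ipnat's behaviour.
"""
import ipaddress
import re

HOSTPORT = r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)"
PORT_RE = re.compile(r"^PORT " + HOSTPORT + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227 .*?\(" + HOSTPORT + r"\)")

def decode_hostport(fields):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256 + p2), validating octets."""
    vals = [int(x) for x in fields]
    if any(v > 255 for v in vals):
        raise ValueError("field out of range in %r" % (fields,))
    h1, h2, h3, h4, p1, p2 = vals
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2

def encode_hostport(ip, port):
    """Inverse of decode_hostport: the comma form used by PORT and 227."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

def parse_port(cmd):
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    return decode_hostport(m.groups())

def parse_pasv_reply(reply):
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    return decode_hostport(m.groups())

def data_connection(client_ip, server_ip, msg):
    """Data-channel endpoints implied by one control message:
    ((src_ip, src_port), (dst_ip, dst_port)); port 0 means 'ephemeral'."""
    if msg.upper().startswith("PORT "):
        return (server_ip, 20), parse_port(msg)        # active: server dials in
    if msg.startswith("227 "):
        return (client_ip, 0), parse_pasv_reply(msg)   # passive: client dials out
    raise ValueError("not a data-channel negotiation message")

def firewall_allows(inside_net, public_ip, src, dst, holes=()):
    """Minimal stand-in policy: pass anything leaving the protected side, block
    anything coming in unless a proxy opened a hole for that exact (ip, port)."""
    net = ipaddress.ip_network(inside_net)

    def protected(ip):
        return ip == public_ip or ipaddress.ip_address(ip) in net

    if protected(src[0]) and not protected(dst[0]):
        return True
    if protected(dst[0]) and not protected(src[0]):
        return dst in holes
    return True

def ftp_proxy(port_cmd, inside_net, public_ip):
    """What a NAT-side FTP proxy must do with an outgoing PORT from an inside
    host: rewrite the address, open a hole, remember the translation."""
    ip, port = parse_port(port_cmd)
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(inside_net):
        return port_cmd, None, {}
    rewritten = "PORT %s\r\n" % encode_hostport(public_ip, port)
    hole = (public_ip, port)
    return rewritten, hole, {hole: (ip, port)}

def scenario():
    """Active FTP with and without the proxy, then passive, on constructed hosts."""
    client, server, public = "192.168.1.10", "198.51.100.7", "203.0.113.1"
    inside = "192.168.1.0/24"
    port_cmd = "PORT 192,168,1,10,4,1\r\n"           # client listens on 1025
    out = {}
    src, dst = data_connection(client, server, port_cmd)
    out["active_plain"] = firewall_allows(inside, public, src, dst)
    rewritten, hole, xlate = ftp_proxy(port_cmd, inside, public)
    src, dst = data_connection(client, server, rewritten)
    out["rewritten_port"] = rewritten.strip()
    out["active_proxied"] = firewall_allows(inside, public, src, dst, {hole})
    out["translated_to"] = xlate[dst]
    pasv = "227 Entering Passive Mode (198,51,100,7,8,57).\r\n"
    src, dst = data_connection(client, server, pasv)
    out["passive"] = firewall_allows(inside, public, src, dst)
    out["passive_target"] = dst
    return out

if __name__ == "__main__":
    for k, v in scenario().items():
        print("%-16s %s" % (k, v))
```

Running it shows the three cases side by side: the plain active connection is refused because it arrives from outside to a port the filter never opened (and carries a private address the server could not reach anyway), the proxied one passes because the rewritten PORT points the server at the public address and the proxy has opened exactly that (ip, port), and passive mode needs nothing from the firewall because the only connection is outbound. This is also why the howto insists the proxy rule comes before any portmap rule: once portmap has rewritten the packet, the proxy no longer sees the original inside address it needs to translate.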