Subject: Re: Problem with Window 2000->IE 5.5->ftp://ftp.netbsd.org and IPF
To: Gerald C. Simmons <simmons@darykon.cet.com>
From: David Maxwell <david@vex.net>
List: netbsd-users
Date: 11/28/2001 11:52:48
On Tue, Nov 27, 2001 at 12:18:07PM -0800, Gerald C. Simmons wrote:
> On Tue, Nov 27, 2001 David Maxwell wrote:
> >
> > I don't see any mention of NAT below, just a 'subnet block', which would
> > sound like a purely routed setup.
> 
> You got it! No NAT. IPSEC and Tunneling don't seem to like it, so I've leased
> a subnet block.
> 
> Here's my IPF.conf:
> 
> #	ipf.conf, v 0.1 2001/05/17  07:05:31  simmons Exp $

You're doing everything with keep state rules, which means that the
connection back to your client (when using active ftp) from the server's
ftp-data port is going to be blocked. If you log with ipmon, you should
be able to spot those blocked packets in your logs.

I'm not aware of a way to do active ftp packet inspection (and port
opening) in ipf, except in a NAT environment.

-- 
David Maxwell, david@vex.net|david@maxwell.net -->
Any sufficiently advanced Common Sense will seem like magic... 
					      - me
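An added ipf.conf fragment (not Gerald's actual config and not from the thread) illustrating the situation David describes, in a routed, non-NAT setup; the interface name ex0 and the subnet 192.0.2.0/24 are assumed placeholders:

```conf
# Constructed example, not the ruleset from the thread.
# ex0 = assumed external interface, 192.0.2.0/24 = assumed leased (routed) subnet.

# Outbound-only keep state rules, as in the ruleset being discussed.
# The ftp control channel (client -> server port 21) is covered by the
# state entry created here.
pass out quick on ex0 proto tcp from 192.0.2.0/24 to any flags S keep state
pass out quick on ex0 proto udp from 192.0.2.0/24 to any keep state
pass out quick on ex0 proto icmp from 192.0.2.0/24 to any keep state

# Active-mode data transfer: the SERVER opens a new connection from its
# port 20 (ftp-data) to a high port on the client. No state entry exists
# for it, so without a matching "pass in" it hits the block rule below and
# shows up in the ipmon log as a blocked inbound TCP packet from source port 20.

# Rule that permits that inbound data connection without NAT. It must
# precede the quick block rule. Tradeoff: it admits any SYN sourced from
# port 20 to high ports on the subnet, so the client-side service that
# accepts it is exposed to anyone who can set their source port; passive
# ftp (client opens the data connection) avoids needing this hole at all.
pass in quick on ex0 proto tcp from any port = 20 to 192.0.2.0/24 port > 1023 flags S keep state

# Everything else inbound is dropped and logged (visible with ipmon).
block in log quick on ex0 all
```

Because "quick" stops rule evaluation at the first match, the order shown (pass rules first, the catch-all block last) is what makes the ftp-data rule take effect.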