Subject: Re: reverse ftp proxy?
To: Brad Forschinger <bnjf@optushome.com.au>
From: Henry B. Hotz <hotz@jpl.nasa.gov>
List: port-mac68k
Date: 10/12/2000 09:20:48

At 10:30 PM +1100 10/12/00, Brad Forschinger wrote:
>if "map ae0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp" works for proxying
>internal outbound ftp, it'd make sense if "map ae0 0/32 -> 192.168.0.2/32
>proxy port ftp ftp/tcp" worked for mapping external inbound ftp traffic to a
>machine behind the nat gateway? or maybe "map sn0 ..."?

Incoming should not need a proxy, just knowledge of where the ftp
server is and that it's OK to allow ftp in to it. Try something like:

    map ae0 0/32 port 20 -> 192.168.0.2/32

I think if you look at the FAQ for ipfilter that this case is
discussed fairly early, though the example is for a web server rather
than an FTP server. One funny thing about FTP is that it uses two TCP
streams, one for control and another for data. Depending on the rest
of your setup and whether you are using passive transfers you may
need another line to allow the data connection through as well.

Signature held pending an ISO 9000 compliant
signature design and approval process.
h.b.hotz@jpl.nasa.gov, or hbhotz@oxy.edu
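
The two-stream behaviour mentioned in the reply, as an added example that is not part of the original message: a Python sketch that reads FTP control-channel lines and reports which side opens the data connection, to which address and port, and whether the announced address is a private one that a peer beyond the NAT gateway could not reach as sent. The function names, the external addresses 203.0.113.7 and 198.51.100.1, and the sample lines are constructed for illustration; only 192.168.0.2 comes from the thread.

```python
import ipaddress
import re

# h1,h2,h3,h4,p1,p2 tuple carried by PORT (RFC 959) and by the 227 PASV reply
_TUPLE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# 229 EPSV reply (RFC 2428) carries only a port: (|||port|)
_EPSV = re.compile(r"\(\|\|\|(\d{1,5})\|\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def data_endpoint(line, control_peer_ip):
    """Return (opener, ip, port) for the data connection one control-channel
    line announces, or None. opener is 'server' for active mode (PORT) and
    'client' for passive mode. control_peer_ip is the address the client
    used to reach the server; EPSV reuses it because it sends no address."""
    line = line.strip()
    is_port = line[:4].upper() == "PORT"
    if is_port or line.startswith("227"):
        m = _TUPLE.search(line)
        if not m:
            return None
        nums = [int(g) for g in m.groups()]
        if any(n > 255 for n in nums):
            return None  # malformed octet or port byte
        ip = ".".join(str(n) for n in nums[:4])
        return ("server" if is_port else "client", ip, nums[4] * 256 + nums[5])
    if line.startswith("229"):
        m = _EPSV.search(line)
        if m and int(m.group(1)) < 65536:
            return ("client", control_peer_ip, int(m.group(1)))
    return None


def needs_rewrite(endpoint):
    """True when the announced address is RFC 1918 space: the far side of the
    NAT gateway cannot connect to it unless the payload is rewritten."""
    return endpoint is not None and any(
        ipaddress.ip_address(endpoint[1]) in net for net in RFC1918)


# Constructed control-channel lines (not captured traffic).
SAMPLE = [
    "USER anonymous",
    "PORT 203,0,113,7,19,137",
    "227 Entering Passive Mode (192,168,0,2,195,80)",
    "229 Entering Extended Passive Mode (|||50001|)",
]

if __name__ == "__main__":
    for text in SAMPLE:
        ep = data_endpoint(text, "198.51.100.1")
        print(f"{text!r:52} -> {ep} rewrite={needs_rewrite(ep)}")
```

In every announced case the data port differs from the control port, so a rule covering only the control connection leaves the data stream unhandled.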