Subject: Re: FTP, pf, and multiple addresses
To: None <>
From: Ignatios Souvatzis <>
List: tech-net
Date: 02/07/2006 21:13:51

On Tue, Feb 07, 2006 at 11:45:26AM -0500, der Mouse wrote:
> (What
> I really want is for the control connection address to be selected
> normally, same as for any other connection, but all data connections
> corresponding to it to use the same address.  It would be acceptable,
> albeit not ideal, for all FTP, control and data both, to always use the
> same external address.)

You can probably make all connections from each internal host
always use the same external address easily.

I don't know how to make a NAT do what you want otherwise, unless
you have special code inside the NAT box that reads the control
connection data and sets the translation - exactly what you want
to avoid by not using ftp-proxy.

Given that, it might be easier for you to use ftp-proxy and "active"

Unless you want to write a passive-ftp-proxy module for pf (or
ipf, or ipfw, or whatever your NAT software is).

Yes, that's inconvenient.  But well, NAT _does_ break the end-to-end
connectivity assumption that was the assumption behind the design of
a lot of IP applications, and ftp is just one of the victims.
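
The kind of "special code inside the NAT box" described in the message above, sketched for passive mode: it reads the server's 227 reply on the control connection and pins the announced data connection to the external address already chosen for that control connection. This is an added example, not part of the original message and not code from pf, ipf or ipfw; the class and method names are hypothetical, the round-robin picker stands in for the NAT's normal address selection, and the addresses in the usage are constructed.

```python
import re

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
_PASV = re.compile(rb"^227[ -].*?(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_227(line):
    """Return (ip, port) announced in a 227 reply, or None if not a valid one."""
    m = _PASV.match(line)
    if m is None:
        return None
    n = [int(g) for g in m.groups()]
    if max(n) > 255:
        return None
    return ".".join(str(x) for x in n[:4]), n[4] * 256 + n[5]


class PassiveFtpPinner:
    """Hypothetical helper: passive data connections reuse the control connection's address."""

    def __init__(self, pool):
        self.pool = list(pool)   # external addresses the NAT may use
        self.turn = 0            # round-robin stand-in for the NAT's normal selection
        self.control = {}        # (client, server) -> external address of control connection
        self.expected = {}       # (client, server, data port) -> pinned external address

    def _normal(self):
        addr = self.pool[self.turn % len(self.pool)]
        self.turn += 1
        return addr

    def outbound(self, client, dst, dport):
        """Pick the external address for a new outbound TCP connection."""
        pinned = self.expected.pop((client, dst, dport), None)
        if pinned is not None:
            return pinned                       # data connection: follow the control connection
        addr = self._normal()
        if dport == 21:
            self.control[(client, dst)] = addr  # control connection: selected normally
        return addr

    def server_line(self, client, server, line):
        """Inspect one server-to-client control line; True if a data flow was pinned."""
        target = parse_227(line)
        ext = self.control.get((client, server))
        # Conservative choice: only pin flows to the server that owns the control connection.
        if target is None or ext is None or target[0] != server:
            return False
        self.expected[(client, server, target[1])] = ext
        return True
```

A pinned entry is consumed by the first matching connection, so a later connection to the same server port falls back to normal selection.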

