>> (What I really want is for the control connection address to be
>> selected normally, same as for any other connection, but all data
>> connections corresponding to it to use the same address.  It would
>> be acceptable, albeit not ideal, for all FTP, control and data both,
>> to always use the same external address.)

> Given that, it might be easier for you to use ftp-proxy and "active"
> connections.

Perhaps, except that I don't think that will work; it looks to me as
though ftp-proxy will draw a random address for its data connection
socket, so the server will see the PORT command naming a different
address from the one in use for the control connection.

If I use ftp-proxy -S, that's "fixed", but, based on the code, it looks
to me as though it will break passive connections, because ftp-proxy
*always* uses the -S address when setting up connections, even when
they're going in the wrong direction.

> Unless you want to write a passive-ftp-proxy module for pf, (or ipf,
> or ipfw, or whatever your NAT software is).

pf.  I've considered writing an ftp-proxy that gets addresses right (in
this regard) in both directions, which it looks as though the stock one
won't - though that's based on reading the code; I haven't actually got
round to trying it yet, so it's possible something else kicks in to fix
up ftp-proxy's sins in that regard.  I should scare up a couple of
spare machines and actually try it out.

> Yes, that's inconvenient.  But well, NAT _does_ break the end-to-end
> connectivity assumption that was the assumption behind the design of
> a lot of IP applications, and ftp is just one of the victims.

Yes, I know.  It's always struck me as stupid to deliberately break one
of the fundamental assumptions underlying IP networking and then go to
great lengths to try to paper over the resulting problems (and even
then, only the most blatant of them actually get "fixed").

But that's what $DAYJOB wants, so that's what I'm trying to do. :-þ
While I think it's wrong, I don't think it's so deeply wrong that I'm
unwilling to do it when paid to.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B