Subject: Re: Network proxies; NAT
To: Richard Rauch <rauch@rice.edu>
From: Frederick Bruckman <fredb@immanent.net>
List: netbsd-help
Date: 12/06/2001 09:02:05
On Thu, 6 Dec 2001, Richard Rauch wrote:

> > It could be that the AAAA record is giving you problems. Do
> > ftp4.netbsd.org and www4.netbsd.org work any better for you?
>
> (In retrospect, that doesn't sound very probable, anyway...I _am_ able to
> connect to the site.  It just hangs, e.g., with ftp at the ``230-\n''
> response.  I don't understand exactly what the AAAA record is, but it
> looks like a dns lookup request from tcpdump.  If that's all that it is,
> then that's not really the (main?) problem.)

No, the AAAA record is its IPv6 address. Someone recently complained on
comp.unix.bsd.netbsd.misc that his system would only attempt to connect
over the 6bone, and fail. Evidently that's not your problem.

> From watching tcpdump on both machines (hermes running ftp, and prometheus
> running ipnat/ipf), it appears that the ftp server is trying to send some
> kind of further message, but it never makes it to the client.
>
> E.g.:
>
> 06:14:11.832050 ftp.netbsd.org.ftp >
>  adsl-65-66-216-178.dsl.hstntx.swbell.net.65302: . ack 38 win 33580
>  <nop,nop,timestamp 2012901 29433> [tos 0x10]
> 06:14:15.207638 ftp.netbsd.org.ftp >
>  adsl-65-66-216-178.dsl.hstntx.swbell.net.65302: . 117:1077(960) ack 38
>  win  33580 <nop,nop,timestamp 2012907 29433> (frag 35209:992@0+) [tos
>  0x10]
> 06:14:15.210749 ftp.netbsd.org > adsl-65-66-216-178.dsl.hstntx.swbell.net:
>  (frag 35209:488@992) [tos 0x10]
>
> ...is it significant that the incoming message is (as I understand it)
> being put on port 65302?  ipnat is only mapping 40000:60000 to hermes.
> Those 65302 messages don't seem to make it to the ftp client.

It looks like the NAT host is trying to make an ftp connection. The NAT
doesn't even kick in unless some host *behind* *it* tries to make an
outgoing connection. If you can't even connect from the host running the
NAT, something else is wrong. Do you have ipfilter set up to block by
default?


Frederick
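As an added example (not part of this thread), a small Python parser for tcpdump lines in the format quoted above. It rejoins nothing itself (the constructed sample below has the wrapped lines already joined), extracts the client-side port and the IP fragment markers, and reports which replies fall outside the ipnat map range Richard mentions (40000:60000) and which packets are non-initial fragments that carry no TCP header at all. Host names and the range are taken from the quoted capture; the sample is constructed.

```python
import re

# Constructed sample, modelled on the tcpdump lines quoted in the thread
# (continuation lines rejoined; host names as in the quote).
SAMPLE = """\
06:14:11.832050 ftp.netbsd.org.ftp > adsl-65-66-216-178.dsl.hstntx.swbell.net.65302: . ack 38 win 33580 <nop,nop,timestamp 2012901 29433> [tos 0x10]
06:14:15.207638 ftp.netbsd.org.ftp > adsl-65-66-216-178.dsl.hstntx.swbell.net.65302: . 117:1077(960) ack 38 win 33580 <nop,nop,timestamp 2012907 29433> (frag 35209:992@0+) [tos 0x10]
06:14:15.210749 ftp.netbsd.org > adsl-65-66-216-178.dsl.hstntx.swbell.net: (frag 35209:488@992) [tos 0x10]
"""

NAT_PORT_RANGE = (40000, 60000)            # ipnat map range named in the thread
SERVICE_PORTS = {'ftp': 21, 'ftp-data': 20}  # names tcpdump prints for well-known ports

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$')
FRAG_RE = re.compile(r'\(frag (?P<id>\d+):(?P<len>\d+)@(?P<off>\d+)(?P<more>\+?)\)')

def split_host_port(name):
    """Split tcpdump's host.port notation into (host, port); port is None when absent."""
    host, _, last = name.rpartition('.')
    if last.isdigit():
        return host, int(last)
    if last in SERVICE_PORTS:
        return host, SERVICE_PORTS[last]
    return name, None  # e.g. a non-initial fragment: no TCP header, so no port printed

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, src_port = split_host_port(m['src'])
    dst, dst_port = split_host_port(m['dst'])
    f = FRAG_RE.search(m['rest'])
    frag = None
    if f:  # "frag id:len@off+" ; trailing "+" means more fragments follow
        frag = {'id': int(f['id']), 'len': int(f['len']),
                'off': int(f['off']), 'more': f['more'] == '+'}
    return {'ts': m['ts'], 'src': src, 'src_port': src_port,
            'dst': dst, 'dst_port': dst_port, 'frag': frag}

def analyze(text, nat_range=NAT_PORT_RANGE):
    """Annotate each parsed packet with why a NAT/filter rule might not match it."""
    lo, hi = nat_range
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec['in_nat_range'] = rec['dst_port'] is not None and lo <= rec['dst_port'] <= hi
        notes = []
        if rec['dst_port'] is None:
            notes.append('non-initial fragment: no TCP header, port rules cannot see it')
        elif not rec['in_nat_range']:
            notes.append(f"dst port {rec['dst_port']} outside map range {lo}:{hi}")
        if rec['frag'] and rec['frag']['more']:
            notes.append('first fragment of a fragmented datagram')
        rec['notes'] = notes
        out.append(rec)
    return out

if __name__ == '__main__':
    for r in analyze(SAMPLE):
        print(r['ts'], r['dst_port'], '; '.join(r['notes']))
```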