Subject: Re: Network proxies; NAT
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Richard Rauch <rauch@rice.edu>
List: netbsd-help
Date: 12/06/2001 10:13:07
> > >From watching tcpdump on both machines (hermes running ftp, and prometheus
> > running ipnat/ipf), it appears that the ftp server is trying to send some
> > kind of further message, but it never makes it to the client.
> >
> > E.g.:
> >
> > 06:14:11.832050 ftp.netbsd.org.ftp >
> >  adsl-65-66-216-178.dsl.hstntx.swbell.net.65302: . ack 38 win 33580
> >  <nop,nop,timestamp 2012901 29433> [tos 0x10]
> > 06:14:15.207638 ftp.netbsd.org.ftp >
> >  adsl-65-66-216-178.dsl.hstntx.swbell.net.65302: . 117:1077(960) ack 38
> >  win  33580 <nop,nop,timestamp 2012907 29433> (frag 35209:992@0+) [tos
> >  0x10]
> > 06:14:15.210749 ftp.netbsd.org > adsl-65-66-216-178.dsl.hstntx.swbell.net:
> >  (frag 35209:488@992) [tos 0x10]
> >
> >
> > ...is it significant that the incoming message is (as I understand it)
> > being put on port 65302?  ipnat is only mapping 40000:60000 to hermes.
> > Those 65302 messages don't seem to make it to the ftp client.
>
> It's not a problem with the port number. However, it could be a problem with
> fragments. Are you sure you don't block fragments in IPF?

Not unless:

(a) ipf blocks these by default.

(b) ipnat tells ipf to start blocking these.


At the suggestion of the NetBSD Guide, I created an (empty)
/etc/ipf.conf file and ran ipf (without parameters) prior to running
ipnat.  Up till now, I've focused exclusively on ipnat---blocking packets
may be worth doing eventually, but I'd like to get things doing what they
should do before I worry about making things _not_ work.


  ``I probably don't know what I'm talking about.'' --rauch@math.rice.edu
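[Added example, not part of the original mail or of the ipf/ipnat sources: a small audit of the
quoted tcpdump trace. The question in the thread is whether the missing packets are fragments,
and what matters for a port-keyed NAT or filter rule is that only the first fragment of a datagram
carries the TCP header, so tcpdump prints later fragments as bare "host > host" with no ports. The
script below parses that notation, joins the post's wrapped lines back into one line per packet
(constructed sample input, values copied from the trace), checks each port against the ipnat
portmap range 40000:60000 mentioned in the post (assumed inclusive), and reports which packets a
port-based rule could only match by tracking the first fragment's id. The service-name fallback
table is an assumption for hosts without /etc/services.]

```python
"""Audit a tcpdump trace for IP fragments that a port-keyed NAT/filter rule cannot match."""
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input, modelled on the trace quoted in the mail
# (the mail-wrapped lines are joined back into one tcpdump line per packet).
SAMPLE_TRACE = """\
06:14:11.832050 ftp.netbsd.org.ftp > adsl-65-66-216-178.dsl.hstntx.swbell.net.65302: . ack 38 win 33580 <nop,nop,timestamp 2012901 29433> [tos 0x10]
06:14:15.207638 ftp.netbsd.org.ftp > adsl-65-66-216-178.dsl.hstntx.swbell.net.65302: . 117:1077(960) ack 38 win 33580 <nop,nop,timestamp 2012907 29433> (frag 35209:992@0+) [tos 0x10]
06:14:15.210749 ftp.netbsd.org > adsl-65-66-216-178.dsl.hstntx.swbell.net: (frag 35209:488@992) [tos 0x10]
"""

# Assumed: the ipnat "portmap" range from the mail, taken as inclusive.
PORTMAP_RANGE = (40000, 60000)

HEADER_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+?):")
FRAG_RE = re.compile(r"\(frag (?P<id>\d+):(?P<size>\d+)@(?P<off>\d+)(?P<more>\+?)\)")

# Assumed fallback for well-known service names when /etc/services is not available.
SERVICE_FALLBACK = {"ftp": 21, "ftp-data": 20, "ssh": 22, "http": 80}


@dataclass
class Packet:
    ts: str
    src_host: str
    dst_host: str
    sport: Optional[int]      # None when the line carries no transport header
    dport: Optional[int]
    frag_id: Optional[int]    # None when the datagram is not fragmented
    frag_off: int             # fragment offset in bytes (0 for an unfragmented packet)
    more_frags: bool          # the trailing "+" in "(frag id:size@off+)"


def _port(token: str) -> int:
    """tcpdump prints well-known ports as service names (e.g. 'ftp'); map them back."""
    if token.isdigit():
        return int(token)
    try:
        return socket.getservbyname(token)
    except OSError:
        if token in SERVICE_FALLBACK:
            return SERVICE_FALLBACK[token]
        raise ValueError(f"unknown service name {token!r}")


def parse_line(line: str) -> Packet:
    """Parse one tcpdump line in the old 'host.port > host.port:' format."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a tcpdump header: {line!r}")
    f = FRAG_RE.search(line)
    frag_id = int(f["id"]) if f else None
    frag_off = int(f["off"]) if f else 0
    more = bool(f and f["more"])
    # Only the first fragment (offset 0) carries the TCP/UDP header, so only it
    # has ports; tcpdump prints later fragments as bare "host > host".
    src, dst = m["src"], m["dst"]
    sport = dport = None
    if frag_off == 0:
        src, sp = src.rsplit(".", 1)
        dst, dp = dst.rsplit(".", 1)
        sport, dport = _port(sp), _port(dp)
    return Packet(m["ts"], src, dst, sport, dport, frag_id, frag_off, more)


def audit(trace: str, portmap: Tuple[int, int] = PORTMAP_RANGE) -> List[str]:
    """Return one finding per packet, describing how a port-keyed NAT/filter rule sees it."""
    lo, hi = portmap
    first_frags: Dict[Tuple[str, str, int], Packet] = {}
    findings: List[str] = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        p = parse_line(line)
        if p.frag_id is not None and p.frag_off == 0:
            first_frags[(p.src_host, p.dst_host, p.frag_id)] = p
        if p.dport is not None:
            where = "inside" if lo <= p.dport <= hi else "outside"
            note = f"; first fragment id={p.frag_id}, more follow" if p.more_frags else ""
            findings.append(f"{p.ts} {p.src_host}:{p.sport} -> {p.dst_host}:{p.dport}"
                            f" port {where} portmap {lo}:{hi}{note}")
            continue
        head = first_frags.get((p.src_host, p.dst_host, p.frag_id))
        if head is not None:
            findings.append(f"{p.ts} fragment id={p.frag_id} offset={p.frag_off}: no ports; "
                            f"matchable only via first fragment to {head.dst_host}:{head.dport}")
        else:
            findings.append(f"{p.ts} fragment id={p.frag_id} offset={p.frag_off}: no ports and "
                            f"no first fragment seen; a port-keyed rule cannot match it")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TRACE):
        print(finding)
```

Run it as-is on the sample, or feed it a saved tcpdump capture (`python3 audit.py < trace.txt`
after swapping SAMPLE_TRACE for sys.stdin.read()). The third packet is the one to look at: it has
no port header at all, so a rule that keys on ports can only pass it if the filter is tracking
fragments of the session; in IPFilter that is what the `keep frags` option on a `keep state`
rule is for.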