netbsd-help: ipnat: ftp-proxy in other direction?

Subject: ipnat: ftp-proxy in other direction?
To: None <netbsd-help@netbsd.org>
From: Ingolf Steinbach <ingolf-200204@steinba.ch>
List: netbsd-help
Date: 04/28/2002 17:28:28

Hi,

among others, my /etc/ipnat.conf contains the lines
  map isp0 192.168.2.0/24 -> 0/32 proxy port ftp ftp/tcp
  rdr isp0 0/0 port 21 -> 192.168.2.5 port 21 tcp
(the 'rdr' line to allow ftp connections from external
hosts to one of the internal ones).

But it seems that this is not enough: An external FTP client
can connect, sees the greeting message and so on, but when
the server sends the 227 reply for a PASV command (received
from the client), the IP address in the reply is not
translated, i.e. I can see
  227 Entering Passive Mode (192,168,2,5,254,68)\r\n
on the external interface.

How should I modify my ipnat.conf to make this work (besides
disallowing passive mode in ftpd.conf)? (NetBSD/i386,
netbsd-1-5 branch as of 2002-04-12.)

TIA
    Ingolf