Subject: Re: Problem with Window 2000->IE 5.5->ftp://ftp.netbsd.org and IPF
To: Steven M. Bellovin <smb@research.att.com>
From: Gerald C. Simmons <simmons@darykon.cet.com>
List: netbsd-users
Date: 11/27/2001 12:11:45
Thanks!!  This did the trick! (Even under IE 5.5)

Gerry
simmons@darykon.cet.com


On Tues, Nov 27, 2001 Steven M. Bellovin wrote:
> 
> In message <200111271643.IAA00599@dakkon.darykon.cet.com>, "Gerald C. Simmons" 
> writes:
> >Has anyone run into this problem?
> >
> >I have a DSL link with an assigned IP subnet block from my ISP. I'm using a
> >NetBSD machine as a router/firewall using IPF. I have the following machines
> >as clients, Windows 2000, Windows NT 4.0, Windows ME, and Linux.
> >
> >I noticed recently, that when I use IE 5.5 on my Windows 2000 machine to go
> >into ftp.netbsd.org via www.netbsd.org, something happens and the ftp packets
> >back to my Windows 2000 machine get blocked.
> >
> >Nov 27 08:37:13 dakkon ipmon[141]: 08:37:12.496046
> >  ep1 @0:2 b ftp.netbsd.org,59891 -> derenai.darykon.cet.com,1162 PR tcp len
> >  20 60 -S IN 
> >
> >This actually hangs up IE 5.5 for about 3 minutes and it finally fails with a
> >timeout error.
> >
> >This doesn't happen with my Windows NT 4.0 box, or any of the others.
> 
> I believe that the problem is that the Windows box is using PORT mode 
> instead of PASV.  See RFC 1579 for details on the problem.  
> 
> You can reconfigure IE to use PASV mode.  I don't have IE 5.5 handy; on 
> 6.0, go to Tools|Internet Options|Advanced and check the box "Use 
> Passive FTP (for firewall and DSL modem capability)" under "Browsing".
> 
> You could also allow calls in to (most) ports >1024.  I don't recommend 
> that unless necessary.
> 
> Alternatively, use Netscape...
> 
> (Note:  ipnat.conf includes a proxy facility to handle PORT, but I 
> don't know of any comparable mechanism in ipf.conf.  Is there one?)
> 
> 		--Steve Bellovin, http://www.research.att.com/~smb
> 		Full text of "Firewalls" book now at http://www.wilyhacker.com
> 
> 
>
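The mechanism Steve describes above (RFC 1579: in PORT mode the server opens the data connection, so the firewall sees a fresh inbound SYN to an unprivileged port; in PASV mode the client opens it, so it is an ordinary outbound flow), as an added example that is not code from this thread or from IPF. It models an IPF-style "pass out ... keep state" plus "block in all" policy, runs both FTP data-connection setups through it, and parses the ipmon line Gerry posted. The IP addresses, the control-channel port 1161, and the filter model are constructed for the example; 1162 and 59891 are the ports from the quoted log line.

```python
"""Active (PORT) vs. passive (PASV) FTP through a stateful packet filter.

Added example, not code from the netbsd-users thread or from IPF. Models the
RFC 959 data-connection setup and a minimal "pass out ... keep state" /
"block in all" policy, then parses the ipmon line quoted in the thread.
Addresses and the policy model are constructed for the example.
"""
import re
from dataclasses import dataclass

CLIENT_IP = "192.0.2.10"    # constructed: the Windows 2000 host behind IPF
SERVER_IP = "203.0.113.5"   # constructed: stands in for ftp.netbsd.org


@dataclass(frozen=True)
class Syn:
    """A TCP connection attempt as the filter sees it."""
    direction: str  # "in" from the Internet, "out" from the LAN
    src: str
    sport: int
    dst: str
    dport: int


def encode_hostport(ip: str, port: int) -> str:
    """RFC 959 h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 PASV reply."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def decode_hostport(text: str) -> tuple[str, int]:
    """Inverse of encode_hostport; tolerates the surrounding command/reply text."""
    m = re.search(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})", text)
    if m is None:
        raise ValueError(f"no host/port tuple in {text!r}")
    parts = [int(x) for x in m.groups()]
    if max(parts) > 255:
        raise ValueError("octet out of range")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


class StatefulFilter:
    """Minimal model of 'pass out quick proto tcp all keep state' + 'block in all'."""

    def __init__(self) -> None:
        self.state: set[tuple] = set()   # flows opened from the inside
        self.blocked: list[Syn] = []     # what ipmon would log with 'b'

    def check(self, syn: Syn) -> bool:
        if syn.direction == "out":
            self.state.add((syn.src, syn.sport, syn.dst, syn.dport))
            return True
        # A SYN arriving from the Internet starts a new flow, so it never
        # matches state created by an outbound connection: blocked, whatever
        # the destination port is.
        self.blocked.append(syn)
        return False


def ftp_data_connection(fw: StatefulFilter, mode: str) -> bool:
    """Run one transfer's control-channel exchange and report whether the
    data-connection SYN gets through the filter."""
    fw.check(Syn("out", CLIENT_IP, 1161, SERVER_IP, 21))   # control channel: outbound
    if mode == "PORT":
        # Client names its listening port; the SERVER opens the data connection,
        # which the firewall sees as an inbound SYN to an ephemeral client port.
        command = "PORT " + encode_hostport(CLIENT_IP, 1162)
        ip, port = decode_hostport(command)                # server-side parse
        data = Syn("in", SERVER_IP, 59891, ip, port)
    elif mode == "PASV":
        # Server names its listening port; the CLIENT opens the data connection,
        # an outbound flow that creates state like any other.
        reply = "227 Entering Passive Mode (" + encode_hostport(SERVER_IP, 59891) + ")"
        ip, port = decode_hostport(reply)                  # client-side parse
        data = Syn("out", CLIENT_IP, 1162, ip, port)
    else:
        raise ValueError(mode)
    return fw.check(data)


# ipmon(8) short log format, as quoted in the thread:
#   ep1 @0:2 b ftp.netbsd.org,59891 -> derenai.darykon.cet.com,1162 PR tcp len 20 60 -S IN
IPMON_RE = re.compile(
    r"(?P<iface>\S+) @(?P<rule>\d+:\d+) (?P<action>[bp]) "
    r"(?P<src>\S+),(?P<sport>\d+) -> (?P<dst>\S+),(?P<dport>\d+) "
    r"PR (?P<proto>\w+) len \d+ \d+ (?P<flags>-\S+) (?P<dir>IN|OUT)"
)


def classify_ipmon(line: str) -> dict:
    """Flag a blocked packet that looks like an active-mode FTP data SYN:
    inbound, blocked, SYN only, to an unprivileged (>1024) port."""
    m = IPMON_RE.search(line)
    if m is None:
        raise ValueError("not an ipmon line")
    f = m.groupdict()
    dport = int(f["dport"])
    return {
        "src": f["src"], "sport": int(f["sport"]), "dst": f["dst"], "dport": dport,
        "blocked_new_inbound": f["action"] == "b" and f["dir"] == "IN" and f["flags"] == "-S",
        "to_unprivileged_port": dport > 1024,
    }


if __name__ == "__main__":
    fw = StatefulFilter()
    print("PORT-mode data SYN passes:", ftp_data_connection(fw, "PORT"))   # False
    print("PASV-mode data SYN passes:", ftp_data_connection(fw, "PASV"))   # True
    print(classify_ipmon("ep1 @0:2 b ftp.netbsd.org,59891 -> "
                         "derenai.darykon.cet.com,1162 PR tcp len 20 60 -S IN"))
```

The model makes the "allow calls in to (most) ports >1024" workaround concrete: the only way PORT mode passes this filter is a rule that admits new inbound SYNs to the whole ephemeral range, which is why Steve advises against it; switching the client to PASV (or running an FTP-aware proxy on the gateway) keeps every data connection outbound.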