tech-net: ipnat - ftp-proxy not working

Subject: ipnat - ftp-proxy not working
To: None <tech-net@netbsd.org>
From: Fabian Duelli <fabian.duelli@piping.georgfischer.com>
List: tech-net
Date: 07/30/2004 15:12:56
Hello,

I'm using NetBSD 1.6.2 as a firewall with 3 nics (DMZ[ex0], LAN[ex1],
INET[tlp0]).
The connection to the Internet is PPPoE.

The problem I have is that active mode ftp is not working through
ipnat's ftp-proxy.

When I connect from LAN(192.168.0.10) to any ftp server out there, with
active mode, and do a 'ls' I get:

	500 EPRT not understood
	421 Service not available, remote server has closed connection.

In my firewall log file I see:

---
30/07/2004 15:01:08.598915 pppoe0 @0:46 b xxx.xxx.xxx.xxx,ftp -> 
192.168.0.10,32083 PR tcp len 20 120 -AFP IN
---

My ipnat.conf:

---
map pppoe0 192.168.0.0/24 -> 0/32 proxy port ftp ftp/tcp mssclamp 1400
map pppoe0 192.168.0.0/24 -> 0/32 portmap tcp/udp 40000:60000 mssclamp 1400
map pppoe0 192.168.0.0/24 -> 0/32 mssclamp 1400
---

My ipfilter rules have no influence on this behavior, except the logging.

My ifconfig -a output:

ex0: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         capabilities=7<IP4CSUM,TCP4CSUM,UDP4CSUM>
         enabled=0<>
         address: 00:10:5a:e2:98:cd
         media: Ethernet autoselect (100baseTX full-duplex)
         status: active
         inet xxx.xxx.xxx.211 netmask 0xfffffff0 broadcast xxx.xxx.xxx.223
         inet6 fe80::210:5aff:fee2:98cd%ex0 prefixlen 64 scopeid 0x1
tlp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         address: 00:03:6d:13:54:43
         media: Ethernet autoselect (100baseTX full-duplex)
         status: active
         inet6 fe80::203:6dff:fe13:5443%tlp0 prefixlen 64 scopeid 0x2
ex1: flags=8863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         capabilities=7<IP4CSUM,TCP4CSUM,UDP4CSUM>
         enabled=0<>
         address: 00:10:5a:e2:9c:45
         media: Ethernet autoselect (100baseTX full-duplex)
         status: active
         inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
         inet6 fe80::210:5aff:fee2:9c45%ex1 prefixlen 64 scopeid 0x3
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 33220
         inet 127.0.0.1 netmask 0xff000000
         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
         inet6 ::1 prefixlen 128
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
sl1: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 296
strip0: flags=0<> mtu 1100
strip1: flags=0<> mtu 1100
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1400
         inet xxx.xxx.xxx.80 -> xxx.xxx.xxx.1 netmask 0xff000000
         inet6 fe80::210:5aff:fee2:98cd%pppoe0 -> :: prefixlen 64 
scopeid 0xb

Thank you for your time.

			-Fabian