From: Brett Glass
To: net@freebsd.org
Date: Mon, 08 Feb 2010 15:09:50 -0700
Subject: IPFW firewall NAT, port address translation, and "active" FTP

Everyone:

I've just attempted to build a router using FreeBSD 8.0 with IPFW's firewall NAT. I've included the following NAT parameters:

    ipfw nat 123 config if xl0 log redirect_port tcp 10.0.1.99:21 21 redirect_port tcp 10.0.1.99:20 20

Note that, among other things, incoming FTP is redirected to the host at 10.0.1.99 inside the firewall. The problem we're having is that users are having trouble reaching the FTP server with some clients -- in particular, Microsoft Internet Exploder. (I don't WANT them to be using IE, but I do not have control over this.)

Does anyone know if I need to set anything special to make the firewall track FTP data ports?

--Brett Glass
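
Background for the question above, as an added example that is not part of the original message and is not IPFW's implementation: FTP names its data endpoint inside the control connection (RFC 959 `h1,h2,h3,h4,p1,p2`), so a NAT that does not inspect that channel lets the private address 10.0.1.99 reach outside clients unchanged. The Python code below shows the rewrite and port tracking an FTP-aware NAT has to perform; the public address 203.0.113.10, the sample lines and all function names are constructed for illustration.

```python
import re

# RFC 959 data endpoint: six decimal bytes h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
_ENDPOINT = re.compile(r"(?<!\d)" + ",".join([r"(\d{1,3})"] * 6) + r"(?!\d)")

def parse_endpoint(line):
    """Return (ip, port) carried by a PORT command or a 227 reply, else None."""
    parts = line.split(None, 1)
    if not parts or parts[0].upper() not in ("PORT", "227"):
        return None
    m = _ENDPOINT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # not a valid byte, so not an endpoint
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]

def format_endpoint(ip, port):
    """Encode (ip, port) back into the h1,h2,h3,h4,p1,p2 form."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])

def rewrite_for_nat(line, inside_ip, public_ip, port_map):
    """Rewrite a control line sent by the inside host and record its data port.

    port_map gains public_port -> (inside_ip, inside_port); this example keeps
    the port number unchanged, which is an assumption, not a NAT requirement.
    """
    endpoint = parse_endpoint(line)
    if endpoint is None or endpoint[0] != inside_ip:
        return line  # nothing private to hide on this line
    port = endpoint[1]
    port_map[port] = (inside_ip, port)
    m = _ENDPOINT.search(line)
    return line[:m.start()] + format_endpoint(public_ip, port) + line[m.end():]

# Constructed control-channel lines from the server behind the NAT.
SAMPLE = [
    "220 FTP server ready",
    "227 Entering Passive Mode (10,0,1,99,195,80)",
]

if __name__ == "__main__":
    tracked = {}
    for raw in SAMPLE:
        print(rewrite_for_nat(raw, "10.0.1.99", "203.0.113.10", tracked))
    print(tracked)
```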