From: Chuck Swiger <cswiger@mac.com>
To: Peter Rosa
Cc: FreeBSD IPFW <freebsd-ipfw@freebsd.org>
Date: Sat, 10 Sep 2005 11:20:35 -0400
Subject: Re: IPFW2+NAT stateful rules VS. FTP
Message-id: <4322F9C3.10407@mac.com>
In-reply-to: <001501c5b616$0fb62c20$3501a8c0@pro.sk>

Peter Rosa wrote:
[ ... ]
> Or is it better to use /etc/natd.conf to redirect all incoming connections
> on ports 20 and 21 to localhost?
>
> Any help is *very* appreciated :-)

If you use "passive mode" FTP, that ought to work fine. If you use "active
mode" FTP, you ought to use the FTP proxying built into NATD (see the
-use_sockets and -punch_fw options), which is aware of the FTP data channel.
You should not attempt to use port forwarding when you are also using NAT
unless you know what you are doing. Without special measures being taken on
the machine being forwarded to, it will ignore such traffic because the IP
addresses won't match.

-- 
-Chuck
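A worked configuration for the setup described in the message above, added here as an illustration; it is not part of the original thread and not FreeBSD's own documentation. It assumes an external interface fxp0, a LAN of 192.168.1.0/24 behind it, an optional internal FTP server at 192.168.1.3, and the rule numbers shown; the loopback and LAN-interface rules a real ruleset needs are omitted. The natd options are the -use_sockets and -punch_fw ones the message refers to, written in natd.conf form; the ipfw part uses the usual skipto layout for mixing divert with keep-state rules, since an "allow ... keep-state" placed before the outbound divert accepts the packet untranslated.

```conf
# ---- /etc/natd.conf (assumed external interface fxp0) ----
interface    fxp0
same_ports   yes
# Allocate real sockets for the data ports natd negotiates on behalf of
# FTP/IRC sessions, so another local process cannot grab them meanwhile.
use_sockets  yes
# Let natd insert temporary ipfw rules 2000-2049, one pair per FTP data
# connection, so active-mode transfers can come back in through the firewall.
punch_fw     2000:50
# Only if an FTP *server* on the LAN must be reachable from outside
# (this is the port forwarding the message warns about; assumed host):
# redirect_port tcp 192.168.1.3:21 21

# ---- /etc/ipfw.rules, loaded via firewall_type="/etc/ipfw.rules" in rc.conf ----
# Assumed: LAN 192.168.1.0/24 behind fxp0; lo0 and LAN-interface rules omitted.
# Inbound packets are un-NATed first, so every later rule sees LAN addresses.
add 100   divert natd ip from any to any in via fxp0
add 200   check-state
# LAN-originated TCP: record state, then jump past the deny to the outbound
# divert. "allow ... keep-state" here would pass the packet before translation.
add 300   skipto 10000 tcp from 192.168.1.0/24 to any out via fxp0 setup keep-state
# If redirect_port above is used, admit the forwarded control connection the
# same way (the destination is already 192.168.1.3 because of rule 100):
# add 400   skipto 10000 tcp from any to 192.168.1.3 21 in via fxp0 setup keep-state
# 2000-2049: left empty on purpose; natd's punch_fw rules land here. They are
# written with the LAN addresses, so they must sit after rule 100 and before
# the final deny.
add 9000  deny ip from any to any
# Reached only via skipto: translate outbound traffic, then pass it.
add 10000 divert natd ip from any to any out via fxp0
add 10010 allow ip from any to any
```

With natd_enable="YES", natd_interface="fxp0", natd_flags="-f /etc/natd.conf", firewall_enable="YES" and firewall_type="/etc/ipfw.rules" in rc.conf (the interface name is the assumption above), the check worth doing is to start an active-mode transfer from a LAN host and run "ipfw -d show" on the gateway while it is in flight: the 2000-2049 range should briefly hold the rule pair natd punched for that data connection, and the dynamic rule list should show the control connection created by rule 300. If nothing appears in 2000-2049, natd is not seeing the control channel (typically the divert rule is missing or ordered after an allow), and the transfer will hang exactly as a plain stateful ruleset without the proxy would.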