NAT + Passive FTP problems...

I'm having a problem hitting my FTP server via passive FTP from the outside world. I have the right ports being forwarded from the external if, and I'm just not seeing where this is breaking (too bad you can't turn on logging on an rdr statement). My rules and findings follow:

rdr on xl0 inet proto tcp from any to 216.XXX.XX.XXX port = ftp -> 192.168.200.114 port 21
rdr on xl0 inet proto tcp from any to 216.XXX.XX.XXX port 49152:65535 -> 192.168.200.114 port 49152:65535

pass in quick on xl0 inet proto tcp from any to 192.168.200.114 port = ftp flags S/SA modulate state
pass in quick on xl0 inet proto tcp from any to 192.168.200.114 port >= 49152 flags S/SA modulate state


pass out quick on xl0 proto tcp from any to any port = ftp flags S/SA modulate state queue ftp
pass out quick on xl0 proto tcp from any to any port >= 49151 flags S/SA modulate state queue ftp


Here's my connection on 21; nothing even shows up for the high ports, and I have 21 and >=49152 in the same rule:
Jan 26 07:11:45.982234 rule 15/0(match): pass in on xl0: XXX.XXX.XX.XXX.1394 > 192.168.200.114.21: S (src OS: Windows XP SP1) 3459098578:3459098578(0) win 64512 <mss 1460,nop,nop,sackOK> (DF)


Here's my FTP server listening on the port it has selected for the client to connect to:
tcp 0 0 192.168.200.114.63465 *.* LISTEN
tcp 0 0 192.168.200.114.21 XXX.XXX.XX.XXX.1394 ESTABLISHED


It works internally on my network with an rdr on the internal if... and I don't think I need ftp-proxy for an inbound connection from the outside world, right? Any help is greatly appreciated...