> Otherwise, you may look at a packet filtering software that
> "properly handles stateful masquerading."
To clarify though... M0n0 handles stateful masquerading just fine. It
just doesn't handle some forms of stateful FTP masquerading, because to
do so requires the firewall to basically rewrite FTP control packets as
they come through. It's an added load to the CPU, and it adds to the
size of the firewall, both of which are enemies on m0n0.
As others mentioned, with OpenBSD's pf, you get an "ftp-proxy" program
that handles rewriting... on the CLIENT side. It does this to make
*active* FTP work with less hassle on the client side.
I don't know how it would function if you tried to pass server-bound
traffic through it though.