Hi all,

How is it possible to get an FTP server (pure-ftpd) working on the LAN in both passive and active mode, behind a NAT done by a monowall firewall, from a NATted FTP client?

myftp<->mono<-internet->$firewall/nat<->ftpclient

I searched the mailing list archives but I didn't find anything that solves my problems.

First of all, my network config:

- monowall wan: 200.200.200.1, lan: 192.168.0.1, opt: none
- public addresses: 200.200.200.1 - 200.200.200.8
- I got some inbound NAT on 200.200.200.2 to 192.168.0.4 for mail and http.
- ftpserver: 192.168.0.4 (on lan)

I tried the following solutions:

- server NAT activated on 200.200.200.2
- inbound NAT with the IP 200.200.200.2 as external IP and 192.168.1.4 as NAT IP
- allowed traffic from any port to port 21 on 192.168.0.1
- pure-ftpd with the -N flag (force clients into active mode)
- configured pure-ftpd with PassivePortRange set to 1024 - 5000 and ForcePassiveIP set to 200.200.200.2

From everywhere: passive mode OK, active mode KO.

Finally I made a 1 to 1 NAT 200.200.200.3 <-> 192.168.0.4 and configured pure-ftpd with PassivePortRange set to 1024 - 5000 and ForcePassiveIP set to 200.200.200.3. (The rules applied by the inbound NATs defined for 200.200.200.2 are also applied to the traffic directed to 200.200.200.3, so in this way the 1 to 1 NAT doesn't expose me to any additional risk.) All works OK from everywhere in active and passive mode.

This last configuration is very dirty and obviously I don't like to waste an IP address only for FTP (and some other NAT-unfriendly protos). A workaround is to use the -N flag in pure-ftpd, to force clients to go into active mode, but if I want to serve in both modes what could I do? May outbound NAT help me in some way? Is there anybody who could give me a hint?

(IP addresses shown here are obviously faked.)

Thanks in advance
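As an added diagnostic example (not part of the original post), the following checks a PASV reply from the server, or a PORT command from a client, against the ForcePassiveIP and PassivePortRange values quoted above. It shows why passive mode needs ForcePassiveIP behind NAT and why a NATted client's PORT command (carrying its private address) fails in active mode; the sample messages are constructed.

```python
import ipaddress
import re

# Values from the post: the public address pure-ftpd should advertise
# and the passive data-port range it was configured with.
FORCE_PASSIVE_IP = ipaddress.ip_address("200.200.200.2")
PASSIVE_PORT_RANGE = (1024, 5000)

# FTP encodes host and port as h1,h2,h3,h4,p1,p2 (port = p1*256 + p2)
# in both the server's 227 PASV reply and the client's PORT command.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 tuple into (ip_address, port)."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in: %r" % text)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return ipaddress.ip_address(f"{h1}.{h2}.{h3}.{h4}"), p1 * 256 + p2


def check_pasv_reply(reply, public_ip=FORCE_PASSIVE_IP, port_range=PASSIVE_PORT_RANGE):
    """Return the problems a client outside the NAT would hit with this 227 reply."""
    problems = []
    ip, port = parse_hostport(reply)
    if ip.is_private:
        problems.append(f"server advertises private address {ip} (ForcePassiveIP not set)")
    elif ip != public_ip:
        problems.append(f"server advertises {ip}, expected {public_ip}")
    lo, hi = port_range
    if not lo <= port <= hi:
        problems.append(f"data port {port} outside PassivePortRange {lo}-{hi}")
    return problems


def check_port_command(command):
    """Return the problems the server would have connecting back for this PORT command."""
    problems = []
    ip, port = parse_hostport(command)
    if ip.is_private:
        problems.append(f"client advertises private address {ip}; server cannot reach it")
    if port < 1024:
        problems.append(f"client data port {port} is privileged; likely bogus")
    return problems


if __name__ == "__main__":
    # Constructed sample messages: a correct reply, and the two failure cases.
    for msg in ("227 Entering Passive Mode (200,200,200,2,19,136)",
                "227 Entering Passive Mode (192,168,0,4,19,137)"):
        print(msg, "->", check_pasv_reply(msg) or "OK")
    print("PORT 192,168,1,10,4,1 ->", check_port_command("PORT 192,168,1,10,4,1") or "OK")
```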