 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] FTP NAT redux
 Date:  Mon, 23 Aug 2004 21:53:23 -0700 (PDT)
Putting this back on-list.

On Fri, 20 Aug 2004, Neil Schneider wrote:
> Fred Wright said:
> > On Thu, 19 Aug 2004, Neil Schneider wrote:
> >
> >> I recently replaced my Linux firewall with M0n0wall. I have an ftp
> >> server that sits behind it and is Server NAT'ed to a public IP
> >> address. I keep running into the problem described in the list
> >> archives and on various web pages, where connections from behind
> >> another firewall fail in unpredictable ways.
> >>
> >> So here's my question. Is there no equivalent in FreeBSD to the Linux
> >> kernel modules ip_contrack_ftp and ip_contrack_nat?
> >
> > Perhaps if you explained what those features do, and/or gave a specific
> > example of a failing case.
> ip_contrack_ftp and ip_contrack_nat are "helper" modules specifically
> for NAT'ing the FTP protocol. I believe they track the port connections
> for ftp and allow the kernel to know when ftp-data connections are
> related to those. I'm probably not explaining it well, however it
> solves the problems with double NAT'ed FTP servers. Clients had no
> problems connecting to my ftp server from behind firewalls with the
> Linux firewall. Now that I replaced the Linux firewall with m0n0wall
> they get timeout errors and failure to receive directory listings. I
> know it's related to these modules.

I think IPFilter handles this automatically for NAT but not for the
firewall, though this is based on using an active-mode client, which is a
similar but not identical case to the passive-mode server.  Passive-mode
clients and active-mode servers should have no trouble.  To open things up
the rest of the way, you need to open the whole "ephemeral" port range
49152-65535.  This may still not be enough if the server goes by an older
standard for the port range, but if you enable firewall logging you can
see what ports it's having trouble with.

I don't think this has anything to do with "double NATting", other than
that means there are *two* NAT layers that need to "get FTP right".

					Fred Wright
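The two cases Fred distinguishes (an active-mode client sending PORT, a passive-mode server answering 227) are exactly the control-channel lines an FTP NAT "helper" has to read. The following Python is an added example, not code from either poster, m0n0wall, IPFilter or the Linux helpers: it parses both messages, rewrites the private address a Server NAT'ed host advertises to its public one, reports the pinhole the firewall would have to open, and checks that port against a static 49152-65535 rule of the kind suggested above. The IP addresses, the session excerpt and the two "older standard" port ranges (classic BSD 1024-4999, Linux 32768-60999) are constructed assumptions for the example.

```python
import re

# Ephemeral ("dynamic") port ranges.  IANA_EPHEMERAL is the range quoted in
# the message; the other two are assumed examples of an "older standard" a
# server might still use when choosing passive data ports.
IANA_EPHEMERAL = (49152, 65535)
LEGACY_BSD_EPHEMERAL = (1024, 4999)       # assumption: classic BSD default
LINUX_DEFAULT_EPHEMERAL = (32768, 60999)  # assumption: modern Linux default

# RFC 959 h1,h2,h3,h4,p1,p2 encoding used by both PORT and the 227 reply.
_HP = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(r"^PORT\s+" + _HP + r"\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\b[^(]*\(" + _HP + r"\)")


def decode_hostport(groups):
    """Turn the six h1..p2 fields into (ip, port); reject out-of-range fields."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range: %r" % (groups,))
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    if port == 0:
        raise ValueError("port 0 is not usable")
    return ip, port


def encode_hostport(ip, port):
    """Inverse of decode_hostport."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def parse_data_endpoint(line):
    """("active", ip, port) for a PORT command, ("passive", ip, port) for a
    227 reply, None for any other control-channel line."""
    line = line.rstrip("\r\n")
    m = PORT_RE.match(line)
    if m:
        return ("active",) + decode_hostport(m.groups())
    m = PASV_RE.match(line)
    if m:
        return ("passive",) + decode_hostport(m.groups())
    return None


def alg_rewrite(line, private_ip, public_ip):
    """What an FTP NAT helper does for a host behind 1:1 (Server) NAT: if the
    advertised data-channel address is the private one, substitute the public
    one and report the pinhole (public_ip, port) the firewall must open.
    Returns (rewritten_line, pinhole_or_None)."""
    parsed = parse_data_endpoint(line)
    if parsed is None:
        return line, None
    _mode, ip, port = parsed
    if ip != private_ip:
        return line, None
    new_line = line.replace(encode_hostport(ip, port),
                            encode_hostport(public_ip, port))
    return new_line, (public_ip, port)


def port_range_name(port):
    """Name the ephemeral range a data port falls into, or "none"."""
    for name, (lo, hi) in (("iana", IANA_EPHEMERAL),
                           ("linux", LINUX_DEFAULT_EPHEMERAL),
                           ("legacy-bsd", LEGACY_BSD_EPHEMERAL)):
        if lo <= port <= hi:
            return name
    return "none"


def firewall_allows(port, open_ranges):
    """True if a static rule set opening open_ranges (list of (lo, hi)) admits
    the data connection; False is the "listing never arrives" failure."""
    return any(lo <= port <= hi for lo, hi in open_ranges)


# Constructed control-channel excerpt: a passive-mode client talking to a
# server at private 192.168.1.10 that is Server NAT'ed to public 203.0.113.5.
SAMPLE_SESSION = [
    "USER anonymous\r\n",
    "230 Login successful.\r\n",
    "PASV\r\n",
    "227 Entering Passive Mode (192,168,1,10,195,89).\r\n",  # data port 50009
    "LIST\r\n",
]


def process_session(lines, private_ip, public_ip):
    """Run the ALG over a whole session; return (rewritten lines, pinholes)."""
    out, pinholes = [], []
    for line in lines:
        new_line, hole = alg_rewrite(line, private_ip, public_ip)
        out.append(new_line)
        if hole:
            pinholes.append(hole)
    return out, pinholes


if __name__ == "__main__":
    rewritten, holes = process_session(SAMPLE_SESSION, "192.168.1.10", "203.0.113.5")
    for l in rewritten:
        print(l.rstrip())
    for ip, port in holes:
        print("open %s:%d  range=%s  passes 49152-65535 rule: %s"
              % (ip, port, port_range_name(port),
                 firewall_allows(port, [IANA_EPHEMERAL])))
```

Without the rewrite step, a client on the far side of the NAT would try to connect to 192.168.1.10 and time out, which is the symptom described above; without the pinhole, the connection to the public address is dropped by the firewall. A server whose passive ports come from one of the older ranges would show up as `range=legacy-bsd` or `range=linux` and fail the static 49152-65535 rule, which is the case the firewall log would reveal.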