IPfilter

Invalid PORT command - FTP/IPNAT

To: ipfilter@coombs.anu.edu.au
Subject: Invalid PORT command - FTP/IPNAT
From: "Corey Johnston" <coreyj@gmail.com>
Date: Mon, 19 Mar 2007 21:41:06 +1100
Just wondering if anybody can shed some light on an error I'm getting
trying to initiate an (active) ftp session from behind a NAT firewall.

I've got two IPFilter firewalls (both 4.1.17, both on Solaris) and
only one has a problem with FTPing.

The difference is that one firewall has a slightly more complicated
ruleset than the other, and rather than NATing all addresses with the
firewall's external IP (only), one firewall NATs a subset of the
outbound addresses to an IP other than the firewall's IP (same subnet).

In both cases, all protocols other than FTP work fine under this
configuration:

Firewall one: FTP works
map nge1 10.0.0.0/8 -> 0/32 proxy port ftp ftp/tcp
map nge1 from 10.0.0.0/8 to 0.0.0.0/0 -> 0/32 portmap tcp/udp auto
map nge1 from 10.0.0.0/8 to 0.0.0.0/0 -> 0/32

Firewall two: FTP broken
map bge1 from 0.0.0.0/0 to a.b.c.d/32 port = 21 -> w.x.y.z/32 proxy port ftp ftp/tcp
map bge1 from 0.0.0.0/0 to a.b.c.d/32 -> w.x.y.z/32 portmap tcp/udp auto
map bge1 from 0.0.0.0/0 to a.b.c.d/32 -> w.x.y.z/32

On the second firewall, the rules are slightly different as I need to
map only a subset of connections, and they need to map to an address
which isn't 0/32.

But as everything other than FTP seems to work, it seems like I'm
doing something wrong with FTP, or there's a bug somewhere.

Any ideas would be appreciated!

corey
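For readers unfamiliar with what the FTP proxy has to do for active-mode transfers, here is an added illustration (not part of Corey's post, not IPFilter's code): the client's PORT command carries its own private address in RFC 959 "h1,h2,h3,h4,p1,p2" form, and a NAT proxy must validate that command and substitute the mapped public address before forwarding it, compensating for the change in length on the control connection. The addresses 10.0.0.5 and 198.51.100.7 are constructed stand-ins for a client behind the firewall and for the mapped address the post writes as w.x.y.z.

```python
import re

# RFC 959 PORT syntax: "PORT h1,h2,h3,h4,p1,p2"; the data port is p1*256 + p2.
PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})$",
                     re.IGNORECASE)


def parse_port_command(line):
    """Return (ip, port) for a well-formed PORT command, or None if it is invalid."""
    m = PORT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):      # every field is a single byte
        return None
    port = fields[4] * 256 + fields[5]
    if port == 0:                         # port 0 is never a valid data port
        return None
    return ".".join(str(f) for f in fields[:4]), port


def format_port_command(ip, port):
    """Encode an address and port back into the comma-separated PORT form."""
    fields = ip.split(".") + [str(port // 256), str(port % 256)]
    return "PORT " + ",".join(fields) + "\r\n"


def rewrite_port_command(line, inside_ip, mapped_ip):
    """Translate a PORT command the way a NAT FTP proxy must for active mode.

    Returns (new_line, delta): the command with the client's private address
    replaced by the mapped public address, and the change in byte length that
    the proxy has to account for in TCP sequence/ack numbers on the control
    connection. Returns None when the command is malformed or advertises an
    address other than the connecting client's, which a proxy should refuse
    to translate (constructed behaviour for this example, not IPFilter's).
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != inside_ip:
        return None
    new_line = format_port_command(mapped_ip, port)
    return new_line, len(new_line) - len(line)


if __name__ == "__main__":
    # Constructed sample: client 10.0.0.5 behind the NAT, mapped to 198.51.100.7.
    print(rewrite_port_command("PORT 10,0,0,5,4,1\r\n", "10.0.0.5", "198.51.100.7"))
```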
