On Thursday 16 January 2003 04:28 am, Daniel Hartmeier wrote:
> Forgot to mention that the simple binat solution will of course
> require the ftp daemon to send the $ext_ftp_ip address in its replies
> inviting passive clients. Several ftp servers have such options, if
> yours does, that's the easiest solution.
>
> If it can't, you might consider moving the ftp server into a DMZ and
> directly assigning it the $ext_ftp_ip address, while the firewall is
> still in front of it.
>
> If that's no option, either, you might need ftp-proxy (with reverse
> patch) to translate the private address in the control connection.
> But since you do have a dedicated routable address for it, I'd try
> the simpler setups first :)
>
> Daniel

Wish I could just take the binat route, but the ftp server is still on
m$ ;-( Had to raid the unix box to build the firewall, so mostly
everything is running on a single m$ server at present. It will be
migrated to the unix box in the near future, but this was a rapid
deployment to solve some immediate nasties.

--
Regards,
Ken Gunderson
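
The control-connection issue discussed in this thread, as an added example that is not part of either message and is not ftp-proxy's code: a check for passive-mode (227) replies that advertise an RFC 1918 address, and the rewrite to the external address that a translating proxy would perform. The function names and all addresses are constructed for illustration.

```python
import ipaddress
import re

# A 227 reply carries six decimal fields: h1,h2,h3,h4,p1,p2 (RFC 959).
PASV_FIELDS = re.compile(r"\d{1,3}(?:,\d{1,3}){5}")

# Private ranges that must not reach clients outside the NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_pasv(line):
    """Return (IPv4Address, port) from a 227 reply, or None if not one."""
    if not line.startswith("227"):
        return None
    m = PASV_FIELDS.search(line[3:])
    if m is None:
        return None
    fields = [int(f) for f in m.group(0).split(",")]
    if any(f > 255 for f in fields):
        return None  # malformed octet or port byte
    ip = ipaddress.IPv4Address(".".join(str(f) for f in fields[:4]))
    return ip, fields[4] * 256 + fields[5]


def leaks_private(line):
    """True if the reply invites the client to connect to a private address."""
    parsed = parse_pasv(line)
    return parsed is not None and any(parsed[0] in net for net in RFC1918)


def rewrite_pasv(line, ext_ftp_ip):
    """Swap a private address in a 227 reply for ext_ftp_ip, keeping the port."""
    if not leaks_private(line):
        return line
    _, port = parse_pasv(line)
    host = str(ipaddress.IPv4Address(ext_ftp_ip)).replace(".", ",")
    new_fields = "{},{},{}".format(host, port >> 8, port & 0xFF)
    return line[:3] + PASV_FIELDS.sub(new_fields, line[3:], count=1)


if __name__ == "__main__":
    # Constructed sample: server behind NAT announcing its internal address.
    reply = "227 Entering Passive Mode (192,168,1,10,195,80)"
    print(leaks_private(reply), rewrite_pasv(reply, "203.0.113.5"))
```

Because the port is left unchanged, the firewall still has to pass or redirect the server's passive port range to the internal host.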