IPNAT configuration to allow remote administration and passive FTP

Posted on 2009-04-22
Last Modified: 2013-12-23
I am having an issue with remote administration on a router box using IPFILTER / IPNAT.  Originally I had assumed that the problem was with the /etc/ipf.rule configuration, however, after troubleshooting I determined that the issue lay within the /etc/ipnat.rule file.  My troubleshooting steps included going from a 'basic' firewall to a DEFAULT PASS ALL firewall and nothing would allow me to remote (SSH / webmin) into the box from the 'external' interface.  After modifying the /etc/ipnat.rule file below, only then was I able to access the machine from the 'external' interface.

This machine exists only on an internal network.  It is simply a router box to segment off a building in our company off of our main corporate network.  It is much more of a NAT than a firewall.  The company network is (, this box will serve the other building with (  The 'external' interface (which goes from my building to the satellite building) is em0, the 'internal' interface is xl0.

After I #'d out the top two lines, I was able to SSH/webmin into the box, but that broke passive FTP.  My question is: what would an ipnat.rule file look like that would allow me to remote into the box from the network and still allow passive ftp to work?


#map em0 -> proxy port ftp ftp/tcp
#map em0 -> portmap tcp/udp 1025:65000
map em0 ->

Question by:gracewild

    Accepted Solution

    Passive FTP is two outgoing connections.
    Unless you block them based on ports they should be fine.

    Author Closing Comment

    I guess you're right.  I had tested it with the CLI ftp, but I just tested it w/ IE and filezilla and that all works.

    Thanks for pointing that out.

    Author Comment

    With the CLI ftp, I was getting
    [500 Illegal port range rejected] when trying to do a directory listing, but since nobody but me uses CLI ftp from that building, it is not important.

    Thanks again.

    Expert Comment

    You have to allow random connections to high ports for passive ftp. This opens door to p2p, which may not be desirable. ftp proxy in ipnat does not do anything to fit PASV mode into dynamic rules.
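    The point made in the accepted solution and in the comment above (passive FTP is two client-initiated connections, while the ipnat ftp proxy exists to rewrite the client's PORT command in active mode) as an added example, not code from the original thread or from IPFilter. It parses a constructed FTP control-channel transcript and lists the TCP connections a NAT box between an internal client and an external server has to carry, flagging the one that cannot work without the ftp proxy. The addresses (10.1.1.0/24 for the satellite building behind xl0, 10.1.1.25 as a client, 10.0.0.5 as an FTP server on the em0 side) are assumptions, since the thread's own addresses were stripped from the page. One caveat the thread does not spell out: a "500 ... port range rejected" reply while requesting a directory listing is the server refusing a port the client announced, and the only client message that carries a port is PORT, so the CLI client that failed was in active mode, the case the commented-out proxy line was there for, while the browser and FileZilla used PASV.

```python
"""Which TCP connections does a NAT have to carry for one FTP session?

Added example, not code from the original thread or from IPFilter.
Addresses are assumptions: 10.1.1.0/24 is the satellite building behind
the NAT, 10.0.0.5 is an FTP server on the company side of em0.
"""
import ipaddress
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" sent by the server (RFC 959)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# "PORT h1,h2,h3,h4,p1,p2" sent by the client
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")

INTERNAL_NET = "10.1.1.0/24"   # assumption: network behind xl0
CLIENT = "10.1.1.25"           # assumption: a host in the satellite building
SERVER = "10.0.0.5"            # assumption: FTP server on the em0 side


def decode_hostport(groups):
    """Turn the six comma-separated decimal fields into (host, port)."""
    octets = [int(g) for g in groups]
    if any(o > 255 for o in octets):
        raise ValueError("field out of range: %r" % (groups,))
    host = "%d.%d.%d.%d" % tuple(octets[:4])
    port = octets[4] * 256 + octets[5]
    return host, port


def data_connections(transcript, client, server, internal_net):
    """List the connections a NAT between client and server sees.

    transcript: list of ("C"|"S", line) pairs from the control channel.
    Each entry records who opens the connection, where it goes, and
    whether the NAT must rewrite the FTP payload (what ipnat's
    'proxy port ftp ftp/tcp' does) for it to work at all.
    """
    internal = ipaddress.ip_network(internal_net)
    conns = [{"mode": "control", "src": client, "dst": server, "dport": 21,
              "direction": "outbound", "needs_ftp_proxy": False}]
    for who, line in transcript:
        if who == "C" and (m := PORT_RE.match(line)):
            host, port = decode_hostport(m.groups())
            # Active mode: the server connects back to the address the client
            # put in PORT. If that is a private address behind the NAT, the
            # payload must be rewritten and an inbound mapping created;
            # without the ftp proxy the server either refuses the PORT
            # command or tries to reach an address it cannot route to.
            conns.append({"mode": "active", "src": server, "dst": host,
                          "dport": port, "direction": "inbound",
                          "needs_ftp_proxy": ipaddress.ip_address(host) in internal})
        elif who == "S" and (m := PASV_RE.match(line)):
            host, port = decode_hostport(m.groups())
            # Passive mode: the client opens a second outbound connection to
            # the high port the server announced. Plain outbound NAT is
            # enough, as long as the filter does not block outbound
            # connections to high ports.
            conns.append({"mode": "passive", "src": client, "dst": host,
                          "dport": port, "direction": "outbound",
                          "needs_ftp_proxy": False})
    return conns


def works_with_plain_outbound_nat(conns):
    """True if every connection is client-initiated and needs no proxy."""
    return all(c["direction"] == "outbound" and not c["needs_ftp_proxy"]
               for c in conns)


# Constructed transcripts, not captures from the thread.
ACTIVE_SESSION = [
    ("S", "220 FTP server ready."),
    ("C", "USER anonymous"),
    ("S", "331 Guest login ok, send e-mail address as password."),
    ("C", "PASS guest@"),
    ("S", "230 Guest login ok."),
    ("C", "PORT 10,1,1,25,4,1"),          # client says: connect to 10.1.1.25:1025
    ("S", "200 PORT command successful."),
    ("C", "LIST"),
]
PASSIVE_SESSION = ACTIVE_SESSION[:5] + [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (10,0,0,5,195,80)"),  # 10.0.0.5:50000
    ("C", "LIST"),
]

if __name__ == "__main__":
    for name, session in (("active", ACTIVE_SESSION), ("passive", PASSIVE_SESSION)):
        conns = data_connections(session, CLIENT, SERVER, INTERNAL_NET)
        print("%s mode, plain outbound NAT is enough: %s"
              % (name, works_with_plain_outbound_nat(conns)))
        for c in conns:
            print("  %-8s %s -> %s:%d (%s, ftp proxy needed: %s)" % (
                c["mode"], c["src"], c["dst"], c["dport"],
                c["direction"], c["needs_ftp_proxy"]))
```

    Run as-is, the active session shows an inbound connection to a 10.1.1.0/24 address that only the ftp proxy line could have made work, and the passive session shows two outbound connections that a bare `map em0 ... -> ...` already handles. The passive data port is whatever the server announces, which is why the comment above says passive FTP amounts to allowing outbound connections to arbitrary high ports.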
