IPNAT configuration to allow remote administration and passive FTP

I am having an issue with remote administration on a router box using IPFILTER / IPNAT.  Originally I had assumed that the problem was with the /etc/ipf.rule configuration; however, after troubleshooting I determined that the issue lay within the /etc/ipnat.rule file.  My troubleshooting steps included going from a 'basic' firewall to a DEFAULT PASS ALL firewall, and nothing would allow me to remote (SSH / webmin) into the box from the 'external' interface.  Only after modifying the /etc/ipnat.rule file below was I able to access the machine from the 'external' interface.

This machine exists only on an internal network.  It is simply a router box to segment off a building in our company off of our main corporate network.  It is much more of a NAT than a firewall.  The company network is (, this box will serve the other building with (  The 'external' interface (which goes from my building to the satellite building) is em0, the 'internal' interface is xl0.

After I #'d out the top two lines, I was able to SSH/webmin into the box, but that broke passive FTP.  My question is: what would an ipnat.rule file look like that would allow me to remote into the box from the network and still allow passive ftp to work?


#map em0 -> proxy port ftp ftp/tcp
#map em0 -> portmap tcp/udp 1025:65000
map em0 ->


gheist Commented:
Passive FTP is two outgoing connections.
Unless you block them based on ports they should be fine.
gracewildAuthor Commented:
I guess you're right.  I had tested it with the CLI ftp, but I just tested it w/ IE and filezilla and that all works.

Thanks for pointing that out.
gracewildAuthor Commented:
With the CLI ftp, I was getting
[500 Illegal port range rejected]  when trying to do a directory listing, but since nobody but me uses CLI ftp from that building, it is not important.

Thanks again.
You have to allow random connections to high ports for passive ftp. This opens the door to p2p, which may not be desirable. The ftp proxy in ipnat does not do anything to fit PASV mode into dynamic rules.
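As an added illustration that is not part of the thread: a small Python helper that parses the 227 (PASV) and 229 (EPSV) replies an FTP server sends, and reports where the announced data port falls relative to the 1025:65000 range used by the commented-out portmap rule. The 192.0.2.x addresses and port values below are constructed sample data, not anything from the poster's network.

```python
import re

# Range from the portmap rule quoted in the question: "portmap tcp/udp 1025:65000".
PORTMAP_LOW, PORTMAP_HIGH = 1025, 65000

# RFC 959 PASV reply: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
# RFC 2428 EPSV reply: 229 Entering Extended Passive Mode (|||port|)
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_pasv(reply: str):
    """Return (host, port) from a 227 reply, or None if it does not parse."""
    m = PASV_RE.search(reply.strip())
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        return None  # each field is one octet
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2


def parse_epsv(reply: str):
    """Return the port from a 229 reply, or None if it does not parse."""
    m = EPSV_RE.search(reply.strip())
    return int(m.group(1)) if m else None


def classify_data_port(port: int) -> str:
    """Say whether a data port would be covered by the 1025:65000 portmap rule."""
    if port < 1 or port > 65535:
        return "invalid"
    if port < 1024:
        return "privileged"  # below the usual ephemeral range
    if PORTMAP_LOW <= port <= PORTMAP_HIGH:
        return "within-portmap-range"
    return "outside-portmap-range"


def check_reply(reply: str):
    """Classify the data port announced by a PASV or EPSV reply line."""
    pasv = parse_pasv(reply)
    if pasv:
        return pasv[1], classify_data_port(pasv[1])
    epsv = parse_epsv(reply)
    if epsv is not None:
        return epsv, classify_data_port(epsv)
    return None, "no-data-port"


if __name__ == "__main__":
    # Constructed replies for demonstration only.
    for line in ("227 Entering Passive Mode (192,0,2,10,195,89)",
                 "229 Entering Extended Passive Mode (|||65100|)",
                 "227 Entering Passive Mode (192,0,2,10,0,21)"):
        print(line, "->", check_reply(line))
```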