On 7/6/05, Jeff Rasmussen <jeff.rasmussen at gmail.com> wrote:
> I've upgraded from Debian Woody to Sarge and now am using a 2.6.8
> kernel with Openswan and Shorewall. The VPN tunnel works great for
> all other traffic except ftp. I keep getting this message below.
>
> kernel: FTP_NAT: partial packet 2087393185/21 in 787/863
> kernel: FTP_NAT: partial packet 2087393185/21 in 788/844
> kernel: FTP_NAT: partial packet 2087393185/21 in 789/849
> kernel: FTP_NAT: partial packet 2087393185/21 in 790/838
>
> I have both ip_ftp_nat and ip_conntrack_ftp loaded. I am using
> one-to-one NAT (same as before) to translate the foreign network to a
> local ip address.
>
> I can log into the ftp server but when I try to list the directory it
> fails in either active or passive modes. The last communication with
> the ftp server requests the active ports to use.
>
> I've seen two links on the web, one that says that there is a conflict
> between IPSEC and iptables. The other that had a firewall rule on the
> other end of the tunnel that was preventing the connection.
>
> http://lists.shorewall.net/pipermail/shorewall-users/2004-June/012969.html
> http://msgs.securepoint.com/cgi-bin/get/netfilter-0506/123.html
>
> Anyone dealt with anything like this?
>
> --
> Jeff Rasmussen
> GPG public key 0x9686C12F
>

I found a workaround for this problem based off of this post.
(http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.general/25078)
It looks like the modules ip_ftp_nat and ip_conntrack_ftp cannot
differentiate between the vpn traffic and the public Internet traffic
going through the same interface. Apparently, I won't be able to use my
server as an ftp client through NAT as a result. Now to find out how to
disable those modules from loading with Shorewall.

--
Jeff Rasmussen
GPG public key 0x9686C12F
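Reading the four FTP_NAT lines from the message above, as an added example that is not part of the thread and not Shorewall's or Openswan's code. It assumes the printk format of the 2.6-era ip_nat_ftp.c helper, "FTP_NAT: partial packet %u/%u in %u/%u" with the fields exp->seq, match length, segment start seq and segment end seq, and that the helper only rewrites the PORT/PASV text when the last byte of the expected command lies inside the segment, dropping the segment otherwise (both from my reading of that source, so treat them as assumptions). The log text is a constructed copy of the lines quoted in the post; the function names are mine.

```python
import re

# Constructed copy of the kernel lines quoted in the post (not captured here).
SAMPLE_LOG = """\
kernel: FTP_NAT: partial packet 2087393185/21 in 787/863
kernel: FTP_NAT: partial packet 2087393185/21 in 788/844
kernel: FTP_NAT: partial packet 2087393185/21 in 789/849
kernel: FTP_NAT: partial packet 2087393185/21 in 790/838
"""

# Assumed printk layout from the 2.6 ip_nat_ftp.c helper:
#   "FTP_NAT: partial packet %u/%u in %u/%u"
#   -> exp->seq, matchlen, ntohl(tcph->seq), ntohl(tcph->seq) + datalen
LINE_RE = re.compile(r"FTP_NAT: partial packet (\d+)/(\d+) in (\d+)/(\d+)")


def parse_ftp_nat_line(line):
    """Return the four numeric fields of one FTP_NAT line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    exp_seq, matchlen, seq, seq_end = (int(x) for x in m.groups())
    return {"exp_seq": exp_seq, "matchlen": matchlen,
            "seq": seq, "seq_end": seq_end}


def between(x, lo, hi):
    """Inclusive range test, the shape the helper uses (assumption)."""
    return lo <= x <= hi


def classify(rec):
    """Reproduce the helper's decision for one segment.

    in_segment : last byte of the expected PORT/PASV text is inside the
                 segment, so the helper would rewrite it and accept.
    straddles  : the command starts in this segment but ends after it,
                 a genuine partial command (retransmission or small MSS).
    disjoint   : the expected byte range does not touch this segment at
                 all; the expectation was recorded from a different TCP
                 sequence space than the segment now being examined.
    In both non-matching cases the helper logs and drops the segment.
    """
    first = rec["exp_seq"]
    last = rec["exp_seq"] + rec["matchlen"] - 1
    if between(last, rec["seq"], rec["seq_end"]):
        return "in_segment"
    if between(first, rec["seq"], rec["seq_end"]):
        return "straddles"
    return "disjoint"


def gap_to_segment(rec):
    """Bytes between the expected command and the segment, 0 if they touch."""
    first = rec["exp_seq"]
    last = rec["exp_seq"] + rec["matchlen"] - 1
    if last < rec["seq"]:
        return rec["seq"] - last
    if first > rec["seq_end"]:
        return first - rec["seq_end"]
    return 0


def analyze_log(text):
    """Parse every FTP_NAT line and return [(record, verdict), ...]."""
    out = []
    for line in text.splitlines():
        rec = parse_ftp_nat_line(line)
        if rec is not None:
            out.append((rec, classify(rec)))
    return out


if __name__ == "__main__":
    for rec, verdict in analyze_log(SAMPLE_LOG):
        print("expected %d..%d, segment %d..%d -> %s (gap %d bytes)" % (
            rec["exp_seq"], rec["exp_seq"] + rec["matchlen"] - 1,
            rec["seq"], rec["seq_end"], verdict, gap_to_segment(rec)))
```

Run against the quoted lines, every segment comes out "disjoint": the helper is waiting for a 21-byte command (the length of a typical "PORT a,b,c,d,p1,p2\r\n") at sequence 2087393185, while the segments it is handed sit at 787..863, roughly two billion bytes away. That is not a split or retransmitted command; it is an expectation created on one copy of the control connection being applied to a segment from another, which is consistent with the poster's conclusion that the helper sees the IPsec and clear-text traffic on the same interface and cannot tell them apart. Because the mismatch is handled by dropping the segment that carries PORT/PASV, the login succeeds but the directory listing never starts.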