
Active FTP under iptables to ftp.netscape.com
I am running iptables with SNAT under Redhat 7.1 with 2.4.3 smp kernel.
I have successfully installed ip_conntrack, ip_conntrack_ftp and
ip_nat_ftp. I can connect from internal machines to active FTP sites.
I know it's working because I used a protocol analyzer and saw the
connections back to my local machines from source port 20. I connected
specifically to ftp.cs.utah.edu and ftp.microsoft.com both using 2-port
active ftp.
The weirdest thing is that active ftp doesn't work from
ftp.netscape.com. For some reason the conntrack module just doesn't
realize that it should track it if it's there. My guess is that it's
something with the particular server Netscape is running.
I know that ftp.netscape.com supports active ftp because I can connect
with active ftp from my server machine to it with the firewall down.
Does anyone know why this happens? Would someone else please try
connecting to ftp.netscape.com and confirm my findings?
-John
On a side note, does anyone know of a nice way to view the output of
tcpdump in Linux? Something that splits it up into frame, ip, tcp and
application and shows the fields in a more human-readable way?
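An added example, not part of John's post or of the ip_conntrack_ftp module: it models what the FTP connection-tracking helper has to pull out of the control channel, decoding a client's PORT command and a server's 227 passive reply from a constructed transcript into the data connection the firewall should expect. Comparing those expectations against a tcpdump capture of the Netscape session shows whether the helper ever had a well-formed line to act on. All names, addresses and transcript lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two control-channel messages a conntrack FTP helper must parse.
# A PORT command is only accepted as a complete CRLF-terminated line,
# mirroring the kernel helper, which ignores partial commands.
PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\r?\n$")
PASV_RE = re.compile(r"^227 [^(]*\((\d{1,3}(?:,\d{1,3}){5})\)")


@dataclass(frozen=True)
class Expectation:
    """Data connection the helper should let through: src -> dst."""
    src_ip: str
    src_port: Optional[int]   # None = any ephemeral port (passive mode)
    dst_ip: str
    dst_port: int


def decode_hostport(six: str) -> Tuple[str, int]:
    """Turn 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256+p2)."""
    parts = [int(p) for p in six.split(",")]
    if len(parts) != 6 or any(p > 255 for p in parts):
        raise ValueError("bad h1,h2,h3,h4,p1,p2 field")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def expectation_for(direction: str, line: str, client_ip: str,
                    server_ip: str) -> Optional[Expectation]:
    """Expectation for one line ('C' = client->server, 'S' = server->client)."""
    if direction == "C":
        m = PORT_RE.match(line)
        if m is None:
            return None
        ip, port = decode_hostport(m.group(1))
        if ip != client_ip:          # strict check: announced address must be the client
            return None
        return Expectation(server_ip, 20, ip, port)   # active: server dials from port 20
    m = PASV_RE.match(line)
    if m is None:
        return None
    ip, port = decode_hostport(m.group(1))
    if ip != server_ip:
        return None
    return Expectation(client_ip, None, ip, port)      # passive: client dials the server


def expectations_from_transcript(transcript, client_ip, server_ip) -> List[Expectation]:
    found = []
    for direction, line in transcript:
        e = expectation_for(direction, line, client_ip, server_ip)
        if e is not None:
            found.append(e)
    return found


# Constructed control-channel transcript (client 192.168.1.10, server 10.0.0.5).
SAMPLE_TRANSCRIPT = [
    ("S", "220 ftp service ready\r\n"),
    ("C", "PORT 192,168,1,10,4,1\r\n"),          # client announces 192.168.1.10:1025
    ("S", "200 PORT command successful\r\n"),
    ("C", "PORT 10,9,9,9,4,2\r\n"),              # address is not the client: ignored
    ("S", "227 Entering Passive Mode (10,0,0,5,20,40)\r\n"),  # server 10.0.0.5:5160
]
```

A PORT line with no terminating CRLF (for instance split across two TCP segments) yields no expectation, which is one thing to look for in the capture.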