On 7/6/05, Jeff Rasmussen <jeff.rasmussen at gmail.com> wrote:
> I've upgraded from Debian Woody to Sarge and now am using a 2.6.8
> kernel with Openswan and Shorewall.  The VPN tunnel works great for
> all other traffic except ftp.  I keep getting this message below.
> 
> kernel: FTP_NAT: partial packet 2087393185/21 in 787/863
> kernel: FTP_NAT: partial packet 2087393185/21 in 788/844
> kernel: FTP_NAT: partial packet 2087393185/21 in 789/849
> kernel: FTP_NAT: partial packet 2087393185/21 in 790/838
> 
> I have both ip_ftp_nat and ip_conntrack_ftp loaded.  I am using
> one-to-one NAT (same as before) to translate the foreign network to a
> local ip address.
> 
> I can log into the ftp server but when I try to list the directory it
> fails in either active or passive modes.  The last communication with
> the ftp server requests the active ports to use.
> 
> I've seen two links on the web, one that says that there is a conflict
> between IPSEC and iptables.  The other had a firewall rule on the
> other end of the tunnel that was preventing the connection.
> 
> http://lists.shorewall.net/pipermail/shorewall-users/2004-June/012969.html
> http://msgs.securepoint.com/cgi-bin/get/netfilter-0506/123.html
> 
> Anyone dealt with anything like this?
> 
> --
> Jeff Rasmussen
> GPG public key 0x9686C12F
> 

I found a workaround for this problem based on this post.
(http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.general/25078)

It looks like the modules ip_ftp_nat and ip_conntrack_ftp cannot
differentiate between the vpn traffic and the public Internet traffic
going through the same interface.

Apparently, I won't be able to use my server as an ftp client through
NAT as a result.

Now to find out how to disable those modules from loading with Shorewall.

-- 
Jeff Rasmussen
GPG public key 0x9686C12F
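Since the reply above leaves open how to keep Shorewall from loading the two FTP helper modules, here is an added example (not from the thread and not Shorewall's own code). It assumes Shorewall's `modules` file format, where each module is loaded by a line of the form `loadmodule ip_conntrack_ftp [options]`, that the default file lives in /usr/share/shorewall/modules, and that a copy in /etc/shorewall/modules overrides it. Both file paths are parameters so the script can be run against a copy; the sample file written by `demo` is constructed for the example and is not the real distribution file.

```shell
#!/bin/sh
# Added example: build an /etc/shorewall/modules override with the FTP
# helper lines commented out, so Shorewall stops loading ip_conntrack_ftp
# and ip_nat_ftp on start/restart.  Assumes the loadmodule-based format of
# Shorewall's modules file; paths are parameters.

# disable_ftp_helpers SRC DST
# Copy SRC to DST, commenting out every "loadmodule ip_conntrack_ftp ..."
# and "loadmodule ip_nat_ftp ..." line.  Field matching (not a substring
# match) leaves ip_conntrack, ip_conntrack_irc, etc. untouched.
disable_ftp_helpers() {
    src=$1
    dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    awk '$1 == "loadmodule" && ($2 == "ip_conntrack_ftp" || $2 == "ip_nat_ftp") {
             print "# " $0; next
         }
         { print }' "$src" > "$dst"
}

# helper_enabled FILE MODULE
# Exit 0 if FILE still contains an active (uncommented) loadmodule line for MODULE.
helper_enabled() {
    grep -E "^[[:space:]]*loadmodule[[:space:]]+$2([[:space:]]|$)" "$1" >/dev/null 2>&1
}

# demo: run the rewrite against a constructed sample modules file and
# return nonzero if either FTP helper would still be loaded afterwards.
demo() {
    dir=$(mktemp -d) || return 1
    # Constructed sample, not the real /usr/share/shorewall/modules.
    cat > "$dir/modules" <<'EOF'
# constructed sample modules file
loadmodule ip_tables
loadmodule ip_conntrack
loadmodule ip_conntrack_ftp
loadmodule ip_nat_ftp
loadmodule ip_conntrack_irc ports=6667
EOF
    disable_ftp_helpers "$dir/modules" "$dir/modules.new" || { rm -rf "$dir"; return 1; }
    cat "$dir/modules.new"
    if helper_enabled "$dir/modules.new" ip_conntrack_ftp \
       || helper_enabled "$dir/modules.new" ip_nat_ftp; then
        rm -rf "$dir"
        return 1
    fi
    rm -rf "$dir"
}

# Real use (as root), after reviewing the generated file:
#   disable_ftp_helpers /usr/share/shorewall/modules /etc/shorewall/modules
#   rmmod ip_nat_ftp ip_conntrack_ftp   # ip_nat_ftp first: it depends on ip_conntrack_ftp
#   shorewall restart
if [ "${1:-}" = demo ]; then
    demo
fi
```

Two caveats: the override only stops Shorewall from loading the helpers, so modules already in the kernel must be removed with rmmod (ip_nat_ftp before ip_conntrack_ftp), and anything else that loads them, such as an entry in /etc/modules, will bring them back. Without the helpers, FTP data connections through NAT will no longer be tracked, which is the trade-off the reply above accepts.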