This is a discussion on Re: Invalid PORT command - FTP/IPNAT within the IPFilter forums, part of the System Security and Security Related category.
> From owner-ipfilter@cairo.anu.edu.au Mon Mar 19 11:44:53 2007

Corey Johnston wrote:
> Firewall two: FTP broken
> map bge1 from 0.0.0.0/0 to a.b.c.d/32 port = 21 -> w.x.y.z/32 proxy port ftp ftp/tcp
> map bge1 from 0.0.0.0/0 to a.b.c.d/32 -> w.x.y.z/32 portmap tcp/udp auto
> map bge1 from 0.0.0.0/0 to a.b.c.d/32 -> w.x.y.z/32

As you have bge interfaces: these use hardware checksumming, which is known to cause NAT trouble in Solaris IPF. Try whether the following helps: add a line to /etc/system:

set ip:dohwcksum=0

and reboot.
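An added example, not part of the original post: one way to apply the /etc/system change above without leaving duplicate or conflicting settings behind. The helper name ensure_tunable, the .bak suffix and the sample file are assumptions made for this sketch; the demo runs on a constructed file, not the live /etc/system.

```shell
#!/bin/sh
# ensure_tunable FILE MODULE:VAR VALUE   (hypothetical helper, not a Solaris tool)
# Ensures FILE, in /etc/system syntax, has one active "set MODULE:VAR=VALUE".
# Lines beginning with "*" are comments in that syntax and are ignored.
# Returns 0 = file changed (reboot needed), 1 = already set, 2 = error.
ensure_tunable() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    # Values of every active (uncommented) setting of this tunable.
    current=$(grep -v '^[[:space:]]*\*' "$file" |
        sed -n "s/^[[:space:]]*set[[:space:]][[:space:]]*${name}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p")
    [ "$current" = "$value" ] && return 1

    # Keep a known-good copy: a bad /etc/system can stop the host booting.
    cp -p "$file" "$file.bak" || return 2
    tmp="$file.new.$$"
    # Comment out conflicting or duplicate active lines, then append ours.
    sed "s/^\([[:space:]]*set[[:space:]][[:space:]]*${name}[[:space:]]*=.*\)/* \1/" \
        "$file" > "$tmp" || return 2
    printf 'set %s=%s\n' "$name" "$value" >> "$tmp"
    # Overwrite in place so ownership and mode of FILE are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp" || return 2
    return 0
}

# Demo on a constructed sample file, not the live /etc/system.
demo="${TMPDIR:-/tmp}/system.demo.$$"
printf '* constructed sample\nset ip:dohwcksum=1\n' > "$demo"
ensure_tunable "$demo" ip:dohwcksum 0 && echo "changed; reboot to apply"
cat "$demo"
rm -f "$demo" "$demo.bak"
```

If a bad edit does leave the host unbootable, booting with `boot -a` lets you name the saved copy as the system file.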