======================================================================================
Port forwarding setup on CheckPoint firewall: Shunichi Mikame (smikame@ipv4sec.com) - 03/05/2009
======================================================================================
TEST 1 with no load balancing (directly to physical node)
======================================================================================

Traffic Flow:

ftp-control traffic flow: ftp client --> port 21 --> firewall --> port 2141 --> ftp server
ftp-data traffic flow: active ftp sourcing from the server's static port (2140) to the client

FW Rule:
------------------------------------------------
| SOURCE      | DESTINATION | Service | ACTION |
------------------------------------------------
| 192.168.1.1 | 10.7.7.7    | ftp     | accept |
------------------------------------------------

NAT Rule:
-------------------------------------- ---------------------------------------
| ORIGINAL PACKET                     || TRANSLATED PACKET                   |
-------------------------------------- ---------------------------------------
| SOURCE      | DESTINATION | Service || SOURCE     | DESTINATION | Service  |
-------------------------------------- ---------------------------------------
| 192.168.1.1 | 10.7.7.7    | ftp     || = Original | = Original  | ftp-2141 |
-------------------------------------- ---------------------------------------

Result on external interface (before port forwarding): <= This is active ftp with a static port (2140) for ftp-data

11:16:09.485753 IP 192.168.1.1.1991 > 10.7.7.7.21: S 464571332:464571332(0) win 65535 <[|tcp]>
11:16:09.628692 IP 10.7.7.7.21 > 192.168.1.1.1991: S 149619096:149619096(0) ack 464571333 win 32768 <[|tcp]>
11:16:09.661927 IP 192.168.1.1.1991 > 10.7.7.7.21: . ack 1 win 65535
11:16:12.683967 IP 10.7.7.7.21 > 192.168.1.1.1991: S 149619096:149619096(0) ack 464571333 win 32768 <[|tcp]>
11:16:12.716112 IP 192.168.1.1.1991 > 10.7.7.7.21: . ack 1 win 65535
11:16:12.859472 IP 10.7.7.7.21 > 192.168.1.1.1991: P 1:93(92) ack 1 win 32768
11:16:13.069443 IP 192.168.1.1.1991 > 10.7.7.7.21: . ack 93 win 65443
11:16:26.011503 IP 192.168.1.1.1991 > 10.7.7.7.21: P 1:14(13) ack 93 win 65443
11:16:26.165097 IP 10.7.7.7.21 > 192.168.1.1.1991: P 93:128(35) ack 14 win 32768
11:16:26.346798 IP 192.168.1.1.1991 > 10.7.7.7.21: . ack 128 win 65408
11:16:29.280893 IP 192.168.1.1.1991 > 10.7.7.7.21: P 14:27(13) ack 128 win 65408
11:16:29.416894 IP 10.7.7.7.21 > 192.168.1.1.1991: P 128:156(28) ack 27 win 32768
11:16:29.565178 IP 192.168.1.1.1991 > 10.7.7.7.21: . ack 156 win 65380
11:16:43.233442 IP 192.168.1.1.1991 > 10.7.7.7.21: P 27:50(23) ack 156 win 65380
11:16:43.390690 IP 10.7.7.7.21 > 192.168.1.1.1991: P 156:185(29) ack 50 win 32768
11:16:43.546724 IP 192.168.1.1.1991 > 10.7.7.7.21: . ack 185 win 65351
11:16:57.582665 IP 192.168.1.1.1991 > 10.7.7.7.21: P 50:77(27) ack 185 win 65351
11:16:57.719220 IP 10.7.7.7.21 > 192.168.1.1.1991: P 185:215(30) ack 77 win 32768
11:16:57.756986 IP 192.168.1.1.1991 > 10.7.7.7.21: P 77:92(15) ack 215 win 65321
11:16:57.895635 IP 10.7.7.7.2140 > 192.168.1.1.2012: S 160573636:160573636(0) win 32768 <[|tcp]>
11:16:57.928308 IP 192.168.1.1.2012 > 10.7.7.7.2140: S 3414710892:3414710892(0) ack 160573637 win 16384 <[|tcp]>
11:16:57.962020 IP 10.7.7.7.21 > 192.168.1.1.1991: . ack 92 win 32768
11:16:58.064667 IP 10.7.7.7.21 > 192.168.1.1.1991: P 215:284(69) ack 92 win 32768
11:16:58.092895 IP 10.7.7.7.2140 > 192.168.1.1.2012: . ack 1 win 32768
11:16:58.150208 IP 192.168.1.1.2012 > 10.7.7.7.2140: P 1:149(148) ack 1 win 65535
11:16:58.156372 IP 192.168.1.1.2012 > 10.7.7.7.2140: F 149:149(0) ack 1 win 65535
11:16:58.231838 IP 192.168.1.1.1991 > 10.7.7.7.21: . ack 284 win 65252
11:16:58.291939 IP 10.7.7.7.2140 > 192.168.1.1.2012: . ack 150 win 32768
11:16:58.397965 IP 10.7.7.7.2140 > 192.168.1.1.2012: F 1:1(0) ack 150 win 0
11:16:58.397978 IP 10.7.7.7.21 > 192.168.1.1.1991: P 284:314(30) ack 92 win 32768
11:16:58.428807 IP 192.168.1.1.2012 > 10.7.7.7.2140: . ack 2 win 65535
11:16:58.634216 IP 192.168.1.1.1991 > 10.7.7.7.21: . ack 314 win 65222
11:17:06.606138 IP 192.168.1.1.1991 > 10.7.7.7.21: P 92:119(27) ack 314 win 65222
11:17:06.811847 IP 10.7.7.7.21 > 192.168.1.1.1991: . ack 119 win 32768
11:17:08.652454 IP 10.7.7.7.21 > 192.168.1.1.1991: P 314:344(30) ack 119 win 32768
11:17:08.689679 IP 192.168.1.1.1991 > 10.7.7.7.21: P 119:128(9) ack 344 win 65192
11:17:08.827305 IP 10.7.7.7.2140 > 192.168.1.1.2013: S 163212829:163212829(0) win 32768 <[|tcp]>
11:17:08.860244 IP 192.168.1.1.2013 > 10.7.7.7.2140: S 1688615800:1688615800(0) ack 163212830 win 16384 <[|tcp]>
11:17:08.901374 IP 10.7.7.7.21 > 192.168.1.1.1991: . ack 128 win 32768
11:17:08.996273 IP 10.7.7.7.21 > 192.168.1.1.1991: P 344:407(63) ack 128 win 32768
11:17:08.996286 IP 10.7.7.7.2140 > 192.168.1.1.2013: F 1:1(0) ack 1 win 32768
11:17:09.041318 IP 192.168.1.1.2013 > 10.7.7.7.2140: . ack 2 win 65535
11:17:09.047302 IP 192.168.1.1.2013 > 10.7.7.7.2140: F 1:1(0) ack 2 win 65535
11:17:09.182980 IP 10.7.7.7.2140 > 192.168.1.1.2013: . ack 2 win 32768
11:17:09.195470 IP 192.168.1.1.1991 > 10.7.7.7.21: . ack 407 win 65129
11:17:09.331927 IP 10.7.7.7.21 > 192.168.1.1.1991: P 407:437(30) ack 128 win 32768
11:17:09.497223 IP 192.168.1.1.1991 > 10.7.7.7.21: . ack 437 win 65099
11:17:12.877955 IP 192.168.1.1.1991 > 10.7.7.7.21: P 128:155(27) ack 437 win 65099
11:17:13.015093 IP 10.7.7.7.21 > 192.168.1.1.1991: P 437:467(30) ack 155 win 32768
11:17:13.051622 IP 192.168.1.1.1991 > 10.7.7.7.21: P 155:161(6) ack 467 win 65069
11:17:13.189989 IP 10.7.7.7.2140 > 192.168.1.1.2016: S 164356598:164356598(0) win 32768 <[|tcp]>
11:17:13.223199 IP 192.168.1.1.2016 > 10.7.7.7.2140: S 3581888383:3581888383(0) ack 164356599 win 16384 <[|tcp]>
11:17:13.264221 IP 10.7.7.7.21 > 192.168.1.1.1991: . ack 161 win 32768
11:17:13.359475 IP 10.7.7.7.21 > 192.168.1.1.1991: P 467:535(68) ack 161 win 32768
11:17:13.359490 IP 10.7.7.7.2140 > 192.168.1.1.2016: P 1:15(14) ack 1 win 32768
11:17:13.359501 IP 10.7.7.7.2140 > 192.168.1.1.2016: F 15:15(0) ack 1 win 32768
11:17:13.413117 IP 192.168.1.1.2016 > 10.7.7.7.2140: . ack 16 win 65521
11:17:13.419273 IP 192.168.1.1.2016 > 10.7.7.7.2140: F 1:1(0) ack 16 win 65521
11:17:13.520637 IP 192.168.1.1.1991 > 10.7.7.7.21: . ack 535 win 65001
11:17:13.557221 IP 10.7.7.7.2140 > 192.168.1.1.2016: . ack 2 win 32768
11:17:13.656760 IP 10.7.7.7.21 > 192.168.1.1.1991: P 535:565(30) ack 161 win 32768
11:17:13.822464 IP 192.168.1.1.1991 > 10.7.7.7.21: . ack 565 win 64971
11:21:35.344351 IP 192.168.1.1.1991 > 10.7.7.7.21: P 161:167(6) ack 565 win 64971
11:21:35.481472 IP 10.7.7.7.21 > 192.168.1.1.1991: P 565:579(14) ack 167 win 32768
11:21:35.481486 IP 10.7.7.7.21 > 192.168.1.1.1991: F 579:579(0) ack 167 win 32768
11:21:35.516585 IP 192.168.1.1.1991 > 10.7.7.7.21: F 167:167(0) ack 579 win 64957
11:21:35.522894 IP 192.168.1.1.1991 > 10.7.7.7.21: . ack 580 win 64957
11:21:35.655537 IP 10.7.7.7.21 > 192.168.1.1.1991: . ack 168 win 32768

Result on internal interface (after port forwarding): <= This is active ftp with a static port (2140) for ftp-data

11:16:09.485805 IP 192.168.1.1.1991 > 10.7.7.7.2141: S 464571332:464571332(0) win 65535 <[|tcp]>
11:16:09.628645 IP 10.7.7.7.2141 > 192.168.1.1.1991: S 149619096:149619096(0) ack 464571333 win 32768 <[|tcp]>
11:16:09.662115 IP 192.168.1.1.1991 > 10.7.7.7.2141: . ack 1 win 65535
11:16:12.683934 IP 10.7.7.7.2141 > 192.168.1.1.1991: S 149619096:149619096(0) ack 464571333 win 32768 <[|tcp]>
11:16:12.716144 IP 192.168.1.1.1991 > 10.7.7.7.2141: . ack 1 win 65535
11:16:12.859436 IP 10.7.7.7.2141 > 192.168.1.1.1991: P 1:93(92) ack 1 win 32768
11:16:13.069482 IP 192.168.1.1.1991 > 10.7.7.7.2141: . ack 93 win 65443
11:16:26.024666 IP 192.168.1.1.1991 > 10.7.7.7.2141: P 1:14(13) ack 93 win 65443
11:16:26.164891 IP 10.7.7.7.2141 > 192.168.1.1.1991: P 93:128(35) ack 14 win 32768
11:16:26.346830 IP 192.168.1.1.1991 > 10.7.7.7.2141: . ack 128 win 65408
11:16:29.280929 IP 192.168.1.1.1991 > 10.7.7.7.2141: P 14:27(13) ack 128 win 65408
11:16:29.416857 IP 10.7.7.7.2141 > 192.168.1.1.1991: P 128:156(28) ack 27 win 32768
11:16:29.565215 IP 192.168.1.1.1991 > 10.7.7.7.2141: . ack 156 win 65380
11:16:43.233476 IP 192.168.1.1.1991 > 10.7.7.7.2141: P 27:50(23) ack 156 win 65380
11:16:43.390653 IP 10.7.7.7.2141 > 192.168.1.1.1991: P 156:185(29) ack 50 win 32768
11:16:43.546756 IP 192.168.1.1.1991 > 10.7.7.7.2141: . ack 185 win 65351
11:16:57.583448 IP 192.168.1.1.1991 > 10.7.7.7.2141: P 50:77(27) ack 185 win 65351
11:16:57.719182 IP 10.7.7.7.2141 > 192.168.1.1.1991: P 185:215(30) ack 77 win 32768
11:16:57.757020 IP 192.168.1.1.1991 > 10.7.7.7.2141: P 77:92(15) ack 215 win 65321
11:16:57.895590 IP 10.7.7.7.2140 > 192.168.1.1.2012: S 160573636:160573636(0) win 32768 <[|tcp]>
11:16:57.928340 IP 192.168.1.1.2012 > 10.7.7.7.2140: S 3414710892:3414710892(0) ack 160573637 win 16384 <[|tcp]>
11:16:57.961964 IP 10.7.7.7.2141 > 192.168.1.1.1991: . ack 92 win 32768
11:16:58.064628 IP 10.7.7.7.2141 > 192.168.1.1.1991: P 215:284(69) ack 92 win 32768
11:16:58.092858 IP 10.7.7.7.2140 > 192.168.1.1.2012: . ack 1 win 32768
11:16:58.150239 IP 192.168.1.1.2012 > 10.7.7.7.2140: P 1:149(148) ack 1 win 65535
11:16:58.156402 IP 192.168.1.1.2012 > 10.7.7.7.2140: F 149:149(0) ack 1 win 65535
11:16:58.231934 IP 192.168.1.1.1991 > 10.7.7.7.2141: . ack 284 win 65252
11:16:58.291906 IP 10.7.7.7.2140 > 192.168.1.1.2012: . ack 150 win 32768
11:16:58.397685 IP 10.7.7.7.2140 > 192.168.1.1.2012: F 1:1(0) ack 150 win 0
11:16:58.397928 IP 10.7.7.7.2141 > 192.168.1.1.1991: P 284:314(30) ack 92 win 32768
11:16:58.428838 IP 192.168.1.1.2012 > 10.7.7.7.2140: . ack 2 win 65535
11:16:58.634248 IP 192.168.1.1.1991 > 10.7.7.7.2141: . ack 314 win 65222
11:17:06.606850 IP 192.168.1.1.1991 > 10.7.7.7.2141: P 92:119(27) ack 314 win 65222
11:17:06.811757 IP 10.7.7.7.2141 > 192.168.1.1.1991: . ack 119 win 32768
11:17:08.652416 IP 10.7.7.7.2141 > 192.168.1.1.1991: P 314:344(30) ack 119 win 32768
11:17:08.689715 IP 192.168.1.1.1991 > 10.7.7.7.2141: P 119:128(9) ack 344 win 65192
11:17:08.827261 IP 10.7.7.7.2140 > 192.168.1.1.2013: S 163212829:163212829(0) win 32768 <[|tcp]>
11:17:08.860277 IP 192.168.1.1.2013 > 10.7.7.7.2140: S 1688615800:1688615800(0) ack 163212830 win 16384 <[|tcp]>
11:17:08.901342 IP 10.7.7.7.2141 > 192.168.1.1.1991: . ack 128 win 32768
11:17:08.996047 IP 10.7.7.7.2141 > 192.168.1.1.1991: P 344:407(63) ack 128 win 32768
11:17:08.996236 IP 10.7.7.7.2140 > 192.168.1.1.2013: F 1:1(0) ack 1 win 32768
11:17:09.041355 IP 192.168.1.1.2013 > 10.7.7.7.2140: . ack 2 win 65535
11:17:09.047334 IP 192.168.1.1.2013 > 10.7.7.7.2140: F 1:1(0) ack 2 win 65535
11:17:09.182945 IP 10.7.7.7.2140 > 192.168.1.1.2013: . ack 2 win 32768
11:17:09.195502 IP 192.168.1.1.1991 > 10.7.7.7.2141: . ack 407 win 65129
11:17:09.331836 IP 10.7.7.7.2141 > 192.168.1.1.1991: P 407:437(30) ack 128 win 32768
11:17:09.497254 IP 192.168.1.1.1991 > 10.7.7.7.2141: . ack 437 win 65099
11:17:12.878987 IP 192.168.1.1.1991 > 10.7.7.7.2141: P 128:155(27) ack 437 win 65099
11:17:13.015047 IP 10.7.7.7.2141 > 192.168.1.1.1991: P 437:467(30) ack 155 win 32768
11:17:13.051714 IP 192.168.1.1.1991 > 10.7.7.7.2141: P 155:161(6) ack 467 win 65069
11:17:13.189945 IP 10.7.7.7.2140 > 192.168.1.1.2016: S 164356598:164356598(0) win 32768 <[|tcp]>
11:17:13.223230 IP 192.168.1.1.2016 > 10.7.7.7.2140: S 3581888383:3581888383(0) ack 164356599 win 16384 <[|tcp]>
11:17:13.264187 IP 10.7.7.7.2141 > 192.168.1.1.1991: . ack 161 win 32768
11:17:13.359051 IP 10.7.7.7.2141 > 192.168.1.1.1991: P 467:535(68) ack 161 win 32768
11:17:13.359267 IP 10.7.7.7.2140 > 192.168.1.1.2016: P 1:15(14) ack 1 win 32768
11:17:13.359440 IP 10.7.7.7.2140 > 192.168.1.1.2016: F 15:15(0) ack 1 win 32768
11:17:13.413696 IP 192.168.1.1.2016 > 10.7.7.7.2140: . ack 16 win 65521
11:17:13.419305 IP 192.168.1.1.2016 > 10.7.7.7.2140: F 1:1(0) ack 16 win 65521
11:17:13.520672 IP 192.168.1.1.1991 > 10.7.7.7.2141: . ack 535 win 65001
11:17:13.557189 IP 10.7.7.7.2140 > 192.168.1.1.2016: . ack 2 win 32768
11:17:13.656725 IP 10.7.7.7.2141 > 192.168.1.1.1991: P 535:565(30) ack 161 win 32768
11:17:13.822496 IP 192.168.1.1.1991 > 10.7.7.7.2141: . ack 565 win 64971
11:21:35.344388 IP 192.168.1.1.1991 > 10.7.7.7.2141: P 161:167(6) ack 565 win 64971
11:21:35.481165 IP 10.7.7.7.2141 > 192.168.1.1.1991: P 565:579(14) ack 167 win 32768
11:21:35.481415 IP 10.7.7.7.2141 > 192.168.1.1.1991: F 579:579(0) ack 167 win 32768
11:21:35.516619 IP 192.168.1.1.1991 > 10.7.7.7.2141: F 167:167(0) ack 579 win 64957
11:21:35.522929 IP 192.168.1.1.1991 > 10.7.7.7.2141: . ack 580 win 64957
11:21:35.655484 IP 10.7.7.7.2141 > 192.168.1.1.1991: . ack 168 win 32768

======================================================================================
TEST 2 with CSS load balancing (using VIP)
======================================================================================

Traffic Flow:

ftp-control traffic flow: ftp client --> port 21 --> firewall --> port 2141 --> CSS VIP --> ftp server (physical node)
ftp-data traffic flow: active ftp sourcing from the CSS's VIP, which uses a random port, to the client
(the physical nodes actually use a static port, but the CSS PATs the traffic to a random port)

Result on external interface (before port forwarding): <= This is active ftp with a random port for ftp-data

12:07:43.631147 IP 192.168.1.1.3553 > 10.7.7.7.21: S 614751319:614751319(0) win 20480 <[|tcp]>
12:07:43.774258 IP 10.7.7.7.21 > 192.168.1.1.3553: S 2258015981:2258015981(0) ack 614751320 win 32768 <[|tcp]>
12:07:43.796071 IP 192.168.1.1.3553 > 10.7.7.7.21: . ack 1 win 20480
12:07:43.935936 IP 10.7.7.7.21 > 192.168.1.1.3553: P 1:93(92) ack 1 win 32768
12:07:43.969804 IP 192.168.1.1.3553 > 10.7.7.7.21: P 1:13(12) ack 93 win 20388
12:07:44.114104 IP 10.7.7.7.21 > 192.168.1.1.3553: P 93:127(34) ack 13 win 32768
12:07:44.140557 IP 192.168.1.1.3553 > 10.7.7.7.21: P 13:25(12) ack 127 win 20354
12:07:44.280229 IP 10.7.7.7.21 > 192.168.1.1.3553: P 127:154(27) ack 25 win 32768
12:07:44.305136 IP 192.168.1.1.3553 > 10.7.7.7.21: P 25:33(8) ack 154 win 20327
12:07:44.468759 IP 10.7.7.7.21 > 192.168.1.1.3553: P 154:174(20) ack 33 win 32768
12:07:44.494816 IP 192.168.1.1.3553 > 10.7.7.7.21: P 33:56(23) ack 174 win 20307
12:07:44.634179 IP 10.7.7.7.21 > 192.168.1.1.3553: P 174:203(29) ack 56 win 32768
12:07:44.663261 IP 192.168.1.1.3553 > 10.7.7.7.21: P 56:84(28) ack 203 win 20278
12:07:44.848852 IP 10.7.7.7.21 > 192.168.1.1.3553: P 203:233(30) ack 84 win 32768
12:07:44.878957 IP 192.168.1.1.3553 > 10.7.7.7.21: P 84:128(44) ack 233 win 20248
12:07:45.033613 IP 10.7.7.7.23973 > 192.168.1.1.3554: S 2258216758:2258216758(0) win 32768 <[|tcp]>
12:07:45.056251 IP 192.168.1.1.3554 > 10.7.7.7.23973: S 1676315600:1676315600(0) ack 2258216759 win 16384 <[|tcp]>
12:07:45.097001 IP 10.7.7.7.21 > 192.168.1.1.3553: . ack 128 win 32768
12:07:45.242049 IP 10.7.7.7.21 > 192.168.1.1.3553: P 233:331(98) ack 128 win 32768
12:07:45.264577 IP 10.7.7.7.23973 > 192.168.1.1.3554: . ack 1 win 32768
12:07:45.398152 IP 192.168.1.1.3554 > 10.7.7.7.23973: P 1:892(891) ack 1 win 65535
12:07:45.403320 IP 192.168.1.1.3554 > 10.7.7.7.23973: F 892:892(0) ack 1 win 65535
12:07:45.409447 IP 192.168.1.1.3553 > 10.7.7.7.21: . ack 331 win 20150
12:07:45.542875 IP 10.7.7.7.23973 > 192.168.1.1.3554: . ack 893 win 32768
12:07:45.827752 IP 10.7.7.7.23973 > 192.168.1.1.3554: F 1:1(0) ack 893 win 0
12:07:45.828872 IP 10.7.7.7.21 > 192.168.1.1.3553: P 331:361(30) ack 128 win 32768
12:07:45.848252 IP 192.168.1.1.3554 > 10.7.7.7.23973: . ack 2 win 65535
12:07:45.888619 IP 192.168.1.1.3553 > 10.7.7.7.21: F 128:128(0) ack 361 win 20120
12:07:46.054383 IP 10.7.7.7.21 > 192.168.1.1.3553: . ack 129 win 32768
12:07:46.054402 IP 10.7.7.7.21 > 192.168.1.1.3553: F 361:361(0) ack 129 win 0
12:07:46.080976 IP 192.168.1.1.3553 > 10.7.7.7.21: . ack 362 win 20120
13:09:46.127293 IP 192.168.1.1.1192 > 10.7.7.7.21: S 2608538905:2608538905(0) win 20480 <[|tcp]>
13:09:46.269775 IP 10.7.7.7.21 > 192.168.1.1.1192: S 2209195568:2209195568(0) ack 2608538906 win 32768 <[|tcp]>
13:09:46.291888 IP 192.168.1.1.1192 > 10.7.7.7.21: . ack 1 win 20480
13:09:46.433937 IP 10.7.7.7.21 > 192.168.1.1.1192: P 1:93(92) ack 1 win 32768
13:09:46.468363 IP 192.168.1.1.1192 > 10.7.7.7.21: P 1:13(12) ack 93 win 20388
13:09:46.608395 IP 10.7.7.7.21 > 192.168.1.1.1192: P 93:127(34) ack 13 win 32768
13:09:46.635004 IP 192.168.1.1.1192 > 10.7.7.7.21: P 13:25(12) ack 127 win 20354
13:09:46.772402 IP 10.7.7.7.21 > 192.168.1.1.1192: P 127:154(27) ack 25 win 32768
13:09:46.798045 IP 192.168.1.1.1192 > 10.7.7.7.21: P 25:33(8) ack 154 win 20327
13:09:46.937687 IP 10.7.7.7.21 > 192.168.1.1.1192: P 154:174(20) ack 33 win 32768
13:09:46.964014 IP 192.168.1.1.1192 > 10.7.7.7.21: P 33:56(23) ack 174 win 20307
13:09:47.104828 IP 10.7.7.7.21 > 192.168.1.1.1192: P 174:203(29) ack 56 win 32768
13:09:47.134407 IP 192.168.1.1.1192 > 10.7.7.7.21: P 56:83(27) ack 203 win 20278
13:09:47.277352 IP 10.7.7.7.21 > 192.168.1.1.1192: P 203:233(30) ack 83 win 32768
13:09:47.307812 IP 192.168.1.1.1192 > 10.7.7.7.21: P 83:127(44) ack 233 win 20248
13:09:47.450312 IP 10.7.7.7.8705 > 192.168.1.1.1193: S 2209789722:2209789722(0) win 32768 <[|tcp]>
13:09:47.473597 IP 192.168.1.1.1193 > 10.7.7.7.8705: S 1031684067:1031684067(0) ack 2209789723 win 16384 <[|tcp]>
13:09:47.511365 IP 10.7.7.7.21 > 192.168.1.1.1192: . ack 127 win 32768
13:09:47.614126 IP 10.7.7.7.21 > 192.168.1.1.1192: P 233:331(98) ack 127 win 32768
13:09:47.627517 IP 10.7.7.7.8705 > 192.168.1.1.1193: . ack 1 win 32768
13:09:47.729484 IP 192.168.1.1.1193 > 10.7.7.7.8705: P 1:594(593) ack 1 win 65535
13:09:47.735014 IP 192.168.1.1.1193 > 10.7.7.7.8705: F 594:594(0) ack 1 win 65535
13:09:47.775711 IP 192.168.1.1.1192 > 10.7.7.7.21: . ack 331 win 20150
13:09:47.877654 IP 10.7.7.7.8705 > 192.168.1.1.1193: . ack 595 win 32768
13:09:48.172457 IP 10.7.7.7.8705 > 192.168.1.1.1193: F 1:1(0) ack 595 win 0
13:09:48.172478 IP 10.7.7.7.21 > 192.168.1.1.1192: P 331:361(30) ack 127 win 32768
13:09:48.193355 IP 192.168.1.1.1193 > 10.7.7.7.8705: . ack 2 win 65535
13:09:48.229079 IP 192.168.1.1.1192 > 10.7.7.7.21: F 127:127(0) ack 361 win 20120
13:09:48.367880 IP 10.7.7.7.21 > 192.168.1.1.1192: . ack 128 win 32768
13:09:48.368989 IP 10.7.7.7.21 > 192.168.1.1.1192: F 361:361(0) ack 128 win 0
13:09:48.394826 IP 192.168.1.1.1192 > 10.7.7.7.21: . ack 362 win 20120

Result on internal interface (after port forwarding): <= This is active ftp with a random port for ftp-data

12:07:43.631276 IP 192.168.1.1.3553 > 10.7.7.7.2141: S 614751319:614751319(0) win 20480 <[|tcp]>
12:07:43.774206 IP 10.7.7.7.2141 > 192.168.1.1.3553: S 2258015981:2258015981(0) ack 614751320 win 32768 <[|tcp]>
12:07:43.796113 IP 192.168.1.1.3553 > 10.7.7.7.2141: . ack 1 win 20480
12:07:43.935892 IP 10.7.7.7.2141 > 192.168.1.1.3553: P 1:93(92) ack 1 win 32768
12:07:43.969849 IP 192.168.1.1.3553 > 10.7.7.7.2141: P 1:13(12) ack 93 win 20388
12:07:44.114061 IP 10.7.7.7.2141 > 192.168.1.1.3553: P 93:127(34) ack 13 win 32768
12:07:44.140655 IP 192.168.1.1.3553 > 10.7.7.7.2141: P 13:25(12) ack 127 win 20354
12:07:44.280187 IP 10.7.7.7.2141 > 192.168.1.1.3553: P 127:154(27) ack 25 win 32768
12:07:44.305180 IP 192.168.1.1.3553 > 10.7.7.7.2141: P 25:33(8) ack 154 win 20327
12:07:44.468713 IP 10.7.7.7.2141 > 192.168.1.1.3553: P 154:174(20) ack 33 win 32768
12:07:44.494861 IP 192.168.1.1.3553 > 10.7.7.7.2141: P 33:56(23) ack 174 win 20307
12:07:44.634133 IP 10.7.7.7.2141 > 192.168.1.1.3553: P 174:203(29) ack 56 win 32768
12:07:44.663974 IP 192.168.1.1.3553 > 10.7.7.7.2141: P 56:84(28) ack 203 win 20278
12:07:44.848810 IP 10.7.7.7.2141 > 192.168.1.1.3553: P 203:233(30) ack 84 win 32768
12:07:44.878998 IP 192.168.1.1.3553 > 10.7.7.7.2141: P 84:128(44) ack 233 win 20248
12:07:45.033562 IP 10.7.7.7.23973 > 192.168.1.1.3554: S 2258216758:2258216758(0) win 32768 <[|tcp]>
12:07:45.056293 IP 192.168.1.1.3554 > 10.7.7.7.23973: S 1676315600:1676315600(0) ack 2258216759 win 16384 <[|tcp]>
12:07:45.096961 IP 10.7.7.7.2141 > 192.168.1.1.3553: . ack 128 win 32768
12:07:45.242006 IP 10.7.7.7.2141 > 192.168.1.1.3553: P 233:331(98) ack 128 win 32768
12:07:45.264538 IP 10.7.7.7.23973 > 192.168.1.1.3554: . ack 1 win 32768
12:07:45.398195 IP 192.168.1.1.3554 > 10.7.7.7.23973: P 1:892(891) ack 1 win 65535
12:07:45.403365 IP 192.168.1.1.3554 > 10.7.7.7.23973: F 892:892(0) ack 1 win 65535
12:07:45.409487 IP 192.168.1.1.3553 > 10.7.7.7.2141: . ack 331 win 20150
12:07:45.542734 IP 10.7.7.7.23973 > 192.168.1.1.3554: . ack 893 win 32768
12:07:45.827711 IP 10.7.7.7.23973 > 192.168.1.1.3554: F 1:1(0) ack 893 win 0
12:07:45.828833 IP 10.7.7.7.2141 > 192.168.1.1.3553: P 331:361(30) ack 128 win 32768
12:07:45.848293 IP 192.168.1.1.3554 > 10.7.7.7.23973: . ack 2 win 65535
12:07:45.888658 IP 192.168.1.1.3553 > 10.7.7.7.2141: F 128:128(0) ack 361 win 20120
12:07:46.054048 IP 10.7.7.7.2141 > 192.168.1.1.3553: . ack 129 win 32768
12:07:46.054289 IP 10.7.7.7.2141 > 192.168.1.1.3553: F 361:361(0) ack 129 win 0
12:07:46.081021 IP 192.168.1.1.3553 > 10.7.7.7.2141: . ack 362 win 20120
13:09:46.127417 IP 192.168.1.1.1192 > 10.7.7.7.2141: S 2608538905:2608538905(0) win 20480 <[|tcp]>
13:09:46.268313 IP 10.7.7.7.2141 > 192.168.1.1.1192: S 2209195568:2209195568(0) ack 2608538906 win 32768 <[|tcp]>
13:09:46.291932 IP 192.168.1.1.1192 > 10.7.7.7.2141: . ack 1 win 20480
13:09:46.433890 IP 10.7.7.7.2141 > 192.168.1.1.1192: P 1:93(92) ack 1 win 32768
13:09:46.468408 IP 192.168.1.1.1192 > 10.7.7.7.2141: P 1:13(12) ack 93 win 20388
13:09:46.608347 IP 10.7.7.7.2141 > 192.168.1.1.1192: P 93:127(34) ack 13 win 32768
13:09:46.635049 IP 192.168.1.1.1192 > 10.7.7.7.2141: P 13:25(12) ack 127 win 20354
13:09:46.772356 IP 10.7.7.7.2141 > 192.168.1.1.1192: P 127:154(27) ack 25 win 32768
13:09:46.798088 IP 192.168.1.1.1192 > 10.7.7.7.2141: P 25:33(8) ack 154 win 20327
13:09:46.937641 IP 10.7.7.7.2141 > 192.168.1.1.1192: P 154:174(20) ack 33 win 32768
13:09:46.964060 IP 192.168.1.1.1192 > 10.7.7.7.2141: P 33:56(23) ack 174 win 20307
13:09:47.104779 IP 10.7.7.7.2141 > 192.168.1.1.1192: P 174:203(29) ack 56 win 32768
13:09:47.135156 IP 192.168.1.1.1192 > 10.7.7.7.2141: P 56:83(27) ack 203 win 20278
13:09:47.277305 IP 10.7.7.7.2141 > 192.168.1.1.1192: P 203:233(30) ack 83 win 32768
13:09:47.307858 IP 192.168.1.1.1192 > 10.7.7.7.2141: P 83:127(44) ack 233 win 20248
13:09:47.450256 IP 10.7.7.7.8705 > 192.168.1.1.1193: S 2209789722:2209789722(0) win 32768 <[|tcp]>
13:09:47.473638 IP 192.168.1.1.1193 > 10.7.7.7.8705: S 1031684067:1031684067(0) ack 2209789723 win 16384 <[|tcp]>
13:09:47.511224 IP 10.7.7.7.2141 > 192.168.1.1.1192: . ack 127 win 32768
13:09:47.614078 IP 10.7.7.7.2141 > 192.168.1.1.1192: P 233:331(98) ack 127 win 32768
13:09:47.627475 IP 10.7.7.7.8705 > 192.168.1.1.1193: . ack 1 win 32768
13:09:47.729527 IP 192.168.1.1.1193 > 10.7.7.7.8705: P 1:594(593) ack 1 win 65535
13:09:47.735055 IP 192.168.1.1.1193 > 10.7.7.7.8705: F 594:594(0) ack 1 win 65535
13:09:47.775759 IP 192.168.1.1.1192 > 10.7.7.7.2141: . ack 331 win 20150
13:09:47.877612 IP 10.7.7.7.8705 > 192.168.1.1.1193: . ack 595 win 32768
13:09:48.172140 IP 10.7.7.7.8705 > 192.168.1.1.1193: F 1:1(0) ack 595 win 0
13:09:48.172409 IP 10.7.7.7.2141 > 192.168.1.1.1192: P 331:361(30) ack 127 win 32768
13:09:48.193397 IP 192.168.1.1.1193 > 10.7.7.7.8705: . ack 2 win 65535
13:09:48.229123 IP 192.168.1.1.1192 > 10.7.7.7.2141: F 127:127(0) ack 361 win 20120
13:09:48.367835 IP 10.7.7.7.2141 > 192.168.1.1.1192: . ack 128 win 32768
13:09:48.368947 IP 10.7.7.7.2141 > 192.168.1.1.1192: F 361:361(0) ack 128 win 0
13:09:48.394869 IP 192.168.1.1.1192 > 10.7.7.7.2141: . ack 362 win 20120

======================================================================================
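
Added example (not part of the original test notes): a small Python parser for the tcpdump text format used above. It finds connection-opening SYNs, pairs the control connection across the two interfaces by initial sequence number to recover the 21 -> 2141 forwarding, and lists the source ports of the server-opened ftp-data connections (2140 in TEST 1, random behind the CSS in TEST 2). The function names are illustrative, the sample lines are copied from the captures above, and the pairing assumes the firewall leaves sequence numbers unchanged, as these traces show.

```python
import re

# Old-style tcpdump text: "<time> IP <src>.<port> > <dst>.<port>: <flags> <rest>"
PKT = re.compile(
    r"(\d\d:\d\d:\d\d\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): (\S+)(.*)"
)

def initial_syns(capture):
    """Yield (src, sport, dst, dport, isn) for each connection-opening SYN.
    A SYN/ACK also prints the flag "S", so packets with an "ack" field are skipped."""
    for line in capture.strip().splitlines():
        m = PKT.match(line.strip())
        if not m:
            continue  # wrapped or non-packet line
        _, src, sport, dst, dport, flags, rest = m.groups()
        if flags == "S" and " ack " not in rest:
            yield src, int(sport), dst, int(dport), int(rest.split(":")[0])

def summarize(capture, server):
    """Return (control, data) dicts keyed by initial sequence number.
    control: port the client's SYN is addressed to on the server address.
    data:    source port of each connection opened from the server address
             (the active-mode ftp-data connections)."""
    control, data = {}, {}
    for src, sport, dst, dport, isn in initial_syns(capture):
        if dst == server:
            control[isn] = dport
        elif src == server:
            data[isn] = sport
    return control, data

def port_forwarding(external, internal, server):
    """Pair control SYNs seen on both interfaces by ISN: {(ext_port, int_port)}."""
    ext, _ = summarize(external, server)
    inn, _ = summarize(internal, server)
    return {(ext[isn], inn[isn]) for isn in ext if isn in inn}

def data_source_ports(capture, server):
    """Sorted distinct source ports of the server-opened data connections."""
    return sorted(set(summarize(capture, server)[1].values()))

SERVER = "10.7.7.7"
# Lines copied from the captures above (SYNs only, not the full traces).
TEST1_EXTERNAL = """
11:16:09.485753 IP 192.168.1.1.1991 > 10.7.7.7.21: S 464571332:464571332(0) win 65535 <[|tcp]>
11:16:09.628692 IP 10.7.7.7.21 > 192.168.1.1.1991: S 149619096:149619096(0) ack 464571333 win 32768 <[|tcp]>
11:16:57.895635 IP 10.7.7.7.2140 > 192.168.1.1.2012: S 160573636:160573636(0) win 32768 <[|tcp]>
11:17:08.827305 IP 10.7.7.7.2140 > 192.168.1.1.2013: S 163212829:163212829(0) win 32768 <[|tcp]>
11:17:13.189989 IP 10.7.7.7.2140 > 192.168.1.1.2016: S 164356598:164356598(0) win 32768 <[|tcp]>
"""
TEST1_INTERNAL = """
11:16:09.485805 IP 192.168.1.1.1991 > 10.7.7.7.2141: S 464571332:464571332(0) win 65535 <[|tcp]>
11:16:57.895590 IP 10.7.7.7.2140 > 192.168.1.1.2012: S 160573636:160573636(0) win 32768 <[|tcp]>
"""
TEST2_EXTERNAL = """
12:07:43.631147 IP 192.168.1.1.3553 > 10.7.7.7.21: S 614751319:614751319(0) win 20480 <[|tcp]>
12:07:45.033613 IP 10.7.7.7.23973 > 192.168.1.1.3554: S 2258216758:2258216758(0) win 32768 <[|tcp]>
13:09:46.127293 IP 192.168.1.1.1192 > 10.7.7.7.21: S 2608538905:2608538905(0) win 20480 <[|tcp]>
13:09:47.450312 IP 10.7.7.7.8705 > 192.168.1.1.1193: S 2209789722:2209789722(0) win 32768 <[|tcp]>
"""

if __name__ == "__main__":
    print("forwarding:", port_forwarding(TEST1_EXTERNAL, TEST1_INTERNAL, SERVER))
    print("test 1 data ports:", data_source_ports(TEST1_EXTERNAL, SERVER))
    print("test 2 data ports:", data_source_ports(TEST2_EXTERNAL, SERVER))
```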