Adrian Mak
2004-Nov-20 10:47 UTC
how do I forward a range of ports to a machine behind shorewall
I read faq(1c), which shows how to forward one port to another port, like:

#ACTION SOURCE DEST PROTO DEST PORT
DNAT net loc:192.168.1.3:22 tcp 1022

How about if I want to forward a range of ports to a machine? My scenario is that there is an FTP server behind the firewall and I publish 8021 to the public, but FTP is actually running on port 21, so I added this rule:

DNAT net loc:192.168.1.3:21 tcp 8021

However, with this rule the client has to connect in PORT mode, but that is a security risk, so I've to open and forward a range of ports, say 5000 - 5500, for PASV.

How do I do it? Is it possible?
Tom Eastep
2004-Nov-20 15:33 UTC
Re: how do I forward a range of ports to a machine behind shorewall
On Sat, 2004-11-20 at 18:47 +0800, Adrian Mak wrote:
> I read faq(1c) which can forward one port to another port
> like
> #ACTION SOURCE DEST PROTO DEST PORT
> DNAT net loc:192.168.1.3:22 tcp 1022
>
> how about if I want to forward a range of port to a mchine ? my
> scenairo is there is a ftp server behind firewall and I use publish
> 8021 to public but the ftp is actually running port 21, so I added
> this rule
> DNAT net loc:192.168.1.3:21 tcp 8021
>
> however in this rule, the client should connect in port mode but it is
> a security risk so I ve to open and forward a range of port say 5000 -
> 5500 for PASV
>
> how to do it ? possible ?

If you have the ftp connection tracking and nat helper modules loaded and configured, you shouldn't have to do anything. See http://shorewall.net.FTP.html.

But if you want to take the less secure way:

DNAT net loc:192.168.1.3 tcp 5000:5500

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
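The decision in Tom's reply, as an added shell example that is not part of the thread or of Shorewall itself: check whether an FTP conntrack helper is loaded, and only emit the wide passive-range DNAT when it is not. The server address 192.168.1.3, public port 8021 and range 5000:5500 come from the thread; the module names and the sample module lists are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): size the FTP exposure behind Shorewall.
# With the FTP conntrack/NAT helper present, only the control port needs a
# DNAT; without it, the whole passive range has to be forwarded.

# Return 0 if an FTP conntrack helper appears in a module list (the text of
# /proc/modules or lsmod). Both the 2.4-era and current names are checked.
ftp_helper_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(ip_conntrack_ftp|nf_conntrack_ftp)[[:space:]]'
}

# Print /etc/shorewall/rules lines for an FTP server at $1 whose control port
# (21) is published on public port $2. $3 is "yes" when the helper is loaded;
# $4 is the passive range (low:high), DNATed only when the helper is absent.
# Assumption: when the public port is not 21, the helper must also be told
# about it (e.g. loading nf_conntrack_ftp with ports=21,8021), as the
# Shorewall FTP document Tom links describes.
shorewall_ftp_rules() {
    server=$1; pubport=$2; helper=$3; pasv=$4
    printf '#ACTION\tSOURCE\tDEST\tPROTO\tDEST PORT\n'
    printf 'DNAT\tnet\tloc:%s:21\ttcp\t%s\n' "$server" "$pubport"
    if [ "$helper" != yes ]; then
        # The "less secure way" from the reply: expose the full passive range.
        printf 'DNAT\tnet\tloc:%s\ttcp\t%s\n' "$server" "$pasv"
    fi
}

# Count the DNAT rules in a rule set (to compare the two outcomes).
count_dnat() {
    printf '%s\n' "$1" | grep -c '^DNAT'
}

# Constructed sample module lists in /proc/modules format.
MODS_WITH_HELPER='nf_conntrack_ftp 24576 1 nf_nat_ftp, Live 0x0000000000000000
nf_conntrack 163840 5 nf_nat_ftp,nf_conntrack_ftp, Live 0x0000000000000000'
MODS_WITHOUT_HELPER='nf_conntrack 163840 1 nf_nat, Live 0x0000000000000000'

# On a real firewall: ftp_helper_loaded "$(cat /proc/modules)"
if ftp_helper_loaded "$MODS_WITH_HELPER"; then helper=yes; else helper=no; fi
shorewall_ftp_rules 192.168.1.3 8021 "$helper" 5000:5500
```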