ftpd problem (since 2.9!)
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: ftpd problem (since 2.9!)
- From: Kremlyn Vostok <kremlyn_(_at_)_mbox_(_dot_)_com_(_dot_)_au>
- Date: Mon, 17 Mar 2003 13:05:33 +1100
This one's been giving me problems for some time now.
At home, I have two subnets - a DMZ and a LAN. Both of them are
RFC1918 networks, behind a firewall with three interfaces.. one for
LAN, one for DMZ and one for Internet.
When I run ftpd on the firewall, machines from both subnets are able to
access the daemon and use ftp. When I run ftpd on a box in either the
LAN or DMZ, only boxen on the same subnet as the service are able to
access it. In other words, I've never been able to access ftpd from
the LAN to the DMZ (or vice versa).
To answer what you are all thinking:
1) I've tried both active and passive ftp, with no change in behaviour.
2) Routing is all set up properly, all other services on boxes (such as
samba, apache, postfix, djbdns) are all working fine across subnets.
3) All machines in question are running OpenBSD 3.2 patch branch, with
no exceptions - so it isn't a crap client ;-)
I've run tcpdump on all boxes, and have eliminated the possibility of
network issues - it is not the network (or routing) as all necessary
sequences are taking place.
I enabled logging through syslogd, which gives no further clues. The
ftp session from the non-directly-connected subnet kinda just hangs..
with no output to the logfile. Then, when I kill the hung session, I
get:
Mar 18 00:13:15 web ftpd[2319]: <--- 220 web.dmz.cccp FTP server (Version 6.5/OpenBSD) ready.
Mar 18 00:13:15 web ftpd[2319]: <--- 221 You could at least say goodbye.
It's all very mysterious and I've read the ftpd man page several times
to no avail.. any help would be greatly appreciated :-)
//kremlyn