Passive FTP ipfw issue

Tue Jul 1 12:35:09 PDT 2003

Can someone help me, please, with a passive FTP ipfw issue ?
My configuration is:

        Internet
           |
           |
|---------------------|
|  ADSL Modem/Router  |
|---------------------|
           | 192.168.1.1
           |
           |
           | 192.168.1.4 (xl0)
|--------------------|
| FBSD firewall/ipfw |
|--------------------|
           | 10.0.0.4 (rl0)
           |
           |
|---------------------|
|  Internal LAN/HUB   |
|--^----^----^-----^--|
   |               |
   |               |
   | 10.0.0.6      | 10.0.0.8
|--------|      |-----|
|  FTP   |      |     |     
| client |      |     |
|--------|      |-----|

# Nic card to Internet connection
oif="xl0"
onet="192.168.1.0/24"
oip="192.168.1.4" 

# Nic card to private internal LAN
iif="rl0"
inet="10.0.0.0/24"
iip="10.0.0.4" 

These are my ipfw rules, runnuing 4.7-RELEASE:

fwfbsd# ipfw -d show
00010 7 808 divert 8668 ip from any to any via xl0
00020 0   0 check-state
00025 0   0 deny tcp from any to any in recv xl0 established
00500 7 414 allow log tcp from 10.0.0.0/24 to any 21 keep-state in recv rl0
setup
00510 3 140 allow log tcp from 192.168.1.4 to any 21 keep-state out xmit xl0
setup
00520 0   0 allow log tcp from any to any 10000-65000 keep-state in recv rl0
setup
00530 0   0 allow log tcp from any to any 10000-65000 keep-state out xmit
xl0 setup
65535 0   0 deny ip from any to any
## Dynamic rules:
00500 6 354 (T 295, slot 97) <-> tcp, 10.0.0.6 1034<-> 200.248.254.120 21
00510 2 80 (T 15, slot 99) <-> tcp, 192.168.1.4 1034<-> 200.248.254.120 21

The problem is that the dynamic rule 00510 will expire in 20 seconds
(lifetime control net.inet.ip.fw.dyn_syn_lifetime=20). The connection timer
seems to indicate that it´s
waitintg for a completed 3-way handshake and hasn´t seen the other SYN.

Is there anything wrong with these rules?  What am I missing ?

TIA,

Renato