running FTP server on a LAN for folks outside of the LAN
 

I need to run an FTP server here on one of a few machines on a LAN (which is behind a router, possibly running a firewall), but I want my friend on the other side of the Internet to be able to access that ftp service.

It happens to be a Mac OS X machine that I'm going to run the ftp server on, but my question is general: From my machine on the lan, I know only my local IP address (something like 192.168.0.3). Once I've started up the ftp service, what IP address do I give my friend so he can access that service?

You will have to setup port forwarding on the router. That will be something like: If someone asks for FTP redirect him to abc.def.ghi.jkl ( replace it with your your IP address). Then you will give your friend the IP address assigned to your router, that router will have two IP addresses, one on the Internal network and one on the external (Internet, the one that you will give to your friend). If a Linux machine is serving as a router than you can use iptables to setup DNAT (Destination Network Address Translation) to achieve the same functionality as explained above.

Thanks n3tw0rk. :) I'm actually using an off-the-shelf "hardware
router" (what's the name for those? "dedicated router"?
"shrinkwrapped router"?)

I can log into the webserver running on my router (http://192.168.10.1),
and go to a config screen that labeled "forwarding" -- I think that's what
I'm looking for.

It's got a window that lets me choose some details regarding
TCP/IP port forwarding:
I'm supposed to fill in those blanks and commit them for each
port range. Can you tell me:

1. What port range am I supposed to use, and
2. What that 2nd set of "Start" and "End" fields supposed to mean?
Looks like it's just duplicating what's in the first 2 fields.

For IP address, I'm just going to put in my 192.168.x.x for
the local computer running the ftp server.

FTP usually runs on port 21, confirm first that it is ( or maybe that its just working, I dunno, im paranoid) with an nmap scan of yourself, and then open port 21 on the router.

When it says range, its merely asking if you want to open more than one. Just put 21 for start and end. The IP to forward too should be the internal address of your server, unless your just going to forward to all of them (some routers have that option).

In addition, if you want your friend to be able to use passive FTP (which will likely be necessary if he is behind a NAT router) you will need to forward the passive FTP ports through your router. You can choose the passive ports with the PassivePorts directive in proftpd.conf for proftpd (not sure what FTP daemon you plan to use but others have similar mechanisms). This page has a little write-up explaining it.