On 22 Feb 99, at 16:30, Fuzzy Fox wrote about
"[Masq] Re: Masquerade access to se":
|
| Markus Hansmair <[EMAIL PROTECTED]> wrote:
| >
| > [PORT-ftp will work, PASV-ftp won't]
| >
| > Am I right?
|
| You are right. I didn't notice an ftp server in my initial response.
|
| Note that there is code in the ip_masq_ftp module which appears to be
| trying to modify any PASV-reply from a masqueraded ftp server, but other
| traffic on this list has pointed out that it does not seem to work at
| all.
There's no code in ip_masq_ftp.c that *modifies* PASV replies. All it
does with them is set up a masquerade entry for the data connection
with a "keepalive" link to the control connection.
The IPPORTFW patch does not bind masq modules for the ports it is
forwarding. Also the kernel does not check for a bound module based
on the source port (unless IPAUTOFW is enabled). So the ip_masq_ftp
module doesn't get called at all in the masqueraded server case.
Fixing this takes a couple of very small kernel changes.
The ip_masq_ftp module is direction sensitive. It only looks for
PASV replies in *incoming* packets, and PORT commands in *outgoing*
packets. So when it's the server that is masqueraded and the client
that is external, neither packet type is ever seen because they are
going in the other direction. Fixing this takes a pretty
significant re-write of ip_masq_ftp.c. It needs to be orthogonal:
checking for both PORT commands and PASV replies in all packets,
rewriting both types in outgoing traffic and setting up the keep-alive
entry for both types in incoming traffic.
- Fred Viles <mailto:[EMAIL PROTECTED]>
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
http://tiffany.indyramp.com/mailman/listinfo/masq
Admin requests can be handled by web (above) or [EMAIL PROTECTED]
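As an added illustration of the "orthogonal" helper Fred describes (this is not code from the original post and not the kernel's ip_masq_ftp.c), the following user-space C model looks for both PORT commands and PASV replies in every control-channel packet regardless of direction. In the outgoing direction it allocates a port on the firewall, records the mapping and rewrites the embedded address; in the incoming direction it only records the peer's advertised endpoint as the keep-alive entry for the coming data connection. The table layout, the function names, the 61000+ masquerade port range, the public address 203.0.113.1 and the sample payloads are all assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added model of a direction-agnostic FTP masquerade helper; not ip_masq_ftp.c.
 * Addresses and ports are kept in host byte order for readability. */
struct endpoint { uint32_t addr; uint16_t port; };

struct masq_entry {
    struct endpoint masq;   /* firewall public addr:port handed out (outgoing case) */
    struct endpoint real;   /* private addr:port the masqueraded host advertised */
    struct endpoint peer;   /* external addr:port the peer advertised (incoming case) */
    int inbound;            /* 1: peer will connect to masq; 0: real host will connect to peer */
};

struct masq_table { struct masq_entry e[8]; int n; uint16_t next_port; };

enum ftp_kind { FTP_NONE = 0, FTP_PORT, FTP_PASV };

static void masq_table_init(struct masq_table *t, uint16_t first_port)
{
    memset(t, 0, sizeof *t);
    t->next_port = first_port;          /* assumed port range; the kernel picks its own */
}

/* Parse "h1,h2,h3,h4,p1,p2"; return chars consumed, 0 if malformed or out of range. */
static int parse_hostport(const char *s, struct endpoint *ep)
{
    unsigned v[6]; int n = 0, i;
    if (sscanf(s, "%u,%u,%u,%u,%u,%u%n", &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &n) != 6)
        return 0;
    for (i = 0; i < 6; i++) if (v[i] > 255) return 0;
    ep->addr = (v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    ep->port = (uint16_t)((v[4] << 8) | v[5]);
    return n;
}

static void fmt_hostport(char *buf, size_t sz, const struct endpoint *ep)
{
    snprintf(buf, sz, "%u,%u,%u,%u,%u,%u",
             (unsigned)(ep->addr >> 24) & 255u, (unsigned)(ep->addr >> 16) & 255u,
             (unsigned)(ep->addr >> 8) & 255u, (unsigned)ep->addr & 255u,
             (unsigned)(ep->port >> 8), (unsigned)(ep->port & 255));
}

/* Find a PORT command or a 227 (PASV) reply in a payload, whichever direction it
 * travels.  Commands are matched case-sensitively here for brevity.  On success
 * *off/*len bracket the "h1,...,p2" text and *ep holds the parsed endpoint. */
static enum ftp_kind ftp_find(const char *p, int *off, int *len, struct endpoint *ep)
{
    enum ftp_kind kind; const char *s;
    if (strncmp(p, "PORT ", 5) == 0)     { kind = FTP_PORT; s = p + 5; }
    else if (strncmp(p, "227 ", 4) == 0) { kind = FTP_PASV; s = p + 4; }
    else return FTP_NONE;
    /* The 227 text before the tuple is free-form, so skip to the first digit
       rather than relying on the "(" most servers emit. */
    while (*s && (*s < '0' || *s > '9')) s++;
    *len = parse_hostport(s, ep);
    if (*len == 0) return FTP_NONE;
    *off = (int)(s - p);
    return kind;
}

/* Process one control-channel packet.  outgoing=1: sent by the masqueraded host;
 * outgoing=0: sent by the external peer.  out always receives the payload to
 * forward (rewritten only for outgoing PORT/PASV).  Returns what was found. */
static enum ftp_kind ftp_masq(struct masq_table *t, int outgoing, uint32_t ext_addr,
                              const char *in, char *out, size_t outsz)
{
    struct endpoint ep; struct masq_entry *e; int off, len;
    enum ftp_kind kind = ftp_find(in, &off, &len, &ep);

    snprintf(out, outsz, "%s", in);                    /* default: pass through */
    if (kind == FTP_NONE || t->n >= (int)(sizeof t->e / sizeof t->e[0]))
        return FTP_NONE;
    e = &t->e[t->n++];
    memset(e, 0, sizeof *e);
    if (outgoing) {
        /* Private address leaving the masqueraded network: hand out a firewall
           port, remember the mapping and rewrite the text the peer will see. */
        char tuple[32];
        e->inbound = 1;
        e->real = ep;
        e->masq.addr = ext_addr;
        e->masq.port = t->next_port++;
        fmt_hostport(tuple, sizeof tuple, &e->masq);
        snprintf(out, outsz, "%.*s%s%s", off, in, tuple, in + off + len);
    } else {
        /* Peer advertised where it listens: record it as the keep-alive entry so the
           masqueraded host's data connection is tied to this control connection.
           Nothing in the text needs rewriting. */
        e->peer = ep;
    }
    return kind;
}

int main(void)
{
    struct masq_table t; char out[128];
    masq_table_init(&t, 61000);
    ftp_masq(&t, 1, 0xCB007101u, "227 Entering Passive Mode (192,168,1,20,19,137)\r\n", out, sizeof out);
    printf("%s", out);   /* 227 Entering Passive Mode (203,0,113,1,238,73) */
    return 0;
}
```

The model deliberately ignores what makes the real kernel change non-trivial: rewriting the tuple changes the TCP payload length, so a helper in the masquerading path must also adjust sequence and acknowledgement numbers on that control connection for the rest of its life, and it has to be invoked at all for a port-forwarded server, which, as the message notes, the IPPORTFW code of the day did not arrange.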