Re: [masq] Strange problem with FTP (ip_masq_ftp).

Cristiano Lincoln Mattos Wed, 30 Dec 1998 09:28:08 -0500
        
        Yes, one of them accepts anonymous ftp at 200.249.243.1.
I managed to figure out another thing.. these sites are all
sitting behind Checkpoint's Firewall-1.. on a temporary ftp
site setup on the same ISP, but not behind the firewall, everything
works.
        Checking the Firewall-1 logs show nothing strange.. it's
accepting FTP normally, and it already allows port 20 through.
Here is something that might help, a tcpdump output.  200.249.243.232
is the FTP server (linux,proftpd), and 200.249.193.14 was my dialup
at the time.  I substituted the timestamps by numbers... only monitored
port 20.

        This is a tcpdump on the server (200.249.243.232):
S1 200.249.243.232.20 > 200.249.193.14.61076: S 1705441904:1705441904(0) win 512 <mss 
1460>
S2 200.249.193.14.61076 > 200.249.243.232.20: S 2774894562:2774894562(0) ack 
1705441905 win 32736 <mss 1460>
S3 200.249.243.232.20 > 200.249.193.14.61076: . ack 1 win 32120 (DF)
S4 200.249.243.232.20 > 200.249.193.14.61076: P 1:8(7) ack 1 win 32120 (DF) [tos 0x8]
S5 200.249.243.232.20 > 200.249.193.14.61076: P 8:1468(1460) ack 1 win 32120 (DF) [tos 
0x8]
S6 200.249.193.14.61076 > 200.249.243.232.20: . ack 8 win 32736 (DF) [tos 0x8]
S7 200.249.243.232.20 > 200.249.193.14.61076: P 1468:2139(671) ack 1 win 32120 (DF) 
[tos 0x8]
S8 200.249.243.232.20 > 200.249.193.14.61076: F 2139:2139(0) ack 1 win 32120 [tos 0x8]
S9 200.249.193.14.61076 > 200.249.243.232.20: . ack 8 win 32736 (DF) [tos 0x8]
S10 200.249.243.232.20 > 200.249.193.14.61076: P 8:1468(1460) ack 1 win 32120 (DF) 
[tos 0x8]
S11 200.249.193.14.61076 > 200.249.243.232.20: . ack 8 win 32736 (DF) [tos 0x8]
S12 200.249.243.232.20 > 200.249.193.14.61076: P 8:1468(1460) ack 1 win 32120 (DF) 
[tos 0x8]
S13 200.249.243.232.20 > 200.249.193.14.61076: P 8:1468(1460) ack 1 win 32120 (DF) 
[tos 0x8]
S14 200.249.243.232.20 > 200.249.193.14.61066: P 1616882290:1616883750(1460) ack 
2917780359 win 32120 (DF)

        This is a tcpdump on ppp0 of the client masquerading server,
dialup (200.249.193.14):
C1 200.249.243.232.20 > 10.0.0.3.1252: S 1705441904:1705441904(0) win 512 <mss 1460>
C2 200.249.193.14.61076 > 200.249.243.232.20: S 2774894562:2774894562(0) ack 
1705441905 win 32736 <mss 1460>
C3 200.249.243.232.20 > 10.0.0.3.1252: . ack 2774894563 win 0 (DF)
C4 200.249.243.232.20 > 10.0.0.3.1252: . ack 1 win 32120 (DF)
C5 200.249.243.232.20 > 10.0.0.3.1252: P 0:7(7) ack 1 win 32120 (DF) [tos 0x8]
C6 200.249.193.14.61076 > 200.249.243.232.20: . ack 8 win 32736 (DF) [tos 0x8]
C7 200.249.243.232.20 > 10.0.0.3.1252: F 2138:2138(0) ack 1 win 32120 [tos 0x8]
C8 200.249.193.14.61076 > 200.249.243.232.20: . ack 8 win 32736 (DF) [tos 0x8]
C9 200.249.193.14.61076 > 200.249.243.232.20: . ack 8 win 32736 (DF) [tos 0x8]      

        So, my interpretation of these: apparently, it's masquerading
correctly, since the server only see's the dialup IP.  They establish
a connection successfully (S1-S3,C1-C3).  Then the server send's 7 bytes
of data (S4) (sniffing showed it to bye 'total 0', of the dir listing),
which the client receives and ack's (C5,C6).  Here starts the problem...
the server sends more 1460 bytes (S5), then receives the client's ack to
the 7 bytes (S6), and proceed's to send a few more bytes (S7), then
announce's he will stop sending (FIN, of S8).  Meanwhile, the client
does not see the data he sent after the first 7 bytes.. and keep's
sending the ack to those 7 bytes he got (S9,S11,C8,C9).. he receive's
the FIN though (C7).  The server, realizing he hasn't acknowledged
most of the data he sent, sends it again, with a PUSH flag 
(S10,S12,S13,S14)... which the client never receives.. then the 
connection just freezes.

        Testing with tcpdump on another server behind Firewall-1
as well, the result's were the same.. just instead of the first
7 bytes, the server sends aroung 20.. but the bottomline is, the
client does not receive the data after the first packet...

        Is this a bug, or what? :)

Cristiano Lincoln Mattos                        Recife / PE / Brazil

On Tue, 29 Dec 1998, David A. Ranch wrote:

> 
> >     Yes, it does.  All apparently correct... except it 
> >doesn't work.
> 
> If any of these sites support anonymous FTP?  If so, I can 
> see if they break on me too.
> 
> --David
> .----------------------------------------------------------------------------.
> |  David A. Ranch - Linux/Networking/PC hardware         [EMAIL PROTECTED]  |
> !----                                                                    ----!
> `----- For more detailed info, see http://www.ecst.csuchico.edu/~dranch -----'
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
For daily digest info, email [EMAIL PROTECTED]
Re: [masq] Strange problem with FTP (ip_masq_ftp).

Reply via email to
