I have this working now, with a couple of small kernel patches and a 
modified ip_masq_ftp module:

On 6 Jan 99, at 15:51, [EMAIL PROTECTED] wrote about
    "Patching ip_masq_ftp to support mas":

| I'd like to patch the ip_masq_ftp module to support passive mode for 
| a masqueraded FTP server.  This doesn't work with the "off the shelf" 
| ipfwadm + ipportfw combination.

That's because the IPPORTFW kernel patch doesn't arrange for masq 
apps to be invoked when appropriate, and the ip_masq_ftp module 
doesn't handle the outside client <-> masqueraded server case.

| The changes to the module itself seem straightforward.  Basically, 
| the code in masq_ftp_in() that handles masqueraded clients also needs 
| to be done in masq_ftp_out() to handle masqueraded servers (except 
| that the client's PASV command will not have been seen).

More accurately, the ftp_masq_out() function needed to check for 
outgoing PASV reply packets as well as PORT commands, and handle them 
the same way.  Presumably, for completeness masq_ftp_in() should also 
process incoming PORT commands the same as PASV replies, but I didn't 
do that.  As best I can figure, masq_ftp_in() is needed only if your 
ipfwadm setup does not normally forward/masq ports 1024+.

| The tricky bit is to get the kernel to call the module at all in the 
| cases of interest.

The IPPORTFW patch to ip_masq.c needed a small change to call 
ip_masq_bind_app() for the masquerade entry it sets up when 
forwarding a port.  Also, I changed ip_masq_bind_app() in 
ip_masq_app.c to enable source-port binding for 
CONFIG_IP_MASQUERADE_IPPORTFW as well as 
CONFIG_IP_MASQUERADE_IPAUTOFW.

That's all it took, and it seems to work fine.  It was important for 
us to have our masqueraded FTP server support passive mode, because 
that's all most web browsers know how to do.  Now our customers can 
use Netscape and Internet Explorer to access our FTP server.

If the maintainer(s) of ip_masq_ftp and/or the IPPORTFW patch would 
be interested in these changes, I'd be glad to send them along.

- Fred Viles <mailto:[EMAIL PROTECTED]>
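
The message above turns on handling outgoing PASV replies from a masqueraded server. As an added user-space illustration (not the poster's patch and not code from ip_masq_ftp), the sketch below rewrites a 227 reply to advertise the gateway's address and port. The function name, the `PASV_NO_MATCH` value, the sample addresses and the assumption that the reply uses the common parenthesized form are all hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PASV_NO_MATCH (-100000) /* not a well-formed 227 reply, or no room */

/* Hypothetical helper, not taken from ip_masq_ftp. Rewrites
 * "227 ... (h1,h2,h3,h4,p1,p2)" to advertise gw_ip:gw_port, reports the
 * server's real address/port (the mapping a gateway would have to record),
 * and returns the payload length change that a NAT must account for. */
int rewrite_pasv_reply(const char *in, char *out, size_t outlen,
                       uint32_t gw_ip, uint16_t gw_port,
                       uint32_t *srv_ip, uint16_t *srv_port)
{
    unsigned v[6];
    int i, n, tail = 0;
    const char *open;

    if (strncmp(in, "227 ", 4) != 0 || (open = strchr(in, '(')) == NULL)
        return PASV_NO_MATCH;
    /* %n is stored only if the closing ')' matched; tail == 0 means truncated */
    if (sscanf(open, "(%u,%u,%u,%u,%u,%u)%n", &v[0], &v[1], &v[2],
               &v[3], &v[4], &v[5], &tail) != 6 || tail == 0)
        return PASV_NO_MATCH;
    for (i = 0; i < 6; i++)
        if (v[i] > 255)              /* every field is a single octet */
            return PASV_NO_MATCH;
    *srv_ip = (v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    *srv_port = (uint16_t)((v[4] << 8) | v[5]);

    n = snprintf(out, outlen, "%.*s(%u,%u,%u,%u,%u,%u)%s",
                 (int)(open - in), in,
                 (unsigned)(gw_ip >> 24), (unsigned)(gw_ip >> 16) & 255u,
                 (unsigned)(gw_ip >> 8) & 255u, (unsigned)gw_ip & 255u,
                 (unsigned)(gw_port >> 8), (unsigned)gw_port & 255u, open + tail);
    if (n < 0 || (size_t)n >= outlen)
        return PASV_NO_MATCH;        /* rewritten reply would not fit */
    return n - (int)strlen(in);
}

int main(void)
{
    /* Constructed sample: server 192.168.1.10:1025 behind gateway 203.0.113.5 */
    char out[128]; uint32_t ip; uint16_t port;
    int d = rewrite_pasv_reply("227 Entering Passive Mode (192,168,1,10,4,1)\r\n",
                               out, sizeof out, 0xCB007105u, 40000, &ip, &port);
    printf("delta=%d %s", d, out);
    return 0;
}
```

The returned length change matters because the rewritten reply is rarely the same size as the original, so later sequence and acknowledgement numbers on the control connection have to be shifted by that amount.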

