Martin Josefsson wrote:
> I forwarded your mail and my response to the netfilter-devel list and got
> this response.
>
> /Martin
>
> Never argue with an idiot. They drag you down to their level, then beat you with experience.
>
> ---------- Forwarded message ----------
> Date: Sun, 7 Oct 2001 13:42:41 +0200
> From: Svenning Sørensen <[EMAIL PROTECTED]>
> To: Martin Josefsson <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> Subject: RE: [BUG] ip_nat_ftp fails for some ftp servers (fwd)
>
> > I can confirm that I can't list the contents of ftp://ftp.tu-chemnitz.de/
> > when using active mode and sitting behind a linuxrouter running 2.4.9-ac12
> > with ip_conntrack ftp and ip_nat_ftp loaded.
>
> This is not a netfilter bug.
>
> I just tried it myself:
> Even though the control connection was made to 134.109.132.107, the FTP server
> used 134.109.132.117 as source address for the data connection.
>
> So you can hardly blame netfilter for this.
>
> If you open the control connection to 134.109.132.117, everything works as expected.
>
> Svenning
Hello Svenning,

so the problem is that netfilter creates a "matcher" like this:

    protocol tcp
    source-ip-address <server ip-address>
    source-port any
    destination-ip-address <router ip-address>
    destination-port <router masquerading-port>

is that right?

If so, is it possible to change this too-restrictive behaviour to something like

    protocol tcp
    source-ip-address any
    source-port any
    destination-ip-address <router ip-address>
    destination-port <router masquerading-port>

I know that this may be a security problem, so this should only be optional.

But on the other side, does the ftp server do anything wrong? RFC959.2.3 states:

    The user-DTP or its designate should "listen" on the specified data port,
    and the server initiate the data connection and data transfer in accordance
    with the specified parameters.

The user-DTP (the masqueraded ftp-client) actually does listen on the specified data port. The server does initiate the data connection. Nothing in the RFC says that the server needs to initiate the data connection from the same ip-address the control connection is connected to. Maybe "in accordance with the specified parameters" only means that the properties of the data connection to be opened are only specified by the parameters. All other properties, which are not defined by the parties, must be accepted, and may not be restricted to only a subset of all possible undefined properties.

That's why I think the "offending" ftp server actually does not violate RFC959. Actually, cases where both data-connection-initiator and data-connection-receiver are different from the ftp-client are explicitly allowed.

So, because the ftp server does not violate RFC959, can the too-restrictive netfilter behaviour be considered a bug and fixed, at least by a module option?

Xuân.
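As an added illustration of the two matchers discussed in the thread (this is example code, not netfilter's own), the model below builds the expectation ip_conntrack_ftp would register for an active-mode data connection and checks it against a data SYN arriving from a different server address, as happened with the tu-chemnitz server. The router address and masqueraded port are assumed values; the stray host is constructed to show what the relaxed matcher also lets through.

```python
# Models a conntrack "expectation" for the active-mode FTP data connection.
# Added example, not netfilter code; router IP, masq port and the stray host are constructed.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Tuple5:
    proto: str
    src_ip: str
    src_port: Optional[int]   # None means "any"
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Expectation:
    """Matcher for the expected data connection (source port is always 'any')."""
    server_ip: Optional[str]  # None = accept any source address (the proposed option)
    router_ip: str
    masq_port: int

    def matches(self, pkt: Tuple5) -> bool:
        return (pkt.proto == "tcp"
                and (self.server_ip is None or pkt.src_ip == self.server_ip)
                and pkt.dst_ip == self.router_ip
                and pkt.dst_port == self.masq_port)


ROUTER_IP = "192.0.2.1"                 # assumed masquerading router address
MASQ_PORT = 61001                       # assumed masqueraded PORT value
CONTROL_PEER = "134.109.132.107"        # address the control connection went to
# Data SYN from the address the server actually used (quoted in the thread)
DATA_SYN = Tuple5("tcp", "134.109.132.117", 20, ROUTER_IP, MASQ_PORT)
# Constructed: an unrelated host hitting the same masqueraded port
STRAY_SYN = Tuple5("tcp", "198.51.100.9", 20, ROUTER_IP, MASQ_PORT)


def strict_result() -> bool:
    """Current behaviour: expectation bound to the control peer's address."""
    return Expectation(CONTROL_PEER, ROUTER_IP, MASQ_PORT).matches(DATA_SYN)


def relaxed_result() -> Tuple[bool, bool]:
    """Proposed 'source-ip-address any' option: (data SYN accepted, stray SYN accepted)."""
    exp = Expectation(None, ROUTER_IP, MASQ_PORT)
    return exp.matches(DATA_SYN), exp.matches(STRAY_SYN)
```

The strict matcher drops the legitimate data connection, while the relaxed one accepts it but also accepts any third host that reaches the masqueraded port while the expectation is live, which is the trade-off behind making it optional.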