On Fri, Apr 05, 2002 at 03:07:10AM +0200, Martin Josefsson wrote:
> Hi,
>
> This is a small patch to add a new parameter called loose to
> ip_conntrack_irc. It's against newnat.
>
> This parameter allows clients to use the "wrong" ip in DCC requests.
> If used in combination with ip_nat_irc this is no problem as it will
> replace the ip.
>
> I added this when I was told that newer versions of mIRC (Windows
> client) default to using the ip the server says we have (the external
> ip) and we have quite a few of those clients here and I decided to be
> nice.

As far as I know this behaviour is configurable, so people might just
configure their clients the right way ;)

On the other hand, the patch is dangerous in the way that it removes this
check. In principle this adds a similar 'vulnerability' to the IRC connection
tracking like we've had with ftp (see
http://www.netfilter.org/security/2001-04-16-ftp.html)

> Harald, this is mostly just to get the patch out on the mailing list in
> case someone has a need for this. But if you like it please apply :)

Well, why do we have to accept all IP addresses? Why not just accept the
client's ip address and the IP address the control connection is SNAT'ed to?
This should solve the mIRC problem and still not cause any security problem.

Or am I overlooking something?

> /Martin

--
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
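
The three policies discussed in this message, side by side, as an added example that is not part of the original mail or of the netfilter code: the strict check, the patch's loose parameter, and the proposal to accept only the client's address or the address the control connection is SNAT'ed to. It is a userspace model; all type and function names are hypothetical, the strict check is assumed to compare against the client's own address, and the DCC address is assumed to be the decimal 32-bit form.

```c
#include <stdint.h>
#include <stdio.h>
/* Userspace model only; every name here is hypothetical, not kernel code. */
enum dcc_policy { DCC_STRICT, DCC_LOOSE, DCC_CLIENT_OR_SNAT };
struct ctrl_conn {
    uint32_t client_ip; /* source address of the IRC control connection */
    uint32_t snat_ip;   /* address that connection is SNAT'ed to, 0 if none */
};

/* Parse "\001DCC <cmd> <arg> <ip> <port>"; <ip> is a decimal 32-bit address.
 * Returns 0 on success, -1 on malformed or out-of-range input. */
int parse_dcc(const char *msg, uint32_t *ip, uint16_t *port)
{
    char cmd[16], arg[64];
    unsigned long long a, p;
    if (sscanf(msg, "\001DCC %15s %63s %llu %llu", cmd, arg, &a, &p) != 4)
        return -1;
    if (a == 0 || a > 0xFFFFFFFFULL || p == 0 || p > 65535)
        return -1;
    *ip = (uint32_t)a;
    *port = (uint16_t)p;
    return 0;
}

/* Returns 1 if a data connection to the announced address may be expected. */
int dcc_allowed(enum dcc_policy pol, const struct ctrl_conn *c, const char *msg)
{
    uint32_t ip;
    uint16_t port;
    if (parse_dcc(msg, &ip, &port) != 0)
        return 0;
    if (pol == DCC_LOOSE)               /* the patch: any address passes */
        return 1;
    if (ip == c->client_ip)             /* assumed form of the strict check */
        return 1;
    return pol == DCC_CLIENT_OR_SNAT && c->snat_ip != 0 && ip == c->snat_ip;
}

int main(void)
{
    /* Constructed sample: client 192.168.1.10, SNAT'ed to 203.0.113.5. */
    struct ctrl_conn c = { 0xC0A8010AU, 0xCB007105U };
    const char *ext = "\001DCC SEND f.txt 3405803781 5000\001"; /* 203.0.113.5 */
    const char *other = "\001DCC SEND f.txt 167772161 5000\001"; /* 10.0.0.1 */
    printf("strict/ext=%d proposed/ext=%d proposed/other=%d loose/other=%d\n",
           dcc_allowed(DCC_STRICT, &c, ext), dcc_allowed(DCC_CLIENT_OR_SNAT, &c, ext),
           dcc_allowed(DCC_CLIENT_OR_SNAT, &c, other), dcc_allowed(DCC_LOOSE, &c, other));
    return 0;
}
```

Only the loose policy accepts the unrelated address; the client-or-SNAT policy accepts the external address a client announces while still rejecting any third host.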