On Fri, 2002-04-05 at 07:55, Harald Welte wrote:
> > I added this when I was told that newer versions of mIRC (Windows
> > client) default to using the ip the server says we have (the external
> > ip) and we have quite a few of those clients here and I decided to be
> > nice.
>
> As far as I know this behaviour is configurable, so people might just
> configure their clients the right way ;)

Yes, it's configurable, but I get the same question, why doesn't it work,
a lot, and people seem to forget what I've told them.

> On the other hand, the patch is dangerous in the way that it removes this
> check. In principle this adds a similar 'vulnerability' to the IRC
> connection tracking like we've had with ftp
> (see http://www.netfilter.org/security/2001-04-16-ftp.html)

Well, I changed it so it uses the client's ip in the expectation, not the
ip in the dcc request, so I don't think this is insecure in that way.
It's just that if you only use ip_conntrack_irc without ip_nat_irc the
DCC request could be sent out with an invalid ip in the DCC request but
the expectation would still be correct. See below.

> > Harald, this is mostly just to get the patch out on the mailing list in
> > case someone has a need for this. But if you like it please apply :)
>
> Well, why do we have to accept all IP addresses? Why not just accept
> the client's ip address and the IP address the control connection is
> SNAT'ed to? This should solve the mIRC problem and still not cause
> any security problem.
>
> Or am I overlooking something?

No, I don't think you are overlooking something. I'll change it today and
send a new patch. Maybe we should make this the default behaviour
instead of having another parameter?

--
/Martin

Never argue with an idiot. They drag you down to their level, then beat
you with experience.
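
The check discussed in this thread, as an added userspace sketch that is not part of the original message and is not the ip_conntrack_irc code: the address announced in a DCC request is accepted only if it is the client's own address or the address the control connection is SNAT'ed to, and the expectation is always built from the tracked client address. The struct and function names (`ctl_conn`, `dcc_expect`, `parse_dcc`, `dcc_check`) are hypothetical, the sample addresses are constructed, and the parser handles only the simple `DCC <type> <arg> <ip> <port>` form with no spaces in the argument.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical view of a tracked IRC control connection (not kernel structs). */
struct ctl_conn {
    uint32_t client_ip;  /* original source address of the IRC client */
    uint32_t snat_ip;    /* address the control connection is SNAT'ed to */
};

struct dcc_expect { uint32_t dst_ip; uint16_t dst_port; };

/* Parse "\001DCC <type> <arg> <ip> <port>"; ip is a decimal 32-bit value. */
static int parse_dcc(const char *msg, uint32_t *ip, uint16_t *port)
{
    char type[16], arg[128];
    unsigned long long a, p;
    if (sscanf(msg, "\001DCC %15s %127s %llu %llu", type, arg, &a, &p) != 4)
        return -1;
    if (a > 0xFFFFFFFFULL || p == 0 || p > 65535)
        return -1;
    *ip = (uint32_t)a;
    *port = (uint16_t)p;
    return 0;
}

/* Returns 1 and fills exp when the request is acceptable, else 0. */
int dcc_check(const struct ctl_conn *c, const char *msg, struct dcc_expect *exp)
{
    uint32_t ip; uint16_t port;
    if (parse_dcc(msg, &ip, &port) != 0)
        return 0;
    /* Only the client's own address or its SNAT address may be announced. */
    if (ip != c->client_ip && ip != c->snat_ip)
        return 0;
    /* Build the expectation from the tracked client address,
     * never from the value carried in the payload. */
    exp->dst_ip = c->client_ip;
    exp->dst_port = port;
    return 1;
}

int main(void)
{
    /* Constructed sample: client 192.168.1.10, SNAT'ed to 203.0.113.5. */
    struct ctl_conn c = { 3232235786U, 3405803781U };
    struct dcc_expect e;
    int ok = dcc_check(&c, "\001DCC SEND f.txt 3405803781 5000\001", &e);
    printf("accepted=%d port=%u\n", ok, ok ? e.dst_port : 0);
}
```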