On Mon, Apr 08, 2002 at 05:49:36AM +0200, Nils Ohlmeier wrote:

> FCP is our own creation, because of the lack of an 'official' protocol from
> the IETF. It was and probably will never become an official IETF protocol.

Well, it has been an IETF draft, hasn't it?

> The basic idea behind the FCPd is for complex protocols like SIP/SDP not to
> transfer the protocol knowledge into the conntrack module. Leave the knowledge in
> the applications (proxies or servers) and let them decide which user,
> application or host is allowed to request 'holes' in the firewall for an
> amount of time.

Exactly. I really like this idea, and this functionality is definitely needed.

> The FCP and the daemon should be seen as a proof of concept implementation
> from our research institute (http://www.fokus.fhg.de). I wouldn't say that
> it's abandoned, but that maybe depends on the point of view.

No, not the FCP implementations. What I meant was: the FCP protocol has been
abandoned by the IETF (since the draft expired quite some time ago).

> > There also need to be a few netfilter API changes in order to support SIP.
> > Stuff like port reservations. And it also needs port reservations for
> > two consecutive port numbers. Or in the case you have audio and video,
> > four consecutive numbers, ...
>
> Okay, port reservation is done by our daemon by simply binding a socket. We
> know that this is nasty but it is the easiest way to make sure that the ports
> we use in NAT rules are not used by netfilter or an application on the
> firewall.

Mh. The issue is that binding to the local port is way 'too much'. Connection
tracking only needs a unique tuple (srcip, srcport, dstip, dstport), which means
there can be any number of outside (ip, port) pairs to a single port on the NAT
box. By binding to the port on the NAT box, we seriously reduce the number of
available valid conntrack tuples, and thus increase the necessity of having to
mangle port numbers where otherwise we wouldn't have to.

I will put this on our TODO list, and try to implement it after newnat has hit
the 2.4.20 kernel.

> Regards
> Nils Ohlmeier

-- 
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+ V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
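As an added illustration of the conntrack-tuple argument in Harald's reply (a constructed model written for this page, not netfilter, FCP or FCPd code), the toy allocator below compares the two reservation policies: once the daemon bind()s a NAT port it is lost for every outside peer, whereas a tuple-based reservation only rules out the exact (NAT port, peer ip, peer port) combination. All hosts, ports and the NAT port pool are made-up values; span=2 models the RTP/RTCP pair mentioned in the thread.

```python
from collections import namedtuple

# Constructed model: a conntrack mapping only has to be unique as a tuple, so one
# NAT-side port can serve many outside peers; reserving the port with bind()
# makes it unusable for every peer. Nothing here is netfilter code.
Flow = namedtuple("Flow", "src_ip src_port peer_ip peer_port")  # one media stream
Mapping = namedtuple("Mapping", "nat_port peer_ip peer_port")   # outside half of a tuple
NAT_PORTS = range(8000, 8100)  # constructed public port pool of the NAT box

def port_usable(nat_port, peer, mappings, policy):
    """Can nat_port carry a flow to `peer` (ip, port) next to existing mappings?"""
    for m in mappings:
        if m.nat_port != nat_port:
            continue
        if policy == "bind":
            return False  # daemon bound a socket: port lost for every peer
        if (m.peer_ip, m.peer_port) == peer:
            return False  # identical tuple: replies could not be told apart
    return True  # "tuple" policy: same port, different peer is fine

def allocate(flows, policy, span=1):
    """Give each flow `span` consecutive NAT ports (span=2 = RTP+RTCP, even base).
    Returns (base ports chosen, number of flows that lost their source port)."""
    mappings, chosen, mangled = [], [], 0

    def fits(base, flow):
        return base % span == 0 and all(
            base + i in NAT_PORTS and port_usable(
                base + i, (flow.peer_ip, flow.peer_port + i), mappings, policy)
            for i in range(span))

    for f in flows:
        if fits(f.src_port, f):
            base = f.src_port  # keep the inside port: no mangling needed
        else:
            base = next(p for p in NAT_PORTS if fits(p, f))  # StopIteration if pool is exhausted
            mangled += 1
        mappings.extend(Mapping(base + i, f.peer_ip, f.peer_port + i) for i in range(span))
        chosen.append(base)
    return chosen, mangled

# Constructed scenario: four phones behind the NAT all send RTP from port 8000
# (RTCP 8001); the fourth talks to the same outside endpoint as the first.
PHONES = [
    Flow("10.0.0.1", 8000, "198.51.100.10", 20000),
    Flow("10.0.0.2", 8000, "198.51.100.20", 20000),
    Flow("10.0.0.3", 8000, "198.51.100.30", 20000),
    Flow("10.0.0.4", 8000, "198.51.100.10", 20000),
]
# allocate(PHONES, "tuple", span=2) -> ([8000, 8000, 8000, 8002], 1)
# allocate(PHONES, "bind", span=2)  -> ([8000, 8002, 8004, 8006], 3)
```

Only the genuinely ambiguous fourth flow is mangled under the tuple policy, while bind() forces a new port pair on every phone after the first.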