On Wed, Oct 30, 2002 at 08:41:12PM +0000, Roy Badami wrote:

> It seems to me that whilst it might require a minimal amount of kernel
> machinery to permit setup of the outgoing connection from the proxy,
> once established it is identical in nature to the incoming
> connection...
This could be solved with 'embryonic states', a separate list/tree of state entries that lack certain parts (like source ports, which are usually random and not known in advance). After the normal state lookup (if it fails), but before the rule set evaluation, a matching embryonic state would be completed and turn into a normal state.

Proxies could insert embryonic states instead of listening for incoming connections, establishing connections and forwarding data between them. Also, embryonic states could include all sorts of address/port translations, so even connections established by the proxy (for instance the ftp control connection) could appear to originate from the real client address through a source address translation.

There are many ways proxies could use this feature, potentially making the proxy code much shorter. But there are also security implications, as a state entry bypasses all filter rules. But it's definitely something I want to try.

There are several problems to solve, like supporting different kinds of incomplete states while keeping lookups efficient. If they're solved, and the concept works and is safe, I guess ftp-proxy could (optionally, if necessary) use that to become fully transparent.

Daniel
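The lookup order sketched in the message (normal state table first, then the separate embryonic list, and only then the rule set) as a small Python model. This is an added illustration, not pf code and not anything from the thread: the `StateTable`, `Embryonic` and `Key` names, the sample addresses, ports and policy are all constructed here. It also adds two things a defender would want given the "state entry bypasses all filter rules" caveat: embryonic entries must fully specify the destination side (only the client side may be a wildcard), and they expire if never completed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ANY = None  # placeholder for a field not known when the embryonic state is inserted


@dataclass(frozen=True)
class Key:
    """Connection key as seen by the filter for one direction (hypothetical, for this model)."""
    proto: str
    src: Optional[str]
    sport: Optional[int]
    dst: Optional[str]
    dport: Optional[int]


@dataclass
class Embryonic:
    """Incomplete state: src and/or sport may be ANY; proto, dst and dport must be known."""
    key: Key
    nat_src: Optional[str] = None  # optional source address translation carried by the entry
    expires: int = 0               # model time (seconds) after which an uncompleted entry is dropped


Rule = Tuple[str, Callable[[Key], bool]]  # (action, predicate); constructed rule format


class StateTable:
    def __init__(self) -> None:
        self.states: Dict[Key, dict] = {}      # completed (normal) states
        self.embryonic: List[Embryonic] = []   # separate list, as the message proposes
        self.log: List[str] = []               # audit trail of completions

    def insert_embryonic(self, e: Embryonic) -> None:
        # Guard: a matched state skips the rule set, so refuse entries that leave the
        # destination side open; only the (random, unknown) client side may be ANY.
        if e.key.proto is ANY or e.key.dst is ANY or e.key.dport is ANY:
            raise ValueError("embryonic state must fully specify proto, dst and dport")
        self.embryonic.append(e)

    def expire(self, now: int) -> int:
        """Drop embryonic entries that were never completed; returns how many were removed."""
        before = len(self.embryonic)
        self.embryonic = [e for e in self.embryonic if e.expires > now]
        return before - len(self.embryonic)

    def _find_embryonic(self, pkt: Key) -> Optional[Embryonic]:
        for e in self.embryonic:
            k = e.key
            if (k.proto, k.dst, k.dport) != (pkt.proto, pkt.dst, pkt.dport):
                continue
            if k.src is not ANY and k.src != pkt.src:
                continue
            if k.sport is not ANY and k.sport != pkt.sport:
                continue
            return e
        return None

    def classify(self, pkt: Key, rules: List[Rule], now: int) -> Tuple[str, str]:
        """Return (action, reason) following the three-step order from the message."""
        self.expire(now)
        # 1. normal state lookup
        if pkt in self.states:
            return ("pass", "state")
        # 2. embryonic lookup before rule evaluation; a match is completed into a normal state
        e = self._find_embryonic(pkt)
        if e is not None:
            self.embryonic.remove(e)
            self.states[pkt] = {"nat_src": e.nat_src}
            self.log.append(f"completed {pkt} nat_src={e.nat_src}")
            return ("pass", "embryonic")
        # 3. rule set evaluation; last matching rule wins (no 'quick' modelled), default block
        action = "block"
        for act, pred in rules:
            if pred(pkt):
                action = act
        return (action, "rules")


def demo() -> dict:
    """Constructed scenario: a proxy pre-announces a client data connection it expects."""
    t = StateTable()
    # Sample policy: only the control connection to the server is allowed by rules.
    rules: List[Rule] = [("pass", lambda p: p.proto == "tcp"
                          and p.dst == "203.0.113.10" and p.dport == 21)]
    # The proxy knows client, server and server port, but not the client's source port,
    # and asks that the connection appear to come from 192.0.2.1.
    t.insert_embryonic(Embryonic(Key("tcp", "10.0.0.5", ANY, "203.0.113.10", 51234),
                                 nat_src="192.0.2.1", expires=30))
    t.insert_embryonic(Embryonic(Key("tcp", "10.0.0.9", ANY, "203.0.113.10", 51235),
                                 expires=10))
    data = Key("tcp", "10.0.0.5", 40001, "203.0.113.10", 51234)
    first = t.classify(data, rules, now=5)      # completed from the embryonic entry
    second = t.classify(data, rules, now=6)     # now an ordinary state hit
    other = t.classify(Key("tcp", "10.0.0.7", 40002, "203.0.113.10", 51234), rules, now=7)
    late = t.classify(Key("tcp", "10.0.0.9", 40003, "203.0.113.10", 51235), rules, now=20)
    return {"first": first, "second": second, "other": other, "late": late,
            "nat": t.states[data]["nat_src"], "remaining": len(t.embryonic)}
```

The point the model makes concrete is the one the message flags as a risk: once an embryonic entry matches, the packet never reaches the rule set, so the only controls left are how narrowly the entry was specified and how quickly it expires if the expected connection never arrives.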
