On Wed, Apr 10, 2002 at 01:07:20PM +0900, LeeHojae wrote:
> I really thank you for your attention.

No problem, I always want to improve netfilter/iptables. And your xdmcp
conntrack/nat helper is a nice extension, really.

> I'm ashamed of my poor coding....

No problem, it's your first netfilter/iptables contribution, and everybody
has to learn in the beginning :)

> If right, please send me the modified code.

I will send it as soon as I get around to testing it.

> I wish good luck to you...

Thanks.

There is another, security-relevant issue with your code:

It doesn't track the state of the XDMCP protocol, so everybody could just
send fake MANAGE packets and thus cause holes in the firewall/NAT to be
opened.

I'm now trying to track the REQUEST/ACCEPT handshake before accepting
a MANAGE packet.  This way we know if the Server has allowed the Display
to be managed by the Server.

-- 
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+ 
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
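
The REQUEST/ACCEPT tracking described in the message above, as an added userspace example that is not part of the original e-mail and is not the netfilter helper's code. The names xdmcp_track, xdmcp_packet, DIR_DISPLAY and DIR_MANAGER are hypothetical, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* XDMCP version 1 opcodes used here; header is version, opcode, length (CARD16 each). */
enum { XDMCP_REQUEST = 7, XDMCP_ACCEPT = 8, XDMCP_MANAGE = 10 };
enum { DIR_DISPLAY, DIR_MANAGER };            /* sender of the packet */
enum xdmcp_state { ST_NONE, ST_REQUESTED, ST_ACCEPTED };
struct xdmcp_track {                          /* hypothetical per-connection state */
    enum xdmcp_state state;
    uint32_t session_id;                      /* taken from the manager's Accept */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* Returns 1 only for a Manage that may open an expectation, otherwise 0. */
int xdmcp_packet(struct xdmcp_track *t, int dir, const uint8_t *d, size_t len)
{
    uint16_t op;
    if (len < 6 || rd16(d) != 1 || (size_t)rd16(d + 4) != len - 6)
        return 0;                             /* wrong version or length field */
    op = rd16(d + 2);
    if (op == XDMCP_REQUEST && dir == DIR_DISPLAY) {
        t->state = ST_REQUESTED;
    } else if (op == XDMCP_ACCEPT && dir == DIR_MANAGER &&
               t->state == ST_REQUESTED && len >= 10) {
        t->session_id = rd32(d + 6);          /* Accept body starts with Session ID */
        t->state = ST_ACCEPTED;
    } else if (op == XDMCP_MANAGE && dir == DIR_DISPLAY && len >= 12) {
        return t->state == ST_ACCEPTED && rd32(d + 6) == t->session_id;
    }
    return 0;
}

/* Constructed sample packets, all variable-length fields empty. */
static const uint8_t req[] = {0,1, 0,7, 0,11, 0,0, 0, 0, 0,0, 0,0, 0, 0,0};
static const uint8_t acc[] = {0,1, 0,8, 0,12, 0xDE,0xAD,0xBE,0xEF, 0,0, 0,0, 0,0, 0,0};
static const uint8_t man[] = {0,1, 0,10, 0,8, 0xDE,0xAD,0xBE,0xEF, 0,0, 0,0};

int main(void)
{
    struct xdmcp_track t = { ST_NONE, 0 };
    printf("bare Manage: %d\n", xdmcp_packet(&t, DIR_DISPLAY, man, sizeof man));
    xdmcp_packet(&t, DIR_DISPLAY, req, sizeof req);
    xdmcp_packet(&t, DIR_MANAGER, acc, sizeof acc);
    printf("after handshake: %d\n", xdmcp_packet(&t, DIR_DISPLAY, man, sizeof man));
    return 0;
}
```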
