On Thu, 17 May 2001, Luke McKee wrote:
> Seeing the ^^^ source ip address is not specified in the PORT command, does
> netfilter just assume it will be same one
> as the endpoint of the outgoing ftp control connection. Assumptions are not
> good :-( in our case and netfilter doesn't expect the incoming data
> connection to come in from where it really does. In most cases on the
> internet the assumption would be right, but with lots of load balancing
> implementations of FTP out there with different ip addresses for incoming
> and outgoing connections (not everybody wants to use big FreeBSD boxes like
> cdrom.com) people may run into this problem with netfilter more often.
>
> FTP doesn't state the source IP of the data connection in a PORT command to
> expect the incoming connection from, because normally an ftp client checks
> only for the correct source port - not the 'correct' source IP as well. Does
> netfilter differ from standard ftp clients and check the source IP matches
> what it expects? (I'll guess yes for the rest of the email)
The FTP conntrack module is for a firewall: it should be as conservative -
without disrupting the allowed services - as possible, still retaining as
many security restrictions as possible.
Such load-balancing FTP services could only be supported at normal FTP
data mode if the incoming source address for the data channel would be
unspecified ("wildcard"): anyone from the whole internet could then
connect to the FTP client at the given port.
Why don't you simply use passive mode FTP??
Regards,
Jozsef
-
E-mail : [EMAIL PROTECTED], [EMAIL PROTECTED]
WWW-Home: http://www.kfki.hu/~kadlec
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
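The expectation logic Jozsef describes, as an added example that is not part of the thread or of netfilter's own code: it parses a PORT command, builds the conservative expectation (the data connection must come from the control connection's server address) and shows that the load-balanced case fails to match, while a wildcard source would admit any host. Function names, the extra PORT-address check and the addresses are my own constructions.

```python
# Added example, not code from the thread or from netfilter: a model of how an
# FTP helper turns a PORT command into a data-connection expectation, and why
# a data connection from a second (load-balanced) address is refused unless
# the expected source address is left as a wildcard. Names are my own.
import re
from dataclasses import dataclass
from typing import Optional

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")

@dataclass(frozen=True)
class Expectation:
    src_ip: Optional[str]  # None = wildcard: any source address matches
    dst_ip: str            # address the client advertised in PORT
    dst_port: int          # port the client advertised in PORT

def parse_port(line: str):
    """Parse 'PORT h1,h2,h3,h4,p1,p2' into (ip, port), port = p1*256 + p2."""
    m = PORT_RE.match(line)
    if m is None:
        raise ValueError("not a well-formed PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("PORT field out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def build_expectation(client_ip, server_ip, port_line, wildcard_src=False):
    """PORT seen on the client->server control connection -> expectation.

    Conservative default: pin the data connection's source to the control
    connection's server address. The PORT address must be the client's own
    (assumed check), so the helper cannot be asked to open a hole elsewhere."""
    ip, port = parse_port(port_line)
    if ip != client_ip:
        raise ValueError("PORT advertises an address other than the client's")
    return Expectation(None if wildcard_src else server_ip, ip, port)

def matches(exp, src_ip, dst_ip, dst_port):
    """Would the firewall accept this inbound SYN as the FTP data connection?"""
    return ((exp.src_ip is None or exp.src_ip == src_ip)
            and exp.dst_ip == dst_ip and exp.dst_port == dst_port)

# Constructed addresses: client 192.0.2.10, control server 198.51.100.1,
# load balancer dialling back from 198.51.100.2.
PORT_LINE = "PORT 192,0,2,10,4,1\r\n"
STRICT = build_expectation("192.0.2.10", "198.51.100.1", PORT_LINE)
LOOSE = build_expectation("192.0.2.10", "198.51.100.1", PORT_LINE, wildcard_src=True)
```

With STRICT the data connection from 198.51.100.2 is not matched and the firewall drops it; with LOOSE it is accepted, but so is a connection from any other address on the internet, which is the trade-off Jozsef points out.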