Proxy ports are not checked in rules which contain a src/dst restriction.
When a rule contains a from..to or a ! condition, the IPN_FILTER bit is set and
the proxy port is ignored.
ip_nat.c:

    if (*np->in_plabel != '\0') {
        /* the port test is skipped entirely when IPN_FILTER is set */
        if (((np->in_flags & IPN_FILTER) == 0) &&
            (np->in_dport != tcp->th_dport))
            continue;
        if (appr_ok(fin, tcp, np) == 0)
            continue;
Example: the SMTP protocol is mapped to the ftp proxy
F200XA003890400401>ipnat -l
List of active MAP/Redirect filters:
map sis0 from any to any -> 10.2.13.80/32 proxy port ftp ftp/tcp
map sis0 from any to any -> 10.2.13.80/32 portmap tcp/udp 20000:59999
map sis0 from any to any -> 10.2.13.80/32
List of active sessions:
MAP 192.168.13.121 49567 <- -> 10.2.13.80 49567 [10.0.0.20 25]
proxy ftp/6 use 1 flags 0
proto 6 flags 0 bytes 298 pkts 5 data YES size 1360
FTP Proxy:
passok: 1
Client:
seq bb324def (ack 0) len 0 junk 0 cmds 0
buf [\000]
Server:
seq bc9ffe83 (ack bc9ffe95) len 18 junk 0 cmds 1
buf [220 SMTP Welcome\015\012\000]
It's problematic, because an invalid proxy attachment seems to increase
memory consumption quickly.
--
David Gueluy
[EMAIL PROTECTED]
Netasq - We secure IT
http://www.netasq.com
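The following is an added example, not code from the report above nor from IPFilter's ip_nat.c. It models the quoted proxy-rule check in a small rule table built from the ipnat -l listing in the report, so that the reported behaviour (a from..to rule flagged IPN_FILTER attaching its ftp proxy to a port 25 connection) can be run against a variant that compares the proxy port unconditionally. The struct, the IPN_FILTER value, the rule table and every function name here are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flag value; in the report this bit is set when the rule
 * carries a from..to or a ! condition. */
#define IPN_FILTER 0x1000u

/* Reduced model of a NAT rule: only the fields the quoted check reads. */
struct nat_rule {
    uint32_t in_flags;
    uint16_t in_dport;        /* proxy port, host byte order in this model */
    char     in_plabel[16];   /* proxy label, "" for rules without a proxy */
};

/* Model of the check quoted from ip_nat.c: the proxy port is compared only
 * when IPN_FILTER is clear, so a from..to rule attaches its proxy to any port. */
static int proxy_port_ok_reported(const struct nat_rule *np, uint16_t dport)
{
    if ((np->in_flags & IPN_FILTER) == 0 && np->in_dport != dport)
        return 0;
    return 1;
}

/* Variant that compares the proxy port whatever the filter flags are. */
static int proxy_port_ok_strict(const struct nat_rule *np, uint16_t dport)
{
    return np->in_dport == dport;
}

/* Walk the rule table and return the index of the first rule whose proxy
 * would be attached to a connection with destination port dport, or -1 if
 * no proxy rule accepts it (the appr_ok() step is not modelled). */
int first_proxy_rule(const struct nat_rule *rules, size_t n,
                     uint16_t dport, int strict)
{
    for (size_t i = 0; i < n; i++) {
        const struct nat_rule *np = &rules[i];
        if (np->in_plabel[0] == '\0')
            continue;   /* no proxy on this rule */
        int ok = strict ? proxy_port_ok_strict(np, dport)
                        : proxy_port_ok_reported(np, dport);
        if (!ok)
            continue;   /* the "continue" in the quoted code */
        return (int)i;
    }
    return -1;
}

/* Constructed rule table mirroring the ipnat -l listing in the report.
 * All three rules carry "from any to any", so IPN_FILTER is set on each. */
static const struct nat_rule sample_rules[] = {
    { IPN_FILTER, 21, "ftp" },  /* map ... -> 10.2.13.80/32 proxy port ftp ftp/tcp */
    { IPN_FILTER,  0, ""    },  /* map ... -> 10.2.13.80/32 portmap tcp/udp ... */
    { IPN_FILTER,  0, ""    },  /* map ... -> 10.2.13.80/32 */
};
#define NSAMPLE (sizeof sample_rules / sizeof sample_rules[0])

/* SMTP (port 25) against the table with the reported check: rule 0's ftp
 * proxy is attached, which is the session shown in the report. */
int smtp_hits_ftp_proxy_reported(void)
{
    return first_proxy_rule(sample_rules, NSAMPLE, 25, 0);
}

/* Same connection with the strict check: no proxy rule accepts port 25. */
int smtp_hits_ftp_proxy_strict(void)
{
    return first_proxy_rule(sample_rules, NSAMPLE, 25, 1);
}

/* Real FTP traffic (port 21) still reaches the ftp proxy under the strict check. */
int ftp_hits_ftp_proxy_strict(void)
{
    return first_proxy_rule(sample_rules, NSAMPLE, 21, 1);
}

/* The same ftp proxy rule without a from..to clause (IPN_FILTER clear):
 * the reported check does compare the port and rejects SMTP. */
int smtp_hits_ftp_proxy_unfiltered_reported(void)
{
    struct nat_rule r = sample_rules[0];
    r.in_flags &= ~IPN_FILTER;
    return first_proxy_rule(&r, 1, 25, 0);
}

int main(void)
{
    printf("dport 25, reported check, from..to rule: rule %d\n",
           smtp_hits_ftp_proxy_reported());
    printf("dport 25, strict check,   from..to rule: rule %d\n",
           smtp_hits_ftp_proxy_strict());
    printf("dport 21, strict check,   from..to rule: rule %d\n",
           ftp_hits_ftp_proxy_strict());
    printf("dport 25, reported check, no from..to:   rule %d\n",
           smtp_hits_ftp_proxy_unfiltered_reported());
    return 0;
}
```

The strict variant only changes which rule a proxy connection can land on; it does not model what appr_ok() or the later non-proxy rules would do with the packet, so it shows the port decision in isolation rather than the full ip_nat.c rule walk.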