Juan Carlos Castro y Castro wrote:
> Hi. I noticed I have to load ip_masq_ftp in order for FTP to work from
> behind an IP masquerading box.
Or you have to use passive (PASV) mode for FTP, which is preferable.
> "make modules" creates similar modules
> for a handful of other IP protocols (IRC, Quake...) and I am wise enough
> to load them all on startup.
>
> My question is: Is there currently any other specific protocol that
> breaks if behind an ip masq and for which there's still no support?
Loads, including just about any protocol invented by a Windows
programmer.
> I ask this to prepare myself for problems in client installations
> ("What? You say our Corporate Whiz-Bang On-Line Transaction Server
> doesn't work from behind your firewall? I knew I should have bought
> MS!")
Servers don't generally live behind firewalls if you want external
hosts to be able to connect to them. That is the purpose of a
firewall.
Some general rules:

Protocols which send IP addresses or port numbers through the
connection may not work via masquerading unless there is a specific
module for them.

Protocols which require the client to accept inbound connections (e.g.
passive-mode FTP) won't work unless there is a specific module for
them.

Anything which requires each host to have a separate IP address won't
work via masquerading, period. A specific module won't help you here.
The only thing which will help is having multiple valid IP addresses.

Servers don't work behind firewalls; you have to make the firewall act
as a proxy server for them, using e.g. redir.

The things that *do* work are protocols which involve a single TCP
connection which is initiated from behind the firewall (e.g. HTTP,
telnet, finger, SMTP, ...), or multiple TCP connections where all
connections are initiated by the client (behind the firewall) and the
client doesn't send IP addresses or port numbers (i.e. passive-mode
FTP).
Anything else generally requires some degree of voodoo, which is what
the various ip_masq_*.o modules are for. There is a program called
`ipautofw' which is supposed to make it easier to add support for
these sorts of protocols (although I haven't tried it myself). The
Documentation/Configure.help file says:
> IP: ipautofw masquerade support (Experimental)
> CONFIG_IP_MASQUERADE_IPAUTOFW
> ipautofw is a program which allows the masquerading of protocols
> which do not (as yet) have their own protocol helpers. Information
> and source for ipautofw is available via FTP (user: anonymous) from
> ftp://ftp.netis.com/pub/members/rlynch/
>
> You will also need the ipmasqadm tool available from
> http://juanjox.linuxhq.com/ .
--
Glynn Clements <[EMAIL PROTECTED]>
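
The first general rule above (protocols which send IP addresses or port numbers through the connection), worked through for the FTP PORT command. This is an added example, not part of the original message and not the ip_masq_ftp source; the function name, the addresses and the mapped port 61000 are assumptions made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: rewrite an FTP "PORT h1,h2,h3,h4,p1,p2\r\n" line so it
 * advertises the masquerading box's public address and a port it has mapped.
 * Returns the new length, or -1 for a malformed line or a too-small buffer. */
int rewrite_port_cmd(const char *in, const unsigned pub_ip[4],
                     unsigned pub_port, char *out, size_t outlen)
{
    unsigned v[6];
    int used = 0, n, i;

    if (strncmp(in, "PORT ", 5) != 0 || pub_port > 65535)
        return -1;
    if (sscanf(in + 5, "%u,%u,%u,%u,%u,%u%n",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &used) != 6)
        return -1;
    if (strcmp(in + 5 + used, "\r\n") != 0)   /* nothing may follow the port */
        return -1;
    for (i = 0; i < 6; i++)
        if (v[i] > 255)                        /* each field is one octet */
            return -1;

    n = snprintf(out, outlen, "PORT %u,%u,%u,%u,%u,%u\r\n",
                 pub_ip[0], pub_ip[1], pub_ip[2], pub_ip[3],
                 pub_port >> 8, pub_port & 0xff);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    /* Constructed sample: private client address, documentation-range public one. */
    const char *cmd = "PORT 192,168,1,10,4,1\r\n";
    const unsigned pub[4] = { 203, 0, 113, 7 };
    char out[64];
    int n = rewrite_port_cmd(cmd, pub, 61000, out, sizeof out);

    if (n < 0)
        return 1;
    /* The payload length changes, so a real helper must also shift the TCP
     * sequence and acknowledgement numbers for the rest of the connection. */
    printf("before (%zu bytes): %safter  (%d bytes): %s",
           strlen(cmd), cmd, n, out);
    return 0;
}
```

Without a rewrite of this kind the server is told to connect to 192.168.1.10, which it cannot reach; a protocol that never puts addresses or ports in its payload needs no such per-protocol module.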