Glynn Clements wrote:

> Juan Carlos Castro y Castro wrote:
> 
> > Hi. I noticed I have to load ip_masq_ftp in order for FTP to work from
> > behind an IP masquerading box.
> 
> Or you have to use passive (PASV) mode for FTP, which is preferable.

Duh? What's the difference? And what *is* FTP passive mode by the way?

> > "make modules" creates similar modules
> > for a handful of other IP protocols (IRC, Quake...) and I am wise enough
> > to load them all on startup.
> >
> > My question is: Is there currently any other specific protocol that
> > breaks if behind an ip masq and for which there's still no support?
> 
> Loads, including just about any protocol invented by a Windows
> programmer.

Aw, you just have to use MS Proxy Server. Just kidding!

> > I ask this to prepare myself for problems in client installations
> > ("What? You say our Corporate Whiz-Bang On-Line Transaction Server
> > doesn't work from behind your firewall? I knew I should have bought
> > MS!")
> 
> Servers don't generally live behind firewalls if you want external
> hosts to be able to connect to them. That is the purpose of a
> firewall.

Yeah, the example was badly written. Where I say "doesn't work from",
read "can't be accessed from". Thanks for the tips, now I understand it
a bit more. The following paragraphs could very well be in a firewall
FAQ (if they already aren't).

> Some general rules:
> 
> Protocols which send IP addresses or port numbers through the
> connection may not work via masquerading unless there is a specific
> module for them.

"May"? IMHO if it *does* work there's something wrong with the protocol
(redundancy in the best case).

> Protocols which require the client to accept inbound connections (e.g.
> passive-mode FTP) won't work unless there is a specific module for
> them.

I had something to ask about this, but I'll wait until you enlighten me
on the first question of this message... :-/

> Anything which requires each host to have a separate IP address won't
> work via masquerading, period. A specific module won't help you here.
> The only thing which will help is having multiple valid IP addresses.

I've run into IRC problems because of that. Some servers wrongfully
accuse multiple incoming requests of foul play. There's not much to do, I
know.

> Servers don't work behind firewalls; you have to make the firewall act
> as a proxy server for them, using e.g. redir.

Can't I use ipfwadm for that (saying for instance that incoming port 80
requests go to 192.168.this.that)?

> The things that *do* work are protocols which involve a single TCP
> connection which is initiated from behind the firewall (e.g. HTTP,
> telnet, finger, SMTP, ...), or multiple TCP connections where all
> connections are initiated by the client (behind the firewall) and the
> client doesn't send IP addresses or port numbers (i.e. passive-mode
> FTP).
> 
> Anything else generally requires some degree of voodoo, which is what
> the various ip_masq_*.o modules are for. There is a program called
> `ipautofw' which is supposed to make it easier to add support for
> these sorts of protocols (although I haven't tried it myself). The
> Documentation/Configure.help file says:
> 
> > IP: ipautofw masquerade support (Experimental)
> > CONFIG_IP_MASQUERADE_IPAUTOFW
> >   ipautofw is a program which allows the masquerading of protocols
> >   which do not (as yet) have their own protocol helpers. Information
> >   and source for ipautofw is available via FTP (user: anonymous) from
> >   ftp://ftp.netis.com/pub/members/rlynch/
> >
> >   You will also need the ipmasqadm tool available from
> >   http://juanjox.linuxhq.com/ .
> 
> --
> Glynn Clements <[EMAIL PROTECTED]>

-- 
 ___THE___  One man alone cannot fight the future. USE LINUX!
 \  \ /  /   _______________________________________________
  \  V  /   |Juan Carlos Castro y Castro                    |
   \   /    |[EMAIL PROTECTED]                          |
   /   \    |Linuxeiro, alvinegro, X-Phile e Carioca Folgado|
  /  ^  \   |Diretor de Informática e Eventos Sobrenaturais |
 /  / \  \  |da E-RACE CORPORATION                          |
 ~~~   ~~~   -----------------------------------------------
   RACER
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
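To illustrate the rule Glynn states above (protocols that send IP addresses or port numbers through the connection need a specific module, while client-initiated connections that carry no addresses do not), here is a small model of what an FTP masquerading helper has to do. This is an added example written for this page, not code from the thread, from ip_masq_ftp or from the Linux kernel; the names `parse_port_command`, `MasqFtpHelper` and the sample addresses are invented for the illustration. It decodes the active-mode `PORT` command a masqueraded client sends, rewrites it to the masquerading box's own address and a freshly allocated port, and records where an inbound data connection to that port must be delivered. It also decodes a passive-mode `227` reply to show why PASV needs no such state: the client opens the outbound data connection itself, which ordinary masquerading already handles.

```python
"""Model of an FTP masquerading helper (what ip_masq_ftp-style modules do).

Added illustration for this thread, not kernel or project code.  All
function and class names here are invented, and the addresses used in
the comments and tests are constructed sample values.
"""
import re

# 'PORT h1,h2,h3,h4,p1,p2'  -> client listens on h1.h2.h3.h4 : p1*256+p2
_PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' -> server listens there
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(groups):
    parts = [int(x) for x in groups]
    if any(p > 255 for p in parts):
        raise ValueError("octet or port byte out of range: %r" % (groups,))
    return ".".join(str(p) for p in parts[:4]), parts[4] * 256 + parts[5]


def parse_port_command(line):
    """Return (ip, port) from an active-mode PORT command.

    A malformed command raises ValueError rather than being forwarded,
    so the helper never opens an inbound hole based on garbage.
    """
    m = _PORT_RE.match(line.strip())
    if not m:
        raise ValueError("not a PORT command: %r" % line)
    return _decode(m.groups())


def parse_pasv_reply(line):
    """Return (ip, port) the client should connect to from a 227 reply."""
    m = _PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 PASV reply: %r" % line)
    return _decode(m.groups())


def format_port_command(ip, port):
    """Encode (ip, port) back into the comma-separated PORT syntax."""
    return "PORT %s,%d,%d" % (",".join(ip.split(".")), port // 256, port % 256)


class MasqFtpHelper:
    """Rewrites PORT commands from a masqueraded client.

    external_ip is the masquerading box's public address.  Each rewrite
    allocates a port on that box and remembers which internal (ip, port)
    an inbound data connection to it must be passed to.  Without this
    state the server's connection back to the client would arrive at
    the masq box with no idea where it belongs and would be dropped.
    """

    def __init__(self, external_ip, first_port=61000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.expected = {}  # external port -> (internal ip, internal port)

    def rewrite_port_command(self, line):
        internal_ip, internal_port = parse_port_command(line)
        ext_port = self.next_port
        self.next_port += 1
        self.expected[ext_port] = (internal_ip, internal_port)
        # Note the rewritten line is usually a different length from the
        # original; a real in-kernel helper must also adjust TCP sequence
        # numbers on the control connection to hide that change.
        return format_port_command(self.external_ip, ext_port)

    def route_inbound(self, dst_port):
        """Destination for an inbound data connection to dst_port, or None
        if nothing was expected there (the connection would be refused)."""
        return self.expected.pop(dst_port, None)


if __name__ == "__main__":
    helper = MasqFtpHelper("203.0.113.5")  # constructed public address
    rewritten = helper.rewrite_port_command("PORT 192,168,1,10,4,1")
    print("client sent  : PORT 192,168,1,10,4,1")
    print("server sees  :", rewritten)
    print("inbound 61000 ->", helper.route_inbound(61000))
    # Passive mode: the client connects out, so only parsing is needed.
    print("PASV target  :", parse_pasv_reply(
        "227 Entering Passive Mode (198,51,100,7,195,80)"))
```

The model makes the asymmetry concrete: `rewrite_port_command` both changes bytes in the control stream and creates expectation state for an inbound connection, which is exactly what a per-protocol module has to supply, whereas `parse_pasv_reply` only needs to read the reply because the resulting outbound connection from the client is a normal masqueraded TCP session.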