Thanks for the response on this subject. As far as I can tell from the
discussion, I will have a problem if I want to have an FTP server behind
the firewall, due to the fact that FTP file transfer may occur on an
inbound port of random selection. Is this correctly understood? If so, is
there any solution to the problem?

Kind regards, Ola Theander

---Fred Viles <[EMAIL PROTECTED]> wrote:
>
> On 22 Feb 99, at 16:30, Fuzzy Fox wrote about
> "[Masq] Re: Masquerade access to se":
>
> |
> | Markus Hansmair <[EMAIL PROTECTED]> wrote:
> |
> | > [PORT-ftp will work, PASV-ftp won't]
> | >
> | > Am I right?
> |
> | You are right. I didn't notice an ftp server in my initial response.
> |
> | Note that there is code in the ip_masq_ftp module which appears to be
> | trying to modify any PASV-reply from a masqueraded ftp server, but other
> | traffic on this list has pointed out that it does not seem to work at
> | all.
>
> There's no code in ip_masq_ftp.c that *modifies* PASV replies. All it
> does with them is set up a masquerade entry for the data connection
> with a "keepalive" link to the control connection.
>
> The IPPORTFW patch does not bind masq modules for the ports it is
> forwarding. Also the kernel does not check for a bound module based
> on the source port (unless IPAUTOFW is enabled). So the ip_masq_ftp
> module doesn't get called at all in the masqueraded server case.
> Fixing this takes a couple of very small kernel changes.
>
> The ip_masq_ftp module is direction sensitive. It only looks for
> PASV replies in *incoming* packets, and PORT commands in *outgoing*
> packets. So when it's the server that is masqueraded and the client
> that is external, neither packet type is ever seen because they are
> going in the other directions. Fixing this takes a pretty
> significant re-write of ip_masq_ftp.c. It needs to be orthogonal:
> checking for both PORT commands and PASV replies in all packets,
> rewriting both types in outgoing traffic and setting up the keep-alive
> entry for both types in incoming traffic.
>
> - Fred Viles <mailto:[EMAIL PROTECTED]>

_______________________________________________
Masq maillist - [EMAIL PROTECTED]
http://tiffany.indyramp.com/mailman/listinfo/masq
Admin requests can be handled by web (above) or [EMAIL PROTECTED]
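The "orthogonal" handling Fred describes above (look for both PORT commands and PASV replies in every control-channel line, whichever direction it travels, and rewrite the embedded address/port to the masquerading host's own) is sketched here as an added example. This is not code from ip_masq_ftp.c or any other kernel source; the function and type names are the example's own, and the addresses in the sample lines are constructed for illustration.

```c
/*
 * Added example, not taken from ip_masq_ftp.c: a direction-agnostic
 * parser and rewriter for the two FTP control messages that carry a
 * data-connection endpoint, the client's "PORT h1,h2,h3,h4,p1,p2"
 * command and the server's "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
 * reply. Names (ftp_endpoint, ftp_find_endpoint, ...) are hypothetical.
 */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum ftp_ep_kind { FTP_EP_NONE = 0, FTP_EP_PORT, FTP_EP_PASV };

struct ftp_endpoint {
    enum ftp_ep_kind kind;
    uint32_t addr;   /* IPv4 address, host byte order */
    uint16_t port;   /* TCP port, host byte order */
    size_t   start;  /* offset of the "h1,h2,h3,h4,p1,p2" run in the line */
    size_t   len;    /* length of that run */
};

/* Parse "h1,h2,h3,h4,p1,p2" at s; return bytes consumed, or 0 on error. */
static size_t parse_hostport(const char *s, uint32_t *addr, uint16_t *port)
{
    unsigned v[6];
    const char *p = s;
    for (int i = 0; i < 6; i++) {
        char *end;
        if (!isdigit((unsigned char)*p)) return 0;
        unsigned long n = strtoul(p, &end, 10);
        if (n > 255) return 0;       /* each field is one octet */
        v[i] = (unsigned)n;
        p = end;
        if (i < 5) {
            if (*p != ',') return 0;
            p++;
        }
    }
    *addr = ((uint32_t)v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    *port = (uint16_t)((v[4] << 8) | v[5]);
    return (size_t)(p - s);
}

/*
 * Inspect one control-channel line without caring whether it is inbound
 * or outbound: a PORT command and a 227 reply are both recognised.
 * Returns 1 and fills *ep if the line carries an endpoint, else 0.
 */
int ftp_find_endpoint(const char *line, struct ftp_endpoint *ep)
{
    size_t off;
    memset(ep, 0, sizeof *ep);
    if (strncmp(line, "PORT ", 5) == 0) {          /* client -> server */
        ep->kind = FTP_EP_PORT;
        off = 5;
        while (line[off] == ' ') off++;
    } else if (strncmp(line, "227 ", 4) == 0) {    /* server -> client */
        const char *lp = strchr(line, '(');
        if (!lp) return 0;
        ep->kind = FTP_EP_PASV;
        off = (size_t)(lp - line) + 1;
    } else {
        return 0;
    }
    size_t n = parse_hostport(line + off, &ep->addr, &ep->port);
    if (n == 0) { ep->kind = FTP_EP_NONE; return 0; }
    ep->start = off;
    ep->len = n;
    return 1;
}

/* Rewrite the embedded endpoint to new_addr:new_port, keeping the rest of
 * the line (including the trailing CRLF) intact. Returns 1 on success. */
int ftp_rewrite_endpoint(const char *line, uint32_t new_addr, uint16_t new_port,
                         char *out, size_t outlen)
{
    struct ftp_endpoint ep;
    char hp[32];
    if (!ftp_find_endpoint(line, &ep)) return 0;
    int hl = snprintf(hp, sizeof hp, "%u,%u,%u,%u,%u,%u",
                      (new_addr >> 24) & 255, (new_addr >> 16) & 255,
                      (new_addr >> 8) & 255, new_addr & 255,
                      new_port >> 8, new_port & 255);
    size_t tail = strlen(line) - (ep.start + ep.len);   /* e.g. ")\r\n" */
    if (ep.start + (size_t)hl + tail + 1 > outlen) return 0;
    memcpy(out, line, ep.start);
    memcpy(out + ep.start, hp, (size_t)hl);
    memcpy(out + ep.start + hl, line + ep.start + ep.len, tail + 1);
    return 1;
}

int main(void)
{
    /* Constructed sample lines: a masqueraded client's PORT and a
     * masqueraded server's PASV reply, both carrying private addresses
     * that must be replaced by the firewall's public 203.0.113.1. */
    const char *samples[] = {
        "PORT 192,168,1,10,4,1\r\n",
        "227 Entering Passive Mode (10,0,0,5,200,10)\r\n",
        "230 Login successful\r\n",
    };
    char out[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (ftp_rewrite_endpoint(samples[i], 0xCB007101u, 40000, out, sizeof out))
            printf("rewritten: %s", out);
        else
            printf("untouched: %s", samples[i]);
    }
    return 0;
}
```

The rewrite changes the payload length (a private address and a public one rarely have the same digit count), so a real masquerading module must also adjust TCP sequence and acknowledgement numbers on the control connection and record the new public port in a masquerade entry tied to the control session, as Fred's "keep-alive" entry does; this example stops at the parsing and rewriting of the line itself.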
