On 26 Feb 99, at 23:55, David A. Ranch wrote about
"Re: [masq-dev] Patching ip_masq_ft":
| Hey Fred,
Nigel said:
| >| However the whole system was never designed to handle incoming
| >| connections to servers behind the masquerade and I think that the
| >| current attempts are producing a nasty ramshackle hack and the whole
| >| thing needs more carefully considering.
| >
| >Since I understand Nigel is the ip_masq maintainer, I assume this
| >means nothing official will happen with the patch.
|
| Wow! That was an AWESOME explanation of the FTP module.
Thanks! To give credit, I was clueless about the FTP keep-alive
issue until David DeSimone (Fuzzy Fox) explained it. That's why I
didn't bother to handle incoming PORT commands in the first update of
ip_masq_ftp.c.
| Mind
| if I put that on the MASQ WWW site?
I'd be honored.
| Anyway, I think this is a valuable patch
I sure think so. I was really, really surprised that Linux couldn't
handle a masq'ed FTP server "out of the box".
| though it might
| not be the best solution at the moment.
AFAIK, it is the *only* solution at the moment.
| Is anyone else working
| on a proper solution?
I don't know. I was hoping Nigel wanted to get a conversation going
on what a proper architecture would be. If the current ip_masq +
ip_masq_app + ipportfw approach is basically sound, then I have to
disagree with Nigel's comment. IMO, all I've done is correct an
oversight in Steve's IPPORTFW patch.
OTOH, if the ipportfw approach itself is a "ramshackle hack", then
certainly my patch doesn't change that for the better. But other
comments I've read have described ipportfw as "the right way", at
least compared to ipautofw, because of the way it integrates with
ip_masq. I'd like to hear specifically where Nigel sees problems
with the current approach.
| Have you heard if this patch breaks
| any other MASQ modules?
No. But until yesterday, I had only sent it to one other person who
contacted me privately (beside you and Steve). Three more people
have downloaded it from the FTP site since yesterday, so hopefully
they will give us some feedback.
The more I think about it, the more confident I am that this patch
won't break existing masq apps. After all, unless ipportfw is used
to redirect incoming connections to a masqed server, the app won't
get any packets it wouldn't have gotten with IPAUTOFW enabled. And
there's no sense in port forwarding an incoming connection for a
protocol that requires a masq app unless the app is first upgraded to
support masqed servers, like I did with ip_masq_ftp.
So if enabling IPAUTOFW doesn't break existing masq apps, my patch
shouldn't either.
- Fred Viles <mailto:[EMAIL PROTECTED]>
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
http://tiffany.indyramp.com/mailman/listinfo/masq
Admin requests can be handled by web (above) or [EMAIL PROTECTED]