From: "Xuan Baldauf" <[EMAIL PROTECTED]>

Hello Mr. Baldauf,
[...]

> so the problem is that netfilter creates a "matcher" like this:
>
> protocol tcp
> source-ip-address <server ip-address>
> source-port any
> destination-ip-address <router ip-address>
> destination-port <router masquerading-port>
>
> is that right? If so, is it possible to change this too-restrictive behaviour
> to something like
>
> protocol tcp
> source-ip-address any
> source-port any
> destination-ip-address <router ip-address>
> destination-port <router masquerading-port>
>
> I know that this may be a security problem, so this should only be optional.
> But on the other side, does the ftp server do anything wrong?

Well, if you changed the FTP NAT helper from its designed state to the one you describe, every computer in the world would essentially be able to access <router ip-address> at <router masquerading-port>, and you could forget any packet filter rules you implemented, because they wouldn't filter anymore.

With only one FTP server accessed it would be bad, but after you accessed several servers in a row you would allow any host to connect to many, many open ports on your side, building a great security risk.

-- 
Sascha Reissner - [EMAIL PROTECTED] - http://www.fireware.org/
PGP Fingerprint: 27C4 F5BB E4D7 7B44 A47A B1E7 6014 F3E5 85B1 BEF7
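The exchange above is about the "matcher" (in netfilter terms, a conntrack expectation) that the FTP helper registers for the data connection after translating a client's PORT command, and what happens when its source address is relaxed from the server's address to "any". The following Python is an added illustration written for this page; it is not part of the thread and not netfilter's code. It models the expectation as the fields the thread lists, runs a few constructed connection attempts against the designed and the relaxed variant, and counts the router ports an unrelated host could reach after three FTP sessions in a row. Addresses are RFC 5737 documentation ranges and the masquerading ports are made up; real expectations additionally carry tuple masks, timeouts and a per-connection limit, which are left out here.

```python
"""Model of the FTP NAT helper's data-connection "matcher" (a conntrack
expectation), comparing the designed behaviour (source pinned to the FTP
server) with the relaxed "source any" behaviour proposed in the thread.
Simplified illustration for this page, not netfilter's implementation."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Expectation:
    proto: str
    src_ip: Optional[str]  # None means "any source": the proposed relaxation
    dst_ip: str            # the router's public address
    dst_port: int          # port the helper rewrote the client's PORT command to


@dataclass(frozen=True)
class Syn:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def helper_expectation(server_ip: str, router_ip: str, masq_port: int,
                       any_source: bool = False) -> Expectation:
    """What the helper registers after translating an active-mode PORT command.
    The source port is always 'any'; the server chooses it when it connects."""
    return Expectation("tcp", None if any_source else server_ip, router_ip, masq_port)


def matches(exp: Expectation, syn: Syn) -> bool:
    """Field-by-field comparison of an incoming SYN against one expectation."""
    return (exp.proto == syn.proto
            and (exp.src_ip is None or exp.src_ip == syn.src_ip)
            and exp.dst_ip == syn.dst_ip
            and exp.dst_port == syn.dst_port)


def accepted(expectations: List[Expectation], syns: List[Syn]) -> List[Syn]:
    """SYNs that a rule accepting RELATED connections would let through the
    router: anything at least one live expectation matches."""
    return [s for s in syns if any(matches(e, s) for e in expectations)]


def ports_open_to(host_ip: str, router_ip: str,
                  expectations: List[Expectation]) -> List[int]:
    """Router ports that host_ip can reach because of the current expectations."""
    return sorted({e.dst_port for e in expectations
                   if e.dst_ip == router_ip
                   and (e.src_ip is None or e.src_ip == host_ip)})


# Constructed scenario (RFC 5737 documentation addresses, not real hosts).
ROUTER = "198.51.100.1"
SERVERS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]  # three FTP sessions in a row
MASQ_PORTS = [61001, 61002, 61003]  # one expected data port per session (made up)
ATTACKER = "192.0.2.66"             # a host that never spoke FTP with us


def build_expectations(any_source: bool) -> List[Expectation]:
    return [helper_expectation(s, ROUTER, p, any_source)
            for s, p in zip(SERVERS, MASQ_PORTS)]


SYNS = [
    Syn("tcp", SERVERS[0], 20, ROUTER, 61001),    # legitimate data connection
    Syn("tcp", ATTACKER, 40000, ROUTER, 61001),   # stranger hitting a data port
    Syn("tcp", ATTACKER, 40001, ROUTER, 61003),   # stranger hitting another one
    Syn("tcp", ATTACKER, 40002, ROUTER, 22),      # unrelated port: never expected
]


def compare() -> dict:
    """Run the same SYNs against the designed and the relaxed matcher."""
    strict = build_expectations(any_source=False)
    loose = build_expectations(any_source=True)
    return {
        "strict_accepted": accepted(strict, SYNS),
        "loose_accepted": accepted(loose, SYNS),
        "strict_exposed": ports_open_to(ATTACKER, ROUTER, strict),
        "loose_exposed": ports_open_to(ATTACKER, ROUTER, loose),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(name, value)
```

With the designed matcher only the server's own SYN gets through and the stranger reaches no port; with "source any", every host reaches every data port still held open by an expectation, one per recent FTP session, which is the accumulation the reply warns about.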
