Title: RE: conntrack/nat w monolithic kernel: how to ftp to servers on port other than 21?

Philipp Klostermann [mailto:[EMAIL PROTECTED]] wrote:
>
>To me it seems, that the simplest and the most brutal way to do it would
>be as follows:
>
>#define MAX_PORTS 0xffff
>...
>for (int i=0; i<0xffff; i++) ports[i]=i;
>
>(Alternatively I could find the place, where ports[0..x] is being
>checked against a port and kick that out...)
>
>But somehow I have this feeling,  that this would make my box *really*
>slow,  and that this is not, what the creators of netfilter thought
>of...

Hi Philipp,

You could have guessed that this is not really considered very smart:
every packet will be inspected for ftp control channel content, which
will slow down the firewall.

Additionally, since there are already a bunch of connection tracking
modules out there, the same line of reasoning could be applied to them.

If you had, say, 3 conntrackers loaded, every single packet would have
to get inspected by all three conntrackers. Obviously this doesn't
scale...

>Have you got any suggestions?

My guess is that there is something happening with active/passive
ftp. I guess your Linux friends' ftp clients are trying active/normal
ftp, and the Windows friends are using passive ftp.

A network strace should reveal more. Oh, and make sure those Linux
guys have both ip_conntrack_ftp and ip_nat_ftp loaded/compiled in!

Regards,
Filip
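The two points in Filip's reply (why widening the helper's port list to every port costs inspection work, and why active and passive FTP behave differently behind a conntrack/NAT box) can be seen in a small model of what the FTP conntrack helper does with the control channel. The following is an added illustration, not code from this thread or from netfilter; the `FtpHelper` class, its `observe` method and the sample session are constructed here. It mirrors the real helper's behaviour only in outline: packets are payload-inspected only when one side of the connection is a configured control port (the set that `ip_conntrack_ftp`'s `ports=` module parameter fills), and from inspected lines it extracts the data-connection endpoint announced by a client `PORT` command (active mode, server opens the data connection) or a server `227` reply (passive mode, client opens it), which is the "expectation" the firewall needs in order to let the data connection through.

```python
"""Model of an FTP connection-tracking helper's control-channel work.
Added example for illustration; not netfilter code."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# RFC 959 host-port form: h1,h2,h3,h4,p1,p2 (decimal bytes); port = p1*256 + p2.
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


@dataclass(frozen=True)
class Expectation:
    mode: str       # "active" (client sent PORT) or "passive" (server sent 227)
    host: str       # address that will listen for the data connection
    port: int       # port it will listen on
    opened_by: str  # "server" for active FTP, "client" for passive FTP


def _decode_hostport(m: "re.Match") -> Tuple[str, int]:
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("host-port field out of range: %r" % m.group(0))
    return ".".join(str(f) for f in fields[:4]), fields[4] * 256 + fields[5]


def parse_control_line(line: str) -> Optional[Expectation]:
    """Return the data-connection expectation a control line implies, else None."""
    text = line.strip()
    if text.upper().startswith("PORT "):        # client -> server: active mode
        m = HOSTPORT_RE.search(text[5:])
        if m is None:
            return None
        host, port = _decode_hostport(m)
        return Expectation("active", host, port, "server")
    if text.startswith("227"):                  # server -> client: passive mode
        m = HOSTPORT_RE.search(text)
        if m is None:
            return None
        host, port = _decode_hostport(m)
        return Expectation("passive", host, port, "client")
    return None


class FtpHelper:
    """Inspects payload only when one end of the TCP connection is a
    configured control port; the wider that set, the more packets get
    parsed (Philipp's concern when filling ports[] with every value)."""

    def __init__(self, control_ports: Iterable[int]):
        self.control_ports: Set[int] = set(control_ports)
        self.inspected = 0
        self.expectations: List[Expectation] = []

    def observe(self, src_port: int, dst_port: int, payload: str) -> Optional[Expectation]:
        if src_port not in self.control_ports and dst_port not in self.control_ports:
            return None                         # not an FTP control channel: no parsing
        self.inspected += 1
        exp = parse_control_line(payload)
        if exp is not None:
            self.expectations.append(exp)
        return exp


# Constructed sample traffic: (src_port, dst_port, payload line).
SAMPLE_TRAFFIC = [
    (40000, 21, "USER anonymous"),
    (40000, 21, "PORT 192,168,1,10,4,1"),                       # active: 192.168.1.10:1025
    (21, 40000, "200 PORT command successful"),
    (40001, 80, "GET / HTTP/1.0"),                              # unrelated web traffic
    (40000, 21, "PASV"),
    (21, 40000, "227 Entering Passive Mode (10,0,0,5,195,80)"),  # passive: 10.0.0.5:50000
    (40002, 2121, "PORT 192,168,1,10,4,2"),                     # FTP server on port 2121
]


def run_sample(control_ports: Iterable[int]) -> FtpHelper:
    helper = FtpHelper(control_ports)
    for src, dst, payload in SAMPLE_TRAFFIC:
        helper.observe(src, dst, payload)
    return helper


if __name__ == "__main__":
    for ports, label in (({21}, "ports=21"), ({21, 2121}, "ports=21,2121"),
                         (range(1, 65536), "all ports")):
        h = run_sample(ports)
        print("%-14s inspected=%d expectations=%d" % (label, h.inspected, len(h.expectations)))
```

With only port 21 configured, the session on port 2121 is never parsed, so its `PORT` command yields no expectation and the data connection would be dropped; adding 2121 to the control port set fixes that for one packet more of inspection, while configuring every port makes the helper parse the web traffic too. The same model also shows the active/passive asymmetry Filip points to: in active mode the server must open a connection back to the client, which a NAT box can only allow (and must address-rewrite) if the helper saw the `PORT` line.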
