Re: [conntrack_ftp] ftp _server_ behind dnat

Hi,

On Sat, 19 Feb 2011 at 17:35, Pascal Hambourg wrote:
> > Now I was thinking that the conntrack_ftp and nat_ftp modules are the
> > correct ones to configure it correctly. But after several tests and finally
> > reading the source code of conntrack_ftp I found out that this bunch of
> > logic only matches for a _client_ behind NAT (SNAT) using active FTP.
> > 
> > So am I right that there is no module out there that supports passive
> > FTP server behind DNAT?
> 
> What is your kernel version ?

2.6.36.2

> IME, nf_conntrack_ftp and nf_nat_ftp handle both passive and active
> modes. Briefly looking at the code, I can see mentions of PASV (standard
> passive), EPSV (extended passive), PORT (standard port) and EPRT
> (extended port).

True, it looks for PORT, EPRT, and in the reply for 227 and 229. But
false (as I understand the code) it registers only for active connections
(coming from port 21 or any port that is configured by option, but that
portlist is limited to 8 ports max).

As I read the code there seems to be no way to find a PORT command in outgoing
connections. But that has to be detected when DNAT is used.

> Maybe the netfilter list is a better place to ask.

Is there one? I just found this list and the -devel list but the latter
seems not the right place for this problem.

Regards
   Klaus
-- 
Klaus Ethgen                            http://www.ethgen.ch/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus@xxxxxxxxx>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B
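Added example (not part of this thread and not the kernel's nf_conntrack_ftp code): a minimal user-space C parser for the four control-channel messages discussed above (PORT, EPRT, 227, 229), showing which address and port each one announces and which side sends it. The names `ftp_endpoint`, `parse_hostport` and `ftp_parse_line` are hypothetical; EPRT is handled for IPv4 only and the 227 reply is assumed to use the parenthesised form.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Data-channel endpoint announced on the FTP control channel (hypothetical type). */
struct ftp_endpoint {
    uint32_t ip;     /* IPv4, host byte order; 0 for 229, which carries no address */
    uint16_t port;
    int from_server; /* 1 = 227/229 reply (passive), 0 = PORT/EPRT command (active) */
};

/* Parse the RFC 959 form "h1,h2,h3,h4,p1,p2". Returns 0 on success, -1 otherwise. */
static int parse_hostport(const char *s, struct ftp_endpoint *ep)
{
    unsigned v[6];
    if (sscanf(s, "%u,%u,%u,%u,%u,%u", &v[0], &v[1], &v[2], &v[3], &v[4], &v[5]) != 6 ||
        (v[0] | v[1] | v[2] | v[3] | v[4] | v[5]) > 255) /* any field above one octet */
        return -1;
    ep->ip = v[0] << 24 | v[1] << 16 | v[2] << 8 | v[3];
    ep->port = (uint16_t)(v[4] << 8 | v[5]);
    return 0;
}

/* Returns 0 and fills *ep when the line announces a data endpoint, -1 otherwise. */
int ftp_parse_line(const char *line, struct ftp_endpoint *ep)
{
    unsigned a, b, c, d, port;
    const char *p;
    memset(ep, 0, sizeof *ep);
    if (strncmp(line, "PORT ", 5) == 0)
        return parse_hostport(line + 5, ep);
    if (strncmp(line, "EPRT |1|", 8) == 0) { /* RFC 2428, protocol 1 = IPv4 */
        if (sscanf(line + 8, "%u.%u.%u.%u|%u", &a, &b, &c, &d, &port) != 5 ||
            (a | b | c | d) > 255 || port == 0 || port > 65535)
            return -1;
        ep->ip = a << 24 | b << 16 | c << 8 | d;
        ep->port = (uint16_t)port;
        return 0;
    }
    ep->from_server = 1; /* everything below is a server reply */
    if (strncmp(line, "227 ", 4) == 0)
        return (p = strchr(line, '(')) ? parse_hostport(p + 1, ep) : -1;
    if (strncmp(line, "229 ", 4) == 0 && (p = strstr(line, "(|||")) &&
        sscanf(p + 4, "%u", &port) == 1 && port > 0 && port <= 65535) {
        ep->port = (uint16_t)port; /* address is implied: same as the control channel */
        return 0;
    }
    return -1;
}
```

With a server behind DNAT, the address in a 227 reply is the server's internal one, which is why the NAT side has to rewrite it; a 229 reply carries only the port.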