Thank you for the response. So, ftp connection tracking doesn't always work. Just curious about what is the rationale for such a solution? Is it assumed that if the packet with PORT command is fragmented someone is deliberately attacking the system?

Cheers,
-Anil

----- Original Message -----
From: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
To: Anil Gunturu <anil@xxxxxxxxxxxxxxxxx>
Cc: netfilter@xxxxxxxxxxxxxxxxxxx
Sent: Sunday, January 14, 2007 11:47:23 PM GMT-0800 US/Pacific
Subject: Re: tcp conn tracking

On Sun, 14 Jan 2007, Anil Gunturu wrote:

> Does the tcp connection tracking reorder and reassemble the tcp data. I
> am particularly interested in how ip_conntrack_ftp works, if the tcp
> data for port command comes in two different out-of-order segments.

The connection tracking in netfilter defragments fragmented packets but does not reorder out of order packets. Moreover FTP connection tracking won't work on PORT/etc commands which arrive in multiple (not fragmented) packets, even if those are in order.

Best regards,
Jozsef
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
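An added illustration of the failure mode Jozsef describes; this is not code from the netfilter project or from anyone in the thread. It models an FTP helper that inspects each TCP segment's payload on its own (so a PORT command split across two in-order segments yields no data-connection expectation) next to a line-buffering variant that would need stream reassembly. The PORT command and the helper names are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# RFC 959 active-mode command: "PORT h1,h2,h3,h4,p1,p2\r\n" (data port = p1*256 + p2).
PORT_RE = re.compile(rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n")

def parse_port(payload: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) if payload holds one complete PORT command, else None."""
    m = PORT_RE.search(payload)
    if not m:
        return None
    h = [int(x) for x in m.groups()]
    return f"{h[0]}.{h[1]}.{h[2]}.{h[3]}", h[4] * 256 + h[5]

def helper_per_segment(segments: List[bytes]) -> List[Tuple[str, int]]:
    """Models the behaviour described in the thread: every segment is parsed in
    isolation, so a PORT command spanning two segments is never recognised and
    no expectation for the data connection is created (the transfer is dropped)."""
    return [exp for exp in map(parse_port, segments) if exp is not None]

def helper_with_line_buffer(segments: List[bytes]) -> List[Tuple[str, int]]:
    """What a fix would require: buffer control-channel bytes until a CRLF-terminated
    line is complete, then parse. Assumes in-order segments, which conntrack does
    not guarantee either, as the thread notes."""
    expectations, buf = [], b""
    for seg in segments:
        buf += seg
        while b"\r\n" in buf:
            line, _, buf = buf.partition(b"\r\n")
            exp = parse_port(line + b"\r\n")
            if exp is not None:
                expectations.append(exp)
    return expectations

# Constructed sample: one PORT command, once in a single segment and once split
# across two in-order segments (no IP fragmentation involved).
WHOLE = [b"PORT 192,168,1,10,7,209\r\n"]
SPLIT = [b"PORT 192,168,", b"1,10,7,209\r\n"]

if __name__ == "__main__":
    print("single segment :", helper_per_segment(WHOLE))   # [('192.168.1.10', 2001)]
    print("split, per-seg :", helper_per_segment(SPLIT))   # []
    print("split, buffered:", helper_with_line_buffer(SPLIT))  # [('192.168.1.10', 2001)]
```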