OK. Does the same thing apply to ftp when NAT is involved? If the port
command comes fragmented and out-of-order, and the conntrack module
doesn't reassemble the packets, the "inside" ip address goes out
untranslated. Is this considered a security breach?

Cheers,
-Anil

----- Original Message -----
From: Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>
To: Anil Gunturu <anil@xxxxxxxxxxxxxxxxx>
Cc: netfilter@xxxxxxxxxxxxxxxxxxx, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
Sent: Monday, January 15, 2007 8:59:48 AM GMT-0800 US/Pacific
Subject: Re: tcp conn tracking

> So, ftp connection tracking doesn't work always. Just curious about
> what is the rationale for such a solution? Is it assumed that if the
> packet with PORT command is fragmented someone is deliberately attacking
> the system?

Yes you can assume that. FTP commands are usually not that long to not
fit into a small packet.

-`J'
--
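The condition Anil asks about (a PORT command split across out-of-order segments that the helper does not rewrite) can be checked for on the NAT's outside interface. The following is an added example, not code from this thread or from netfilter itself: it reassembles the FTP control channel from TCP segments by sequence number, parses RFC 959 PORT commands, and flags any whose embedded address differs from the packet's translated source address. The segments, addresses and sequence numbers are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# RFC 959 PORT argument: h1,h2,h3,h4,p1,p2, six decimal octets
_PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Parse a complete 'PORT h1,h2,h3,h4,p1,p2' line into (ip, port).

    Returns None for anything that is not a well-formed PORT command."""
    m = _PORT_RE.match(line.strip())
    if not m:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


class CommandReassembler:
    """Rebuild CRLF-terminated FTP command lines from TCP segments.

    Segments may arrive out of order; they are held until the byte at
    next_seq is available, which is exactly the step the thread says the
    conntrack helper skips."""

    def __init__(self, initial_seq: int):
        self.next_seq = initial_seq
        self.pending: Dict[int, bytes] = {}  # early segments keyed by seq
        self.buf = b""

    def feed(self, seq: int, data: bytes) -> List[str]:
        self.pending[seq] = data
        # Drain every segment that is now contiguous with the stream.
        while self.next_seq in self.pending:
            chunk = self.pending.pop(self.next_seq)
            self.buf += chunk
            self.next_seq += len(chunk)
        lines = []
        while b"\r\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\r\n")
            lines.append(line.decode("ascii", errors="replace"))
        return lines


def port_leaks_inside_address(packet_src_ip: str, port_line: str) -> bool:
    """True when a PORT command seen outside the NAT still advertises an
    address other than the packet's own (translated) source address."""
    parsed = parse_port_command(port_line)
    if parsed is None:
        return False
    advertised_ip, _ = parsed
    # A private advertised address on the public side is the clearest sign
    # that the helper never rewrote the payload.
    return ipaddress.ip_address(advertised_ip).is_private and advertised_ip != packet_src_ip


def find_untranslated_port_commands(
    packet_src_ip: str, initial_seq: int, segments: List[Tuple[int, bytes]]
) -> List[str]:
    """Feed (seq, payload) segments in arrival order; return leaking PORT lines."""
    reassembler = CommandReassembler(initial_seq)
    hits = []
    for seq, data in segments:
        for line in reassembler.feed(seq, data):
            if port_leaks_inside_address(packet_src_ip, line):
                hits.append(line)
    return hits


if __name__ == "__main__":
    # Constructed sample: the PORT command is split in two and the second
    # half arrives first; the packet's source has been NATed to 203.0.113.5
    # but the payload still carries the inside host 192.168.1.10.
    sample = [
        (1013, b"1,10,4,1\r\n"),
        (1000, b"PORT 192,168,"),
    ]
    print(find_untranslated_port_commands("203.0.113.5", 1000, sample))
```

The reassembler only tracks one direction of the control channel and assumes the sequence numbers handed to it are already relative to the stream; in a real capture pipeline the TCP layer would supply both.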