[BUG] ip_nat_ftp fails for some ftp servers (fwd)

Sascha Reissner sascha.reissner@fireware.org
Sun, 7 Oct 2001 16:21:28 +0200


From: "Xuan Baldauf" <xuan--lkml@baldauf.org>

Hello Mr. Baldauf,


[...]

> so the problem is that netfilter creates a "matcher" like this:
>
> protocol              tcp
> source-ip-address     <server ip-address>
> source-port           any
> destination-ip-address <router ip-address>
> destination-port      <router masquerading-port>
>
> is that right? If so, is it possible to change this too-restrictive
> behaviour to something like
>
> protocol              tcp
> source-ip-address     any
> source-port           any
> destination-ip-address <router ip-address>
> destination-port      <router masquerading-port>
>
> I know that this may be a security problem, so this should only be
> optional. But on the other side, does the ftp server do anything wrong?

well, if you would change the ftp nat helper from its designed state to the
one described by you, every computer in the world would essentially be able
to access <router ip-address> at <router masquerading-port> and you could
forget any packetfilter rules you implemented, just because they wouldn't
filter anymore.

with accessing only one ftp server it would already be bad. but after you
accessed some servers in a row you would allow any host to connect to many,
many open ports on your side, building a great security risk.

--
Sascha Reissner  -  sascha.reissner@fireware.org  -
http://www.fireware.org/
PGP Fingerprint: 27C4 F5BB E4D7 7B44 A47A  B1E7 6014 F3E5 85B1 BEF7
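To make the point of the thread concrete, here is an added illustration (not kernel code and not part of the original mail) that models the FTP helper's "matcher" as a conntrack-style expectation with wildcard fields. It compares the designed behaviour, where the expected data connection is bound to the FTP server's address, against the relaxed variant proposed in the quoted mail, and counts which hosts and which masqueraded ports an unrelated machine could reach. All addresses, ports and the helper names are constructed for the example.

```python
"""Model of a netfilter FTP-helper expectation (added illustration, not kernel code)."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Expectation:
    """An expected inbound data connection; a None field means 'any'."""
    proto: str
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: str
    dst_port: int

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and (self.src_ip is None or pkt.src_ip == self.src_ip)
                and (self.src_port is None or pkt.src_port == self.src_port)
                and pkt.dst_ip == self.dst_ip
                and pkt.dst_port == self.dst_port)


def expectation_for_port_command(server_ip: str, router_ip: str, masq_port: int,
                                 bind_to_server: bool) -> Expectation:
    """Build the matcher the helper installs after rewriting a client's PORT command.

    bind_to_server=True is the designed behaviour described in the thread
    (source-ip-address = <server ip-address>); False is the relaxed variant
    (source-ip-address = any) that the quoted mail asks about.
    """
    return Expectation("tcp", server_ip if bind_to_server else None, None,
                       router_ip, masq_port)


# Constructed topology: one masquerading router, three FTP sessions in a row,
# each of which caused the helper to open a masqueraded port for the data
# connection.  Documentation address ranges are used throughout.
ROUTER_IP = "203.0.113.1"
SESSIONS = [("198.51.100.10", 61001), ("198.51.100.11", 61002), ("198.51.100.12", 61003)]
UNRELATED_HOST = "192.0.2.99"  # any third party on the Internet


def expectations(bind_to_server: bool) -> List[Expectation]:
    return [expectation_for_port_command(srv, ROUTER_IP, port, bind_to_server)
            for srv, port in SESSIONS]


def sample_packets() -> List[Packet]:
    """Constructed inbound packets: the legitimate data connections plus probes."""
    pkts = [Packet("tcp", srv, 20, ROUTER_IP, port) for srv, port in SESSIONS]
    # Server .10 trying a port that belongs to a different session.
    pkts.append(Packet("tcp", SESSIONS[0][0], 20, ROUTER_IP, SESSIONS[1][1]))
    # An unrelated host trying every masqueraded port.
    pkts += [Packet("tcp", UNRELATED_HOST, 4444, ROUTER_IP, port) for _, port in SESSIONS]
    return pkts


def admitted_hosts(bind_to_server: bool) -> Set[str]:
    """Source addresses for which at least one expectation admits a packet."""
    exps = expectations(bind_to_server)
    return {p.src_ip for p in sample_packets() if any(e.matches(p) for e in exps)}


def ports_reachable_by(src_ip: str, bind_to_server: bool) -> List[int]:
    """Masqueraded ports on the router that src_ip can reach through the expectations."""
    exps = expectations(bind_to_server)
    return sorted(p.dst_port for p in sample_packets()
                  if p.src_ip == src_ip and any(e.matches(p) for e in exps))


if __name__ == "__main__":
    for mode in (True, False):
        label = "bound to server" if mode else "source any"
        print(f"{label:16s} admitted={sorted(admitted_hosts(mode))} "
              f"unrelated host reaches={ports_reachable_by(UNRELATED_HOST, mode)}")
```

With the designed matcher only the three FTP servers are admitted, each to its own port, and the unrelated host reaches nothing; with the relaxed matcher the unrelated host reaches all three masqueraded ports, which is exactly the "many open ports" accumulation the reply warns about.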