Definitive list of protocols with NAT/conntrack support

Brian Kuschak brian.kuschak@skystream.com
Fri, 26 Oct 2001 11:48:29 -0700


Besides the single-connection limitation, the problem I found was that some
PPTP servers (Cisco) tend to initiate the first GRE packets to the client,
rather than waiting for the client to send the first GRE packet.  This means
netfilter sees a new packet from outside that doesn't match an existing
connection, therefore it is not demasqueraded.  I would see the PPTP server
continue sending GRE packets until it timed out.

I'll post the module I wrote as soon as I work out the most noticeable bugs.


-Brian


-----Original Message-----
From: Kinzer, Don [mailto:DKinzer@premia.com]
Sent: Friday, October 26, 2001 11:37 AM
To: 'netfilter-devel@lists.samba.org'
Subject: Re: Definitive list of protocols with NAT/conntrack support


As I understand it, a single PPTP session can be conducted through an
iptables firewall without a helper.  Supporting multiple simultaneous PPTP
connections requires connection tracking.  That is what Brian is
implementing.  His original message to this list regarding his work is found
at
http://lists.samba.org/pipermail/netfilter-devel/2001-October/002470.html.
I expect that he'll post again when it is completed.


-----Original Message-----
From: Scott McDermott [mailto:mcdermot@questra.com]
Sent: 26 Oct 2001 11:33 AM
To: netfilter@lists.samba.org
Subject: Re: Definitive list of protocols with NAT/conntrack support

I am using PPTP without any helper...you just allow GRE and a couple of
TCP ports...you're saying there is a module in development which will
allow this to be statefully tracked so I can use -m state with GRE
tunnel?
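A constructed model of the two failure modes discussed in this thread (added example, not code from the list or from Brian's module): a masquerading router that can only key GRE on addresses, beside one with a PPTP-aware helper that learns the call id from the TCP 1723 control channel before any GRE packet is seen. It assumes, per RFC 2637, that the GRE Key field carries the peer's call id; all addresses, ports and call ids are made up.

```python
GRE, TCP = 47, 6


class Nat:
    """Masquerading router: maps (proto, remote host, sub-id) back to a LAN host.
    The sub-id is the source port for TCP and the GRE Key (PPTP call id) for GRE."""

    def __init__(self, helper):
        self.helper = helper      # True = PPTP-aware helper that reads call ids
        self.reverse = {}         # (proto, remote, sub_id) -> lan_ip

    def outbound(self, proto, lan_ip, remote, sub_id):
        """LAN -> Internet packet. False means it could not be masqueraded."""
        if proto == GRE and not self.helper:
            sub_id = None         # plain conntrack keys GRE on addresses only
        key = (proto, remote, sub_id)
        if key in self.reverse and self.reverse[key] != lan_ip:
            return False          # a second client collides on the same key
        self.reverse[key] = lan_ip
        return True

    def control_call_request(self, lan_ip, remote, client_call_id):
        """Helper hook: an Outgoing-Call-Request on TCP 1723 reveals the call id
        the server will put in the GRE Key of packets it sends to this client."""
        if self.helper:
            self.reverse[(GRE, remote, client_call_id)] = lan_ip

    def inbound(self, proto, remote, sub_id):
        """Internet -> LAN packet. Returns the LAN destination, or None if dropped."""
        if proto == GRE and not self.helper:
            sub_id = None
        return self.reverse.get((proto, remote, sub_id))


def run(helper):
    server = "198.51.100.7"          # constructed PPTP server address
    nat = Nat(helper)
    # Client A brings up the control channel; the server then sends GRE first
    # (the Cisco behaviour from the thread) with A's call id in the Key field.
    nat.outbound(TCP, "10.0.0.2", server, 40001)
    nat.control_call_request("10.0.0.2", server, client_call_id=0x1001)
    server_first = nat.inbound(GRE, server, 0x1001)
    nat.outbound(GRE, "10.0.0.2", server, 0x2001)   # A's data, key = server call id
    # Client B tries a second session to the same server through the same router.
    nat.outbound(TCP, "10.0.0.3", server, 40002)
    nat.control_call_request("10.0.0.3", server, client_call_id=0x1002)
    second_ok = nat.outbound(GRE, "10.0.0.3", server, 0x2002)
    return {"server_first_gre": server_first, "second_client_gre": second_ok}
```

Without the helper the server-initiated GRE has no entry to match and is dropped, and the second client's GRE collides with the first; with the helper both succeed.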