[PATCH] new parameter for ip_conntrack_irc
Fri, 5 Apr 2002 07:55:23 +0200
On Fri, Apr 05, 2002 at 03:07:10AM +0200, Martin Josefsson wrote:
> This is a small patch to add a new parameter called loose to
> ip_conntrack_irc. It's against newnat.
> This parameter allows clients to use the "wrong" ip in DCC requests.
> If used in combination with ip_nat_irc this is no problem as it will
> replace the ip.
> I added this when I was told that newer versions of mIRC (windows
> client) default to using the ip the server says we have (the external
> ip) and we have quite a few of those clients here and I decided to be
As far as I know this behaviour is configurable, so people might just
configure their clients the right way ;)
On the other hand, the patch is dangerous in the way that it removes this
check. In principle this adds a similar 'vulnerability' to the IRC
connection tracking like we've had with ftp
> Harald, this is mostly just to get the patch out on the mailing list in
> case someone has a need for this. But if you like it please apply :)
Well, why do we have to accept all IP addresses? Why not just accept
the client's ip address and the IP address the control connection is
SNAT'ed to? This should solve the mIRC problem and still not cause
any security problem.
Or am I overlooking something?
Live long and prosper
- Harald Welte / firstname.lastname@example.org http://www.gnumonks.org/
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
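
Added example, not part of the original message and not the netfilter code: a user-space C model of the three address policies discussed in this thread (the strict check, the proposed `loose` parameter, and the suggestion to accept only the client's address or the address the control connection is SNAT'ed to). The struct, enum and function names are hypothetical, the addresses and IRC lines are constructed, and the parser assumes the usual `DCC <cmd> <arg> <ip> <port>` form with the address as a decimal 32-bit number.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

enum dcc_policy { DCC_STRICT, DCC_CLIENT_OR_SNAT, DCC_LOOSE };
/* Hypothetical model of what the tracker knows about the control connection. */
struct ctl_conn {
    uint32_t client_ip; /* source address of the IRC control connection */
    uint32_t snat_ip;   /* address it is SNAT'ed to, 0 when not NATed */
};

/* Extract <ip> and <port> from "\001DCC <cmd> <arg> <ip> <port>\001". */
static int parse_dcc(const char *msg, uint32_t *ip, uint16_t *port)
{
    const char *p = strstr(msg, "\001DCC "), *q;
    unsigned long long a, b;
    char *end, *end2;
    int n = 0;

    if (!p || sscanf(p + 5, "%*s %*s %n", &n) < 0 || n == 0)
        return -1;                       /* <cmd> or <arg> missing */
    q = p + 5 + n;
    a = strtoull(q, &end, 10);           /* out-of-range input saturates */
    if (end == q || *end != ' ' || a == 0 || a > 0xffffffffULL) return -1;
    b = strtoull(end, &end2, 10);
    if (end2 == end || b == 0 || b > 65535) return -1;
    *ip = (uint32_t)a; *port = (uint16_t)b;
    return 0;
}

/* 1 = create the expectation for the DCC data connection, 0 = ignore it. */
static int dcc_expect_ok(const struct ctl_conn *c, const char *msg, enum dcc_policy pol)
{
    uint32_t ip; uint16_t port;
    if (parse_dcc(msg, &ip, &port) < 0) return 0;
    if (pol == DCC_LOOSE) return 1;      /* any address: the check is gone */
    if (ip == c->client_ip) return 1;    /* what the strict check accepts */
    return pol == DCC_CLIENT_OR_SNAT && c->snat_ip != 0 && ip == c->snat_ip;
}

int main(void)
{
    struct ctl_conn c = { IP4(192, 168, 1, 10), IP4(203, 0, 113, 5) }; /* constructed */
    const char *m = "PRIVMSG bob :\001DCC SEND f 167772259 5000\001";  /* 10.0.0.99 */
    for (int pol = DCC_STRICT; pol <= DCC_LOOSE; pol++)
        printf("policy %d -> %d\n", pol, dcc_expect_ok(&c, m, (enum dcc_policy)pol));
    return 0;
}
```

With the constructed third-party address in `main`, only the loose policy would open an expectation; the client-or-SNAT policy still rejects it while accepting the external address that the mIRC behaviour described above produces.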