[Bug 71] dnat breaks connection tracking?

bugzilla-daemon@netfilter.org bugzilla-daemon@netfilter.org
Mon, 14 Apr 2003 09:51:32 +0200


https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=71

laforge@netfilter.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX



------- Additional Comments From laforge@netfilter.org  2003-04-14 09:51 -------
Please try enabling the debug code in ip_conntrack_ftp.c, I think the problem is
that the IP address contained in the data packet (PORT/PASV command) is
different from the IP header source/destination address.

In a 'normal' case, this would be most likely somebody trying to break the
firewall by specifying bogus addresses in order to set up connection expectations
at the firewall.

But in your case you will have to remove those checks from the conntrack/nat
helper code in order to make it work.  Please note, however, that you are
opening a major security hole.

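To make the check the comment refers to concrete, the following is an added user-space illustration, not code from the netfilter project or from anyone in this thread: it parses the address tuple carried in an FTP PORT command or 227 PASV reply and compares it with the source address from the IP header of the packet that carried it, which is what the conntrack FTP helper verifies before setting up an expectation. The function names, the sample command lines and the addresses are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stdlib.h>
#include <ctype.h>

/* Build a host-byte-order IPv4 address from four octets (example helper). */
#define IPV4(a, b, c, d) ((uint32_t)(((a) << 24) | ((b) << 16) | ((c) << 8) | (d)))

/* Parse the "h1,h2,h3,h4,p1,p2" tuple used by PORT commands and 227 replies.
 * Returns 1 on success and fills *addr (host byte order) and *port;
 * returns 0 on malformed input so that nothing is expected from it. */
static int parse_ftp_tuple(const char *s, uint32_t *addr, uint16_t *port)
{
    unsigned int v[6];
    char *end;
    int i;

    for (i = 0; i < 6; i++) {
        while (*s == ' ')
            s++;
        if (!isdigit((unsigned char)*s))
            return 0;
        v[i] = (unsigned int)strtoul(s, &end, 10);
        if (v[i] > 255)
            return 0;
        s = end;
        if (i < 5) {
            if (*s != ',')
                return 0;
            s++;
        }
    }
    *addr = IPV4(v[0], v[1], v[2], v[3]);
    *port = (uint16_t)((v[4] << 8) | v[5]);
    return 1;
}

/* Locate the tuple in "PORT h1,h2,h3,h4,p1,p2" (client -> server) or in
 * "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (server -> client). */
static int extract_ftp_tuple(const char *line, uint32_t *addr, uint16_t *port)
{
    const char *p;

    if (strncmp(line, "PORT ", 5) == 0)
        return parse_ftp_tuple(line + 5, addr, port);
    if (strncmp(line, "227 ", 4) == 0) {
        p = strchr(line, '(');
        if (p == NULL)
            return 0;
        return parse_ftp_tuple(p + 1, addr, port);
    }
    return 0;
}

/* Port announced in the payload, or -1 if the line carries no valid tuple. */
int ftp_payload_port(const char *line)
{
    uint32_t addr;
    uint16_t port;

    if (!extract_ftp_tuple(line, &addr, &port))
        return -1;
    return (int)port;
}

/* The check discussed in the comment: the address inside the FTP payload
 * must equal the source address of the IP header that carried it. A payload
 * naming a third-party address yields 0 and no expectation is created;
 * that is also why a DNAT in front of the client or server, which makes the
 * header address differ from the payload address, trips this check. */
int ftp_expectation_allowed(const char *line, uint32_t header_saddr)
{
    uint32_t payload_addr;
    uint16_t payload_port;

    if (!extract_ftp_tuple(line, &payload_addr, &payload_port))
        return 0;           /* unparsable: expect nothing */
    if (payload_port == 0)
        return 0;           /* port 0 is never a valid data connection */
    return payload_addr == header_saddr;
}

int main(void)
{
    /* Constructed sample lines and addresses, not captured traffic. */
    uint32_t client = IPV4(10, 0, 0, 5);

    printf("own address:   %d\n", ftp_expectation_allowed("PORT 10,0,0,5,4,1", client));
    printf("third party:   %d\n", ftp_expectation_allowed("PORT 192,168,1,1,4,1", client));
    printf("passive reply: %d\n",
           ftp_expectation_allowed("227 Entering Passive Mode (10,0,0,5,4,1)", client));
    return 0;
}
```

The second call is the case the comment describes: the payload names an address other than the one in the IP header, so the helper refuses to open a hole for it. A DNAT'd connection produces exactly the same mismatch, which is why removing the comparison to make such a setup work also removes protection against the bogus-address case.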