[Bug 44] New: ip_conntrak_ftp / ip_nat_ftp enhancements

bugzilla-daemon@netfilter.org bugzilla-daemon@netfilter.org
Thu, 06 Feb 2003 19:33:29 +0100


https://bugzilla.netfilter.org/cgi-bin/bugzilla/show_bug.cgi?id=44

           Summary: ip_conntrak_ftp / ip_nat_ftp enhancements
           Product: netfilter/iptables
           Version: linux-2.4.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: connection tracking
        AssignedTo: laforge@netfilter.org
        ReportedBy: schug@superig.com.br
                CC: netfilter-buglog@lists.netfilter.org


Well...
I have a suggestion. I don't know how good it is for you/us, or if you'll accept it, or if it exists already (I didn't find any answer for that).

For example:
All FTP connections are working fine... I have a dealer (server) that worked too, but about 2 weeks ago they changed their FTP server a bit, which caused a little pain (the data port never works).

What happens:

client ip (behind a linux firewall): 192.168.5.7
firewall (linux kernel 2.4.18 - adsl pppoe): 192.168.5.1 (local) 200.102.30.20 (ppp0)
ftp server (dealer) - 200.124.180.3

* they are not real...

When the FTP client sends a PORT command (dir, retrieve), all internals work fine; the firewall starts listening on the related port, expecting 200.124.180.3:0 mask 255.255.255.255:0.

Well, what they didn't tell me was that who was actually sending data over the data port was not 200.124.180.3, but 200.124.180.2 (I found it by myself, compiling the kernel, enabling debugs, inserting my own code, trying to understand what was going on. I ).

After that I changed the code a bit, making related ports expect 200.124.180.0:0 mask 255.255.255.0:0 (all in ip_nat_ftp.c ** I didn't go deep, just making it work for a while **), recompiling, inserting the module and testing. It worked fine...

What I am asking is whether you could fix this for future releases (or patches), so that the user could insert rules for the related IPs/ports in user space, making it more *reliable* for servers that we expect to be doing this.
 
Thanks a lot, and I would really appreciate it if you read and make this.
 
a big hug

Antonio
schug@superig.com.br
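
Added example (not part of the original report and not kernel code): a simplified model of the tuple/mask comparison behind the expectation described above, showing why a data connection from 200.124.180.2 misses a 255.255.255.255 source mask and matches a 255.255.255.0 one, and how many source addresses each mask admits. The struct layout, the function names, destination port 40000 and source port 20 are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a conntrack expectation: a tuple plus a mask.
 * Only the bits set in the mask are compared against the packet. */
struct tuple  { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; };
struct expect { struct tuple t, mask; };

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
}

/* Returns 1 if the packet equals the expected tuple on every masked bit. */
int expect_match(const struct expect *e, const struct tuple *p)
{
    return !(((p->src_ip   ^ e->t.src_ip)   & e->mask.src_ip)   ||
             ((p->dst_ip   ^ e->t.dst_ip)   & e->mask.dst_ip)   ||
             ((p->src_port ^ e->t.src_port) & e->mask.src_port) ||
             ((p->dst_port ^ e->t.dst_port) & e->mask.dst_port));
}

/* Expectation as set up after a PORT command: source is the control-channel
 * server with any source port (mask 0), destination is exact. src_mask is
 * the part the report changed. Returns 1 if a data connection from src
 * would be treated as related. Ports are constructed sample values. */
int data_conn_related(uint32_t src, uint32_t src_mask)
{
    struct expect e = {
        { ip4(200, 124, 180, 3), ip4(200, 102, 30, 20), 0, 40000 },
        { src_mask, 0xFFFFFFFFu, 0, 0xFFFF }
    };
    struct tuple p = { src, ip4(200, 102, 30, 20), 20, 40000 };
    return expect_match(&e, &p);
}

/* Number of distinct source addresses a source mask lets through. */
uint64_t sources_admitted(uint32_t src_mask)
{
    return (uint64_t)(uint32_t)~src_mask + 1;
}

int main(void)
{
    uint32_t alt = ip4(200, 124, 180, 2); /* host that really sends the data */
    printf("/32 match: %d, /24 match: %d, sources admitted by /24: %llu\n",
           data_conn_related(alt, 0xFFFFFFFFu),
           data_conn_related(alt, 0xFFFFFF00u),
           (unsigned long long)sources_admitted(0xFFFFFF00u));
    return 0;
}
```
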


