Re: fully transparent ftp-proxy?
On Thu, Oct 31, 2002 at 12:06:26AM +0100, Henning Brauer wrote:
> there is, you just wrote it:
> > A lookup in an empty list/tree would of course equal a single pointer
> > comparison
Yes, I'll go count the number of instructions that occur per packet
already, it's Halloween :)
> I question that it can be done secure at all.
We'd not allow inserting completely blank state templates, of course. I
think allowing only to leave out the source port would cover all useful
cases, and the packet would have to match both addresses and the
destination port to complete the state. And an attacker that spoofs at
the right time might complete the state, but he doesn't gain much, as he
can't complete the TCP handshake.
> people using ftp-proxy in front of an ftp-server which is not NATed make a
> fault. it's not needed.
There are more uses than just ftp-proxy. In fact, I don't care all that
much about servers wanting to log the real client ip, but other
translations have interesting potential :)
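The state-template idea sketched in the reply above (addresses and destination port mandatory, only the source port may be left out, the first matching packet completes the entry) as an added illustration. This is not pf code and not code from anyone in the thread; the `struct tmpl` layout, the fixed-size `table`, and the `tmpl_insert`/`tmpl_complete`/`tmpl_sport` names are assumptions made for the example, and the addresses and ports in `main` are constructed sample values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TMPL 8

/* Hypothetical "state template": a state inserted before the connection
 * exists, with the client's source port not yet known. */
struct tmpl {
	uint32_t saddr, daddr;	/* both addresses are mandatory */
	uint16_t dport;		/* destination port is mandatory */
	uint16_t sport;		/* 0 = left out, bound on completion */
	bool	 in_use;
	bool	 completed;
};

static struct tmpl table[MAX_TMPL];

static uint32_t
ip4(int a, int b, int c, int d)
{
	return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
	    ((uint32_t)c << 8) | (uint32_t)d;
}

void
tmpl_reset(void)
{
	memset(table, 0, sizeof(table));
}

/* Insert a template. A blank template (any of saddr/daddr/dport missing)
 * is refused; only the source port may be left out. Returns the slot
 * index, or -1 if refused or the table is full. */
int
tmpl_insert(uint32_t saddr, uint32_t daddr, uint16_t dport, uint16_t sport)
{
	int i;

	if (saddr == 0 || daddr == 0 || dport == 0)
		return (-1);
	for (i = 0; i < MAX_TMPL; i++) {
		if (!table[i].in_use) {
			table[i].saddr = saddr;
			table[i].daddr = daddr;
			table[i].dport = dport;
			table[i].sport = sport;
			table[i].in_use = true;
			table[i].completed = false;
			return (i);
		}
	}
	return (-1);
}

/* Per-packet check: a packet completes a template only if both addresses
 * and the destination port match, and the source port matches too when
 * the template fixed it. The first such packet binds its source port to
 * the state; later packets from other ports no longer match. Returns the
 * completed slot, or -1. */
int
tmpl_complete(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport)
{
	int i;

	for (i = 0; i < MAX_TMPL; i++) {
		struct tmpl *t = &table[i];

		if (!t->in_use || t->completed)
			continue;
		if (t->saddr != saddr || t->daddr != daddr || t->dport != dport)
			continue;
		if (t->sport != 0 && t->sport != sport)
			continue;
		t->sport = sport;
		t->completed = true;
		return (i);
	}
	return (-1);
}

/* Source port a completed slot was bound to (0 if not completed). */
uint16_t
tmpl_sport(int slot)
{
	if (slot < 0 || slot >= MAX_TMPL || !table[slot].completed)
		return (0);
	return (table[slot].sport);
}

int
main(void)
{
	int s;

	tmpl_reset();
	/* constructed sample: client 10.0.0.2 -> server 192.0.2.1, port 20 */
	s = tmpl_insert(ip4(10, 0, 0, 2), ip4(192, 0, 2, 1), 20, 0);
	printf("template slot %d, completed into slot %d, bound sport %u\n", s,
	    tmpl_complete(ip4(10, 0, 0, 2), ip4(192, 0, 2, 1), 34567, 20),
	    tmpl_sport(s));
	return (0);
}
```

The check in `tmpl_insert` is what keeps the template from degenerating into a blank wildcard entry, and `tmpl_complete` is the single comparison a packet pays for each pending template. It also makes the race the reply mentions visible: whichever packet with the right addresses and destination port arrives first gets its source port bound, after which the entry behaves like an ordinary fully specified state.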