Re: fully transparent ftp-proxy and other stories...

On Wed, Oct 30, 2002 at 11:34:16PM +0000, Roy Badami wrote:
> I have to admit that I can't immediately see why ftp-proxy should need
> to be patched to allow this.  Isn't this just the same as the usual
> case?
The usual case is ftp clients behind a NATing firewall, allowing active
data connections back from the server to the client. ftp-proxy inspects
and modifies the control connection stream so the server makes active
data connections to the firewall's address, and then connects to the
client and forwards the data.
If it's the ftp server behind the firewall, you want to modify 227
replies from the server and proxy passive data connections instead.
> iptables allows me to neatly sidestep this issue by defining my rules
> in topological terms.  I can write a rule that applies to packets sent
> from interface A to interface B without having to hardwire the list of
> networks into my packet filters.
I don't trust routing tables to influence filter rules. You set
securelevel = 2 to prevent filter rules modifications and then some BGP
fuckup opens your firewall wide open? Why do you need huge lists of
addresses in rule sets? I agree that duplicating them on multiple
interfaces is annoying, but that's what macros are for.
> (And the explicit form gets really messy when you have a network
> routed out of one interface, except for a small subnet of it which
> sits on another interface.)
That can be covered with two simple rules with one netblock each, the
second overriding the first, no?
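The two rewrites the reply describes (PORT commands from a client behind the firewall in the usual case, 227 replies from a server behind the firewall in the inverted case) come down to parsing and re-emitting the RFC 959 h1,h2,h3,h4,p1,p2 tuple. The following is an added example written for this page; it is not ftp-proxy's own code. The proxy address 192.0.2.1, the listening ports and the sample control-channel lines are constructed for illustration. The `expected_ip` check is a defensive addition: a proxy should only honour a data address that matches the peer it is already talking to on the control connection, otherwise it can be made to open connections to third parties.

```python
import re

# h1,h2,h3,h4,p1,p2 as used by both the PORT command and the 227 reply
# (RFC 959 section 4.1.2): four IPv4 octets, then the port as p1*256+p2.
HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Return (ip, port) from the first h1,...,p2 tuple in text, or None if absent/invalid."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        return None
    nums = [int(x) for x in m.groups()]
    if any(n > 255 for n in nums):
        return None
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def format_hostport(ip, port):
    """Encode ip/port back into the h1,h2,h3,h4,p1,p2 form."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def _checked_target(text, expected_ip):
    """Parse the tuple and refuse it if the host differs from the control-connection peer."""
    target = parse_hostport(text)
    if target is None or target[0] != expected_ip:
        return None
    return target


def rewrite_port_command(line, proxy_ip, proxy_port, expected_ip):
    """Usual case: client behind the firewall sends PORT. Returns
    ((client_ip, client_port), rewritten_line) so the proxy listens on
    proxy_ip:proxy_port for the server and then connects to the client;
    None if the line is not a PORT command or the address is not acceptable."""
    if not line.upper().startswith("PORT "):
        return None
    target = _checked_target(line, expected_ip)
    if target is None:
        return None
    return target, "PORT " + format_hostport(proxy_ip, proxy_port) + "\r\n"


def rewrite_227_reply(line, proxy_ip, proxy_port, expected_ip):
    """Inverted case: server behind the firewall answers PASV with 227. Returns
    ((server_ip, server_port), rewritten_line) so the client connects to
    proxy_ip:proxy_port and the proxy forwards to the server; None otherwise."""
    if not line.startswith("227"):
        return None
    target = _checked_target(line, expected_ip)
    if target is None:
        return None
    return target, "227 Entering Passive Mode (" + format_hostport(proxy_ip, proxy_port) + ").\r\n"


if __name__ == "__main__":
    # Constructed sample traffic; 192.0.2.1 stands in for the firewall's address.
    print(rewrite_port_command("PORT 192,168,1,20,4,1\r\n", "192.0.2.1", 40000, "192.168.1.20"))
    print(rewrite_227_reply("227 Entering Passive Mode (10,0,0,5,19,137).\r\n", "192.0.2.1", 49152, "10.0.0.5"))
    # Tuple naming a host other than the peer is refused.
    print(rewrite_227_reply("227 Entering Passive Mode (10,0,0,6,19,137).\r\n", "192.0.2.1", 49152, "10.0.0.5"))
```

In a real proxy the returned target is what the proxy connects to once the rewritten line has been forwarded and the counterpart connects to `proxy_ip:proxy_port`; the filter rules only need to permit the proxy's own listening port, not the client's or server's arbitrary data ports.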