
Re: Strange masq/port-forwarding problem



> I am redirecting TCP ports "ftp" and "ftp-data" of my firewall host to an 

If you're just naïvely redirecting them, you have missed an important
aspect of the ftp protocol - namely that unless you're using passive
(PASV) mode, data connections are made by the client telling the
server what address to connect to, in the ftp command stream (PORT).
In order to redirect ftp, you must rewrite the command stream as well,
or force the client to use PASV mode (which most web browsers do, by
default.)

This is why the ip_masq support includes a specific ip_masq_ftp
module; you can't do it "blind".

As for connections hanging with large data -- if you're filtering
ICMP, you may be filtering out ICMP_FRAG_NEEDED, which is important if
you have weird MTUs and anyone is doing Path MTU discovery (and just
about everyone is these days.)  If that isn't it, well, learn to use
tcpdump and see what *is* happening with one of those connections...
if you have RFC 793 up in one window and the tcpdump output in the
other, you can probably figure it out.

			_Mark_ <eichin@thok.org>
			The Herd of Kittens
			Debian Package Maintainer
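As an added illustration of the command-stream rewriting described above (example code written for this archive page, not part of the original message and not the ip_masq_ftp module itself), here is a minimal rewriter for the client's PORT command and the server's 227 PASV reply. The public address, the port allocator and the sample lines are assumptions; a real helper must also adjust TCP sequence numbers when the rewritten line changes length, which is exactly why this can't be done blind.

```python
import re

# Six comma-separated decimal fields: h1,h2,h3,h4,p1,p2 (port = p1*256 + p2).
ADDR6 = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
# Client -> server, active mode: "PORT h1,h2,h3,h4,p1,p2"
PORT_RE = re.compile(r"^(PORT\s+)" + ADDR6 + r"(\s*)$", re.I)
# Server -> client, passive mode: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)."
PASV_RE = re.compile(r"^(227 .*?\()" + ADDR6 + r"(\).*)$")

def decode_addr(groups):
    """Turn the six fields into ('h1.h2.h3.h4', port); None if an octet is out of range."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def encode_addr(ip, port):
    """Inverse of decode_addr: ('a.b.c.d', port) -> 'a,b,c,d,p1,p2'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

def rewrite_ftp_line(line, public_ip, allocate):
    """Rewrite the private endpoint embedded in a PORT command or 227 reply.

    allocate(private_ip, private_port) is an assumed callback that picks the
    public port the masquerading host will accept the data connection on and
    forward to the private endpoint.  Returns (new_line, mapping); mapping is
    (private_ip, private_port, public_port), or None if nothing was rewritten.
    """
    text = line.rstrip("\r\n")
    for rx in (PORT_RE, PASV_RE):
        m = rx.match(text)
        if not m:
            continue
        addr = decode_addr(m.groups()[1:7])
        if addr is None:          # malformed address: pass through untouched
            break
        priv_ip, priv_port = addr
        pub_port = allocate(priv_ip, priv_port)
        # Note the rewritten text may differ in length from the original, so the
        # TCP sequence/ack numbers of the control connection must be fixed up too.
        new = m.group(1) + encode_addr(public_ip, pub_port) + m.group(8)
        return new + "\r\n", (priv_ip, priv_port, pub_port)
    return line, None
```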

