Re: illegal ftp port request / ip_nat_ftp
--- Tom - 2Ergo Technical Support <tom.ststocktonergo.com> wrote:
What version kernel? Where did you get it/how was it built?
> Hi there,
>
> I'm seeing some funny behaviour on one of my debian woody firewalls.
> It
> manifests itself when making an active ftp connection from a
> SNATted client behind the firewall with the following error
>
> ftp> ls
> 501 Illegal PORT command
> ftp: bind: Address already in use
>
> I have the ip_nat_ftp and ip_conntrack_ftp modules loaded and the
> following version of iptables
>
> ii iptables 1.2.6a-5.0woody2 IP packet filter administration
> tools for 2.4.4+
>
> I have run ethereal to see what is going on and it appears that the
> firewall is modifying the PORT command and sending too many
> parameters.
>
> ie
>
> seen on the inside interface of the firewall:
>
> PORT 192,168,1,2,216,207
>
> which is ok
>
> however when seen on the outside interface it appears as:
>
> PORT 10,1,1,2,216,207,207
>
> which has a superfluous '207' parameter
>
I was very puzzled as to why it was "207,207" and not "207207",
indicating that the data was *moved*. Since the data should have only
been 3 bytes different and not 4 as in sizeof("PORT"). It's not odd then
that ' ' would not bring this up to (I.E. "2076,207"). In my kernel
it's not part of the original string, it's a special skip-to char that
marks the start of the number sequence.
I could not find any show stopping bugs with 2.6.8. Happy hunting.
/* Returns 0, or length of numbers: 192,168,1,1,5,6 */
static int try_rfc959(const char *data, size_t dlen, u_int32_t array[6],
		      char term)
{
	return try_number(data, dlen, array, 6, ',', term);
}
This should nicely handle the other case, though there could be a
fallback for spinning off a second pkt.
	if (rep_len > match_len && rep_len - match_len >
	    skb_tailroom(*pskb)
	    && !enlarge_skb(pskb, rep_len - match_len))
		return 0;
This can't work for the other, rep_len < match_len case.
	/* move post-replacement */
	memmove(data + match_offset + rep_len,
		data + match_offset + match_len,
		skb->tail - (data + match_offset + match_len));
<SNIP>
	/* update skb info */
	if (rep_len > match_len) {
<We shouldn't get here as the memmove above would kill its own data>
		DEBUGP("ip_nat_mangle_packet: Extending packet by "
			"%u from %u bytes\n", rep_len - match_len,
		       skb->len);
		skb_put(skb, rep_len - match_len);
	} else {
		DEBUGP("ip_nat_mangle_packet: Shrinking packet from "
			"%u from %u bytes\n", match_len - rep_len,
		       skb->len);
		__skb_trim(skb, skb->len + rep_len - match_len);
	}
> 192,168,1,2 - private ip address
> 10,1,1,2 - public ip address
>
>
> Any tips / advice / suggestions much appreciated.
>
> Regards
>
> Tom
>
> --
> Tom - 2Ergo Technical Support <tom.ststocktonergo.com>
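The following is an added example, not part of either message and not kernel code: a userspace model of the quoted move/insert step, applied to a PORT line built from the addresses in the thread. The names `mangle`, `port_args_len` and `rewrite_port` are hypothetical. Undercounting the match by 4 bytes is a constructed way to reproduce the reported "207,207" string (3 bytes gives "207207"), not a diagnosis of the poster's kernel, and the six-field check shows how such output can be caught.

```c
#include <stdio.h>
#include <string.h>
/* Userspace model of the quoted mangle step (constructed, not kernel code):
 * replace match_len bytes at off with rep; returns new length, 0 if no room. */
static size_t mangle(char *buf, size_t len, size_t cap, size_t off,
                     size_t match_len, const char *rep, size_t rep_len)
{
    if (len > cap || off + match_len > len ||
        (rep_len > match_len && rep_len - match_len > cap - len))
        return 0;                      /* the kernel tries enlarge_skb() here */
    memmove(buf + off + rep_len, buf + off + match_len,
            len - (off + match_len));  /* move post-replacement */
    memcpy(buf + off, rep, rep_len);   /* insert data from buffer */
    return len + rep_len - match_len;
}

/* Length of exactly six decimal fields (0..255) ended by term, else 0. */
static size_t port_args_len(const char *d, size_t dlen, char term)
{
    size_t i = 0, start, fields = 0;
    while (i < dlen) {
        unsigned v = 0;
        for (start = i; i < dlen && d[i] >= '0' && d[i] <= '9' && v <= 255; i++)
            v = v * 10 + (unsigned)(d[i] - '0');
        if (i == start || v > 255) return 0;   /* empty or oversized field */
        fields++;
        if (i >= dlen || d[i] != ',') break;
        i++;
    }
    return (fields == 6 && i < dlen && d[i] == term) ? i : 0;
}

/* Rewrite a constructed PORT line, undercounting the match by short_by bytes;
 * returns 1 only if the rewritten line is still a six-field PORT command. */
static int rewrite_port(size_t short_by, char *out, size_t cap)
{
    const char *line = "PORT 192,168,1,2,216,207\r\n", *rep = "10,1,1,2,216,207";
    size_t len = strlen(line), mlen = port_args_len(line + 5, len - 5, '\r');
    if (cap <= len + 1 || short_by > mlen) return 0;
    memcpy(out, line, len);
    len = mangle(out, len, cap - 1, 5, mlen - short_by, rep, strlen(rep));
    out[len] = '\0';
    return len && port_args_len(out + 5, len - 5, '\r') != 0;
}

int main(void)
{
    char out[64];
    printf("valid=%d %s", rewrite_port(4, out, sizeof out), out);
}
```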