Tugger the SLUGger! SLUG Mailing List Archives

Re: [SLUG] FW: FTP NAT/Conntrack problems


Luke McKee was once rumoured to have said:
> New info the topic:
[snipped]

Yes, and given that the original author posted the answer to this list
too, replicating here is just redundant.

>> -----Original Message-----
>> From: Crossfire [mailto:xfire@xxxxxxxx]
>> Sent: Thursday, May 17, 2001 1:44 PM
>> To: Luke McKee
>> Cc: 'slug@xxxxxxxxxxx'
>> Subject: Re: [SLUG] FW: FTP NAT/Conntrack problems
>> 
>>> Simply what I am trying to say is some Linux users running NAT in
>>> the version in 2.4 kernel can not access some FTP sites that
>>> others can access without trouble - because netfilter breaks
>>> RFCs. It even affects ftp client running on the nat box itself so
>>> if you are running NAT there is nothing you can do apart from
>>> login to another machine outside your private network or shut down
>>> NAT completely to get to that FTP site.
>> 
>> This is why FTP has passive mode.
> 
> Passive mode is where the client goes out and connects to the server to
> establish an ftp data stream. Yes, it solves the MASQ problem but not when
> servers are in a cluster behind a simple firewall.

It's not netfilter's problem if your servers are in a configuration
that prevents passive mode, which is SOP for ftping out from behind
firewalls, from functioning.
 
> In our instance and likely in MOST others passive mode will not work.
> Not all ftp servers that are behind a load balancer or firewall can have
> incoming connections permitted - i.e. bind on the firewalls IP - most
> servers in a load balanced array are behind a firewall. Therefore passive
> mode WILL NOT WORK.
> Remember not all firewalls SNAT or MASQ and or have them on by default.

I'm not. If you run an ftp server, you should make an effort to ensure
that passive FTP works since a lot of current FTP clients default to
passive.  Yet again, not netfilter's problem.
  
>> I now agree with Cris' comment on the slug home page:
>> "Unfortunately, whilst everyone was impressed with Netfilter, and
>> Chris's overview of it, no one was willing to entrust a production
>> firewall to Linux 2.4. Perhaps around 2.4.10"
> 
>> This was *NOT* my comment[2].  I use Netfilter at home, and I'm about to
>> deploy it into production.
> 
>> The NAT code in Netfilter is *far* better than the old Masq system in
>> 2.2 in terms of flexibility.
> 
>> You obviously didn't research this very well before jumping to
>> conclusions, and I do not appreciate being misrepresented.
> 
> Excuse me, I only cut and pasted from the website and said I agree
> with it. I didn't think I was likely to stuff up doing such a menial
> exercise. I should have realised you didn't say it - look, at least I
> said where I got the source from. Baah - what an ego.... rub it in
> good.

Attribution of source will not save your ass on a public forum if
you attribute it to the wrong person.  Get over it, you screwed up.
Furthermore, because you screwed up, I was forced to defend my name
and opinion.

> I say NO to the claim that I did not research what I wrote fully. I
> just spent the last day researching this topic trying to find out
> why some ftp sites didn't work with our implementation of netfilter
> + nat. Tested a hypothesis and found out it was correct from the
> developers on the netfilter mailing list. Then I suggested a fix -
> only to find out it already existed 5 minutes ago.

Well, if you had actually read the Netfilter website, you would have
found the security advisory that resulted in the patch, and details
about it.

> Well I could have hacked / looked at the code but seeing I'm not an
> elitist or a big code hacker like yourself I just did a couple of
> postings to the netfilter-users mailing list. Just calm down and
> stop flaming fellow Linux "users" - if you don't find them fellow
> you don't need to tell the whole world that.

Since you're not a `big code hacker', you should have been the last
person to make such an `advisory post'.  Leave it to the people who
know what they're doing.

> I didn't go on bragging that Winroute Pro works and Linux doesn't
> didn't I?  so I don't deserve a hiding from you ;_) or any other
> Linux users I tried to help with this tip that I found in my travels
> and experience :-).

Oh yes you did.  I don't care which camp you come from, if you post
crap, I will comment.

> If you're not happy being on a linux USERS list nobody is forcing you
> to stay subscribed to it. Yes most linux users should hack the code
> and contribute and not RELY on other people's time for support but it
> doesn't say anywhere that linux users have to be code
> hackers. Ignorance is bliss (till I go to Uni next year at least :-)

Ah, this explains it!  Another kiddy wannabe.  Maybe you'll have a
clue in a few more years.

C.
-- 
--==============================================--
  Crossfire      | This email was brought to you
  xfire@xxxxxxxx | on 100% Recycled Electrons
--==============================================--