Subject: Re: ipnat ftp proxy fix yet? (ever?)
To: Manuel Bouyer <bouyer@antioche.eu.org>
From: Sean Davis <dive@endersgame.net>
List: tech-net
Date: 10/28/2004 16:12:35

On Thu, Oct 28, 2004 at 10:01:57PM +0200, Manuel Bouyer wrote:
> On Thu, Oct 28, 2004 at 03:47:29PM -0400, Sean Davis wrote:
> > How many times do I have to say that I wasn't suggesting going back to
> > IPF3? What I was saying was that if Darren knew how to do it in ipf3,
> > he knows how to do it in ipf4.
>
> Of course he knows. The problem is that, as for most bugs, the author
> knows how to do it, and thinks he has done it right at all the places where
> it needs to be done. But he missed one, or worse, at one place he made a
> typo which causes the code to not work as intended.
>
> > The basic logic of how the ftp proxy
> > works can't be *THAT* different. There are only so many ways to skin
> > this particular cat.
>
> You assume the problem is in the ftp proxy. But it may be a bug somewhere
> else in ipf, triggered by the ftp proxy. This has been tracked down to
> some packets of the TCP flow being routed without having the addresses
> rewritten, *sometimes*. It looks like the problem isn't in the proxy, but
> in ipf itself.

Okay. Let's assume for a moment that the bug *is not* in the FTP proxy code
at all. Why, then, does commenting out the ftp proxy line in my ipnat.conf
enable passive FTP to work just fine through the NAT? To me that seems a
clear indication that it's related... perhaps some code is hit by outgoing
ftp connections when the ftp proxy is active that isn't hit when it isn't
active? I see your point that it may not be related to the ftp proxy, but it
still seems the most likely suspect to me, especially in light of the
difference made by disabling it.

-Sean

-- 
/~\ The ASCII
\ / Ribbon Campaign                   Sean Davis
 X  Against HTML                       aka dive
/ \ Email!
