* ip_conntrack_ftp.c kernel source more ports
From: HakRz1 @ 2004-01-20  7:38 UTC (permalink / raw)
  To: netfilter-devel

Hello,
    I'm trying to make a big security flaw in my network, but I want to try
anyway... What I'm trying to do is make ip_conntrack_ftp monitor all non-standard
ports instead of the default 21.
I know ip_conntrack_ftp.h is where port 21 gets defined.
Is there any way to make it monitor all FTP ports without typing in all the ports
manually?

I know a lot of you don't like this idea, but the way I figure it, to get
Active FTP to work on non-standard ports (or even using PASV) you can't
close the firewall; you can only close ports 1-1080 for PASV to work.
If I can get this module to work with all ports, then I can enable
ESTABLISHED and RELATED connections only... sounds more secure to me than
before with ports 1-1080 :)

Hope someone can help me with this.

Also, I already know about modprobe ip_conntrack_ftp ports=... etc., but this is
a hassle to do.

I'm running kernel 2.6.0 / iptables v1.2.8 / Slackware 9.1.

Thanks


* Re: ip_conntrack_ftp.c kernel source more ports
From: Harald Welte @ 2004-01-21 14:19 UTC (permalink / raw)
  To: HakRz1; +Cc: netfilter-devel


On Mon, Jan 19, 2004 at 11:38:08PM -0800, HakRz1 wrote:
> Hello,
>     I'm trying to make a big security flaw in my network, but I want to try
> anyway... What I'm trying to do is make ip_conntrack_ftp monitor all non-standard
> ports instead of the default 21.

what is your definition of 'all non-standard ports' ?

> I know ip_conntrack_ftp.h is where port 21 gets defined.
> Is there any way to make it monitor all FTP ports without typing in all the ports
> manually?

no, and there's a good reason for that: You add a huge performance
penalty to any kind of traffic on those ports.

After ftp, you would start to look for any kind of other protocol, like
h.323, irc, ... and then you would end up running all helpers on all
ports.

If you do that, performance cannot be important to you anymore.

Thus, you should use a transparent proxy for this kind of stuff.

> Thanks

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie


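Putting the two messages together: the poster already knows the ports= parameter, and the reply's point is that the helper belongs only on ports that actually carry FTP control traffic. The script below is an added example, not code from either poster or from netfilter; it generates (and only prints, so it can be reviewed before being piped to sh) a modprobe line for a named list of FTP control ports plus an INPUT policy that relies on the helper's RELATED tracking for the data channel. Assumed: a 2.6 kernel ip_conntrack_ftp that takes the ports= list and iptables 1.2.x syntax, as in the original poster's setup.

```shell
#!/bin/sh
# Added example: load ip_conntrack_ftp for named control ports only, then
# accept just ESTABLISHED/RELATED traffic plus NEW connections to those ports.
# Commands are printed, not executed; pipe the output to sh to apply it.

# Emit the modprobe line for the given FTP control ports (e.g. 21 2121).
# Assumes the module's comma-separated "ports=" parameter from the thread.
ftp_helper_modprobe() {
    ports=$(printf '%s,' "$@")
    ports=${ports%,}          # strip the trailing comma
    echo "modprobe ip_conntrack_ftp ports=$ports"
}

# Emit a minimal INPUT chain: default DROP, loopback allowed, anything
# conntrack already knows (ESTABLISHED) or expects (RELATED, i.e. the FTP
# data channel the helper saw in PORT/PASV) accepted, and NEW connections
# allowed only to the listed control ports.
ftp_firewall_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for p in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
}

# Usage: sh this_script.sh 21 2121 | sh   (review the output first)
if [ $# -gt 0 ]; then
    ftp_helper_modprobe "$@"
    ftp_firewall_rules "$@"
fi
```

No rule is needed for active or passive data connections: once the helper has parsed the control channel, the data connection matches RELATED.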
