From: Enrico Demarin <enricod@videotron.ca>
To: 'Philip Craig' <philipc@snapgear.com>
Cc: netfilter@lists.netfilter.org
Subject: RE: Conntrack PPTP broken in 2.4.22 ?
Date: Sun, 14 Sep 2003 21:23:52 +0200 [thread overview]
Message-ID: <008b01c37af5$bbca4f40$0440a8c0@SC2003002> (raw)
In-Reply-To: <3F650E9C.4060209@snapgear.com>
Thanks for the thorough explanation Craig, The info you sent
should be made part of the "help" section in the kernel configuration of
the GRE / PPTP modules.
Any idea if the PPTP conntrack module will make it into the mainstream
kernel ?
One more (unrelated?) question : is it possible to disable connection
tracking on a per interface basis ?
- Enrico
> -----Original Message-----
> From: Philip Craig [mailto:philipc@snapgear.com]
> Sent: lunedì 15 settembre 2003 2.58
> To: Enrico Demarin
> Cc: netfilter@lists.netfilter.org
> Subject: Re: Conntrack PPTP broken in 2.4.22 ?
>
>
> Enrico Demarin wrote:
> > I think at this point I miss the functionality of the
> pptp_conntrack
> > module ? When is it necessary to load it ?
>
> The module basically performs three tasks.
>
> 1. NAT of the callid
>
> This ensures that the PPTP callid is unique per client/server
> pair. This is only necessary when you have multiple clients
> that are NATed to the same source address. Without it, the
> server will get confused.
>
> 2. Tracking of gre connections
>
> The gre connections are tracked as RELATED connections, which
> makes it easy to add a rule to let them through the firewall.
>
> 3. NAT of gre connections
>
> This ensures incoming gre packets are forwarded to the
> correct internal server/client.
>
> Since you typically only have one internal server, this is
> just a convenience which means you don't need to add a gre DNAT rule.
>
> However this is necessary if you have multiple clients that
> are NATed to the same source address, so that the firewall
> knows which client to forward the gre packet to.
>
> NAT of gre can also be helpful for a single client. Without
> it, packets from the server may be dropped if the client
> hasn't sent a packet recently. This is because you typically
> don't have a DNAT rule to forward gre to the client, so the
> client has to send the gre packet first to establish the
> conntrack, and this conntrack will timeout after 30-180
> seconds of inactivity. You can workaround this problem by
> configuring PPP to send LCP echoes to keep the conntrack active.
>
> --
> Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
> SnapGear - Custom Embedded Solutions and Security Appliances
>
next prev parent reply other threads:[~2003-09-14 19:23 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-09-08 11:24 Conntrack PPTP broken in 2.4.22 ? Enrico Demarin
2003-09-12 0:37 ` Philip Craig
2003-09-12 11:01 ` Enrico Demarin
2003-09-15 0:58 ` Philip Craig
2003-09-14 19:23 ` Enrico Demarin [this message]
2003-09-15 5:40 ` Philip Craig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='008b01c37af5$bbca4f40$0440a8c0@SC2003002' \
--to=enricod@videotron.ca \
--cc=netfilter@lists.netfilter.org \
--cc=philipc@snapgear.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.