From: Enrico Demarin <enricod@videotron.ca>
To: 'Philip Craig' <philipc@snapgear.com>
Cc: netfilter@lists.netfilter.org
Subject: RE: Conntrack PPTP broken in 2.4.22 ?
Date: Sun, 14 Sep 2003 21:23:52 +0200 [thread overview]
Message-ID: <008b01c37af5$bbca4f40$0440a8c0@SC2003002> (raw)
In-Reply-To: <3F650E9C.4060209@snapgear.com>
Thanks for the thorough explanation Craig, The info you sent
should be made part of the "help" section in the kernel configuration of
the GRE / PPTP modules.
Any idea if the PPTP conntrack module will make it into the mainstream
kernel ?
One more (unrelated?) question : is it possible to disable connection
tracking on a per interface basis ?
- Enrico
> -----Original Message-----
> From: Philip Craig [mailto:philipc@snapgear.com]
> Sent: lunedì 15 settembre 2003 2.58
> To: Enrico Demarin
> Cc: netfilter@lists.netfilter.org
> Subject: Re: Conntrack PPTP broken in 2.4.22 ?
>
>
> Enrico Demarin wrote:
> > I think at this point I miss the functionality of the
> pptp_conntrack
> > module ? When is it necessary to load it ?
>
> The module basically performs three tasks.
>
> 1. NAT of the callid
>
> This ensures that the PPTP callid is unique per client/server
> pair. This is only necessary when you have multiple clients
> that are NATed to the same source address. Without it, the
> server will get confused.
>
> 2. Tracking of gre connections
>
> The gre connections are tracked as RELATED connections, which
> makes it easy to add a rule to let them through the firewall.
>
> 3. NAT of gre connections
>
> This ensures incoming gre packets are forwarded to the
> correct internal server/client.
>
> Since you typically only have one internal server, this is
> just a convenience which means you don't need to add a gre DNAT rule.
>
> However this is necessary if you have multiple clients that
> are NATed to the same source address, so that the firewall
> knows which client to forward the gre packet to.
>
> NAT of gre can also be helpful for a single client. Without
> it, packets from the server may be dropped if the client
> hasn't sent a packet recently. This is because you typically
> don't have a DNAT rule to forward gre to the client, so the
> client has to send the gre packet first to establish the
> conntrack, and this conntrack will timeout after 30-180
> seconds of inactivity. You can workaround this problem by
> configuring PPP to send LCP echoes to keep the conntrack active.
>
> --
> Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
> SnapGear - Custom Embedded Solutions and Security Appliances
>
next prev parent reply other threads:[~2003-09-14 19:23 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-09-08 11:24 Conntrack PPTP broken in 2.4.22 ? Enrico Demarin
2003-09-12 0:37 ` Philip Craig
2003-09-12 11:01 ` Enrico Demarin
2003-09-15 0:58 ` Philip Craig
2003-09-14 19:23 ` Enrico Demarin [this message]
2003-09-15 5:40 ` Philip Craig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='008b01c37af5$bbca4f40$0440a8c0@SC2003002' \
--to=enricod@videotron.ca \
--cc=netfilter@lists.netfilter.org \
--cc=philipc@snapgear.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox