Re: Conntrack PPTP broken in 2.4.22 ?

Linux Netfilter discussions
 help / color / mirror / Atom feed

From: Philip Craig <philipc@snapgear.com>
To: Enrico Demarin <enricod@videotron.ca>
Cc: netfilter@lists.netfilter.org
Subject: Re: Conntrack PPTP broken in 2.4.22 ?
Date: Mon, 15 Sep 2003 10:58:04 +1000	[thread overview]
Message-ID: <3F650E9C.4060209@snapgear.com> (raw)
In-Reply-To: <000301c3791d$401bc4c0$f901010a@SC2003002>

Enrico Demarin wrote:
> I think at this point I miss the functionality of the pptp_conntrack
> module ? When is it necessary to load it ?

The module basically performs three tasks.

1. NAT of the callid

This ensures that the PPTP callid is unique per client/server pair.
This is only necessary when you have multiple clients that are NATed
to the same source address.  Without it, the server will get confused.

2. Tracking of gre connections

The gre connections are tracked as RELATED connections, which makes
it easy to add a rule to let them through the firewall.

3. NAT of gre connections

This ensures incoming gre packets are forwarded to the correct
internal server/client.

Since you typically only have one internal server, this is just a
convenience which means you don't need to add a gre DNAT rule.

However this is necessary if you have multiple clients that are NATed
to the same source address, so that the firewall knows which client
to forward the gre packet to.

NAT of gre can also be helpful for a single client.  Without it,
packets from the server may be dropped if the client hasn't sent
a packet recently.  This is because you typically don't have a DNAT
rule to forward gre to the client, so the client has to send the gre
packet first to establish the conntrack, and this conntrack will
timeout after 30-180 seconds of inactivity.  You can workaround
this problem by configuring PPP to send LCP echoes to keep the
conntrack active.

-- 
Philip Craig - philipc@snapgear.com - http://www.SnapGear.com
SnapGear - Custom Embedded Solutions and Security Appliances

next prev parent reply	other threads:[~2003-09-15  0:58 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-09-08 11:24 Conntrack PPTP broken in 2.4.22 ? Enrico Demarin
2003-09-12  0:37 ` Philip Craig
2003-09-12 11:01   ` Enrico Demarin
2003-09-15  0:58     ` Philip Craig [this message]
2003-09-14 19:23       ` Enrico Demarin
2003-09-15  5:40         ` Philip Craig

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3F650E9C.4060209@snapgear.com \
    --to=philipc@snapgear.com \
    --cc=enricod@videotron.ca \
    --cc=netfilter@lists.netfilter.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox