Hi,
> What he has repeatedly said is that TCP has no record boundaries, so
> even if you always defragment (that obviously makes filtering easier),
> you still may get the application data in pieces, i.e. in different
> packets, for a number of reasons, some of them accidental, some of
> them intentional. You still might get the PORT command in several
> pieces.
Yes. But the Kernel only needs to store little information (at least for
FTP): If you receive:
PORT 1/packet border/23,13,45,45,4,67
You only need to store about 30 bytes for each NATed FTP Connection between
two packets. That is no big deal. On the other hand:
> So unless the packet level thing (whether it is for filtering or NAT)
> is also messing with the TCP engine, you are better off with a proxy.
> It will always work.
A combo method is a good solution. Handle the Control connection with a
user-mode Transparent-Proxy and let it set up a masquerade connection for
Data. Then you get the flexibility of Usermode with the Performance of
Kernel Masquerading.
Greetings
Bernd
--
  (OO)      -- Bernd_Eckenfels@Wittumstrasse13.76646Bruchsal.de --
 ( .. )   ecki@lina.{inka.de,ka.sub.org}   http://home.pages.de/~eckes/
  o--o    *plush*  2048/A2C51749  eckes@irc  +4972573817  *plush*
(O____O)  If privacy is outlawed only Outlaws have privacy