ftp security patch

From kadlec@blackhole.kfki.hu Mon Sep 17 11:01:38 2001
Date: Mon, 21 May 2001 11:41:19 +0200 (CEST)
From: Jozsef Kadlecsik 
To: netfilter-devel@lists.samba.org
Subject: [PATCH] paranoid FTP conntrack/NAT

Hello,

This patch implements a paranoid FTP state matching
engine in p-o-m friendly format:

- ports requested by PORT/EPRT requests are opened up
  (expected) only if the FTP server accepts the requested
  port.
- ports requested by PASV/EPSV responses from the FTP
  server are opened up (expected) only if the client
  explicitly issued the PASV/EPSV request.

The NAT part is based on a new feature, which should probably be
considered in the new netfilter NAT/conntrack helper design:
a connection announced by PORT/EPRT is registered as an expected connection,
but conditionally: packets belonging to the expected connection are not
accepted until the expected connection is enabled by the module (when
the server sends the OK response). Thus NAT can manipulate the expected
connection and the packet contents, while the paranoid FTP state matching
is still retained.
paranoid-ftp.tgz
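As an added illustration (not the patch itself, which is kernel code), the following user-space model implements the two rules from the mail over constructed FTP control-channel lines; the class and method names are hypothetical.

```python
import re

# Added example modelling the "paranoid" expectation rules; hypothetical names.
PORT_ARG = re.compile(r"^(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")   # h1,h2,h3,h4,p1,p2
PASV_REPLY = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_REPLY = re.compile(r"\(\|\|\|(\d+)\|\)")                    # (|||port|)


def _endpoint(m):
    return ".".join(m.group(i) for i in range(1, 5)), int(m.group(5)) * 256 + int(m.group(6))


class ParanoidFtpTracker:
    def __init__(self, server_ip):
        self.server_ip = server_ip
        self.pending = None          # PORT/EPRT endpoint registered, awaiting server OK
        self.pasv_requested = False  # client issued PASV/EPSV and the reply is outstanding
        self.enabled = set()         # data endpoints whose packets are accepted

    def client(self, line):
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        self.pasv_requested = cmd in ("PASV", "EPSV")   # any other command cancels it
        if cmd == "PORT":
            m = PORT_ARG.match(arg)
            if m:
                self.pending = _endpoint(m)              # conditional, not yet enabled
        elif cmd == "EPRT":
            parts = arg.split("|")                      # |1|ip|port|
            if len(parts) >= 5 and parts[1] == "1":
                self.pending = (parts[2], int(parts[3]))

    def server(self, line):
        code = line[:3]
        if self.pending is not None:
            if code == "200":                           # server accepted PORT/EPRT
                self.enabled.add(self.pending)
            self.pending = None                         # any other reply drops it
            return
        m = PASV_REPLY.search(line) if code == "227" else None
        e = EPSV_REPLY.search(line) if code == "229" else None
        if (m or e) and self.pasv_requested:            # reply only counts if asked for
            self.enabled.add(_endpoint(m) if m else (self.server_ip, int(e.group(1))))
        if code in ("227", "229") or code[0] in "45":
            self.pasv_requested = False

    def is_expected(self, ip, port):
        return (ip, port) in self.enabled
```

An unsolicited 227 reply, or a PORT the server rejects with a 5xx, never opens a data port.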