On Mon, 26 Feb 2001, BN wrote:
>At the time, mouss pointed out that most stacks do not
>remember the interface they received a packet on when making outbound
>routing decisions (for the WWW response). I didn't believe it at the time,
>and tested it in the lab. I can report that humbling "learning experiences"
>are good for the soul. ;)
A truly surprising result; I would've thought that a TCP connection would reply using
the incoming IP - or perhaps I misunderstand the process of assigning an IP to a NIC.
This may explain anomalies I've seen when using multiple IP addresses on a single card
- the incoming request was to a static NAT but the outgoing response went through the
NAT pool. (I sent a message to George and got the reply from Howard??)
This could make (reflective) firewall nightmares:
the outgoing request from frank:2345 to george:80
establishes an inbound reverse permit from george:80 to NATfrank:2345
but the response from howard:80 to NATfrank:2345 would be denied.
~Gary
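A small model of the reflexive-permit scenario Gary sketches above, added here as an illustration and not code from the original thread. It assumes a firewall that, on an outbound packet, opens a reverse entry mirroring the exact 4-tuple (the host names and the frank/NATfrank mapping are constructed from the message):

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class ReflexiveFirewall:
    """Minimal reflexive ACL: an outbound packet opens one reverse permit
    keyed on the mirrored (src, sport, dst, dport) after static NAT."""

    def __init__(self, nat_map):
        self.nat_map = nat_map          # inside IP -> NAT IP (constructed)
        self.reverse_permits = set()    # 4-tuples allowed back in

    def outbound(self, pkt):
        nat_src = self.nat_map.get(pkt.src_ip, pkt.src_ip)
        # Reverse entry: the peer we talked to must answer to NAT'ed source.
        self.reverse_permits.add((pkt.dst_ip, pkt.dst_port, nat_src, pkt.src_port))
        return Packet(nat_src, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return "permit" if key in self.reverse_permits else "deny"


def demo():
    """frank talks to george; george's reply fits the reverse entry, but a
    reply sourced from howard (the same multi-homed box, other address)
    does not match the 4-tuple and is denied."""
    fw = ReflexiveFirewall({"frank": "NATfrank"})
    fw.outbound(Packet("frank", 2345, "george", 80))
    return {
        "george": fw.inbound(Packet("george", 80, "NATfrank", 2345)),
        "howard": fw.inbound(Packet("howard", 80, "NATfrank", 2345)),
    }


if __name__ == "__main__":
    for peer, verdict in demo().items():
        print(f"reply from {peer}:80 -> NATfrank:2345: {verdict}")
```

Running it prints a permit for george and a deny for howard, which is exactly the symptom a stack that ignores the receiving interface when choosing its reply source would produce behind such a firewall.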
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]