I knew the code monkeys would come through.... comment below.

On Tuesday 12 April 2005 18:50, Kevin Toppenberg wrote:
> Mark may well be onto the source of the firewall
> problem.  In the file WSockc.pas, in the function
> NetStart, I see starting at line 716, a message that
> is constructed like this:
>   send IP address + port + workstation name and wait
> for OK
>
> **BUT** the IP address passed is a LocalName variable
> -- which is the **local** ip address.
>
> Thus it seems that the client is telling the server
> both the IP address and the port for the server to call
> back on.
>
> That doesn't seem to be designed right.  Shouldn't the
> server detect where the signal came from, and then
> just send back to that IP address?

YES, if the client is sending out PRIVATE addresses that are not routeable on 
the PUBLIC network, the first firewall or router they run into they will 
probably be dropped.  I know my firewall is set up to not allow OUTgoing 
packets with an INTernal or PRIVATE address space.  The offending packets get 
dropped before they hit the EXTernal interface on the firewall.  Let the 
firewall figure it out, don't pass the internal private address space into 
the call back.

> So to look at a part of Mark's log (with added
> comments)
>
> > APR 9,[EMAIL PROTECTED]:57:24  Got an inbound connection...
> > XWBTDEV("KEY")="CONNECT|h11130730440|83.235.97.122"
>
> ------------------
>
> Above we seem to have a signal coming in from
> 83.235.97.122
>
> ------------------
>
> > APR 9,[EMAIL PROTECTED]:57:24  LEN={XWB}00060|
> > APR 9,[EMAIL PROTECTED]:57:24  X=, XWBVER=1.108, LEN=00048,
> > MSG=TCPconnect^192.168.0.2^33560^mobile.geekdoc.org^
>
> ------------------
>
> But the RPC message is asking the server to call back
> to 192.168.0.2
>
> ------------------
>
> > APR 9,[EMAIL PROTECTED]:57:24  Final
> > MSG='TCPconnect^192.168.0.2^33560^mobile.geekdoc.org^'
>
> > APR 9,[EMAIL PROTECTED]:57:24  Entering 'callback' mode
> > APR 9,[EMAIL PROTECTED]:57:24  Entering the loop: X
> > ^%ZOSF("INTERRUPT")
> > APR 9,[EMAIL PROTECTED]:57:24  About to listen for
> > connection...
>
> ------------------
> ------------------
>
> So it seems that the server should be changed to
> ignore the requested callback IP, and just send it
> back to the incoming address.
-- 
Mark Street, RHCE
http://www.oswizards.com
--
Key fingerprint = 3949 39E4 6317 7C3C 023E  2B1F 6FB3 06E7 D109 56C0
GPG key http://www.oswizards.com/pubkey.asc
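The server-side check Kevin and Mark describe (use the address the connection actually came from, not the one carried inside the TCPconnect message), sketched as an added example in Python rather than the broker's own M code; the `TCPconnect^ip^port^workstation^` field layout is taken from the log above, the function names and the peer address are this example's own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class CallbackRequest:
    advertised_ip: str   # the client's LocalName value from WSockc.pas
    port: int
    workstation: str


@dataclass
class CallbackDecision:
    address: str   # where the server should actually call back
    reason: str    # "match", "non_routable" or "mismatch"


def parse_tcpconnect(msg: str) -> CallbackRequest:
    """Parse the '^'-delimited payload seen in the log: TCPconnect^ip^port^name^."""
    parts = msg.split("^")
    if parts[0] != "TCPconnect" or len(parts) < 4:
        raise ValueError(f"not a TCPconnect message: {msg!r}")
    return CallbackRequest(parts[1], int(parts[2]), parts[3])


def choose_callback_address(msg: str, peer_ip: str) -> CallbackDecision:
    """Decide the callback target from the message and the socket's peer address.

    The peer address always wins; the advertised one is only used to explain why
    (a private/loopback/link-local address cannot be reached through a firewall).
    """
    req = parse_tcpconnect(msg)
    advertised = ipaddress.ip_address(req.advertised_ip)
    peer = ipaddress.ip_address(peer_ip)
    if advertised == peer:
        return CallbackDecision(str(peer), "match")
    if advertised.is_private or advertised.is_loopback or advertised.is_link_local:
        return CallbackDecision(str(peer), "non_routable")
    return CallbackDecision(str(peer), "mismatch")


if __name__ == "__main__":
    # Constructed from Mark's log: inbound from 83.235.97.122, message asks for 192.168.0.2.
    msg = "TCPconnect^192.168.0.2^33560^mobile.geekdoc.org^"
    decision = choose_callback_address(msg, "83.235.97.122")
    print(f"callback to {decision.address} ({decision.reason})")
```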


_______________________________________________
Hardhats-members mailing list
Hardhats-members@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/hardhats-members
