At 08:41 AM 2/12/03 -0800, Tom Eastep wrote:
> Ray Olszewski wrote:
> > At 07:13 AM 2/12/03 -0800, Tom Eastep wrote:
> > >
> > > Sean E. Covel wrote:
> > >
> > > > BTW,
> > > > I did send Eyeball Chat a help request
> > > > [...]
> > >
> > > I just read their Magic Bullet paper and I think that it works with Dachstein because on Dachstein (as with Seawall), the "Masquerade Port Range" is left open by the firewall. This allows incoming SYN packets to sail right through the firewall AND will even route it to the correct internal system. It is a cute trick except that it is based on being able to exploit the primitive capabilities of ipchains.
> >
> > Tom -- Can you expand on this just a little bit more? (Or Lynn, can you?) This conclusion is kind of where I got to last night, but only for TCP. What is the equivalent of "SYN packet" detection for UDP? Or, to put it another way, how does iptables (or Shorewall) determine the state associated with a UDP packet? I can't figure it out from the iptables docs I have.
>
> It's actually easier for UDP since UDP is connectionless. Applications can simply send a datagram to (external_ip,external_port). If the port is in the masquerade range, then it will be "open", and if the EyeBall client running on (internal_ip) has established a port mapping entry in the firewall of (external_port,internal_port) by having sent a datagram to the EyeBall server (who notes the external_port), then the incoming packets will sail right through.
>
> After having given it some more thought, I don't believe that the same trick will work with TCP because it would require the EyeBall application to listen() on a connected socket.

Yeah, this was my reasoning too (though my thinking about TCP is a bit more involved). And in reading between the lines a bit, I pretty much inferred that EyeBall uses UDP for the p2p part, and TCP only for the connection to the EyeBall server (where no trickery is needed).

But it still leaves unanswered one question that I really would appreciate your (or somebody's -- Lynn?) help with:

iptables lets me specify state rules for ACCEPTing all packet types, not just TCP. For UDP, what test does ipchains apply to a packet to classify it as NEW, ESTABLISHED, RELATED, or INVALID? I see nothing in the UDP spec that it can use (for NEW vs ESTABLISHED, specifically). Is this a bogus capability, or is there some neat trick that I cannot fathom?


--
-------------------------------------------"Never tell me the odds!"--------
Ray Olszewski -- Han Solo
Palo Alto, California, USA [EMAIL PROTECTED]
-------------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html