On Wednesday 12 February 2003 11:05 am, Ray Olszewski wrote:

> Yeah, this was my reasoning too (though my thinking about TCP is a bit more
> involved). And in reading between the lines a bit, I pretty much inferred
> that EyeBall uses UDP for the p2p part, and TCP only for the connection to
> the EyeBall server (where no trickery is needed).

OK, Dachstein doesn't filter any high UDP ports which leaves the NAT'ing
UDP ports open for connection.... Shorewall does through the conntrack filter.
I'm assuming the TCP portion of the connection (and possibly the UDP
connection setup) is done through Eyeball's server. This will also work with
iptables if conntrack is NOT loaded, and also what I imagine the Eyeball
doc alludes to.


> But it still leaves unanswered one question that I really would appreciate
> your (or somebody's -- Lynn?) help with:
>
> iptables lets me specify state rules for ACCEPTing all packet types, not
> just TCP. For UDP, what test does ipchains apply to a packet to classify it
> as NEW, ESTABLISHED, RELATED, or INVALID? I see nothing in the UDP spec
> that it can use (for NEW vs ESTABLISHED, specifically). Is this a bogus
> capability, or is there some neat trick that I cannot fathom?

I don't think it does, I believe they sniff the connection through their
application and locate the NAT port that is being used on the remote
firewall(s). I don't believe there is a SYN-type UDP packet involved in
the connection. But this is merely a WAG. I really am not seeing anything
that Tom hasn't stated and I haven't gone through any white-papers on
this type of exploit (connection).  ;-)

It will definitely be interesting if there is something else involved though...
I would like to hear about it as well!
-- 
~Lynn Avants
Linux Embedded Appliance Firewall developer
http://leaf.sourceforge.net


------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
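
On the quoted question of how a state match can classify UDP as NEW or ESTABLISHED, the following is an added example, not part of the original message and not netfilter's code. It is a simplified model of how connection tracking keeps pseudo-state for UDP: it keys each flow on its address/port tuple, treats the flow as ESTABLISHED once a packet arrives on the mirrored tuple, and ends it by timer. The class and function names, the sample addresses and the timeout values are assumptions made for illustration.

```python
"""Simplified model of stateful UDP tracking (illustrative, not netfilter's code)."""
from dataclasses import dataclass
# Assumed timeouts in seconds, modelled on common conntrack defaults.
UNREPLIED_TIMEOUT = 30
REPLIED_TIMEOUT = 180

@dataclass
class Flow:
    seen_reply: bool
    expires: float

class UdpTracker:
    def __init__(self):
        self.flows = {}  # key: (src, sport, dst, dport) of the flow's first packet

    def classify(self, src, sport, dst, dport, now):
        """Return 'NEW' or 'ESTABLISHED' for one UDP packet seen at time `now`."""
        # UDP has no FIN/RST, so only a timer can end a tracked flow.
        self.flows = {k: f for k, f in self.flows.items() if f.expires > now}
        orig = (src, sport, dst, dport)
        reply = (dst, dport, src, sport)
        if reply in self.flows:
            # Packet mirrors a tracked tuple: the flow is now two-way.
            flow = self.flows[reply]
            flow.seen_reply = True
            flow.expires = now + REPLIED_TIMEOUT
            return "ESTABLISHED"
        if orig in self.flows:
            flow = self.flows[orig]
            timeout = REPLIED_TIMEOUT if flow.seen_reply else UNREPLIED_TIMEOUT
            flow.expires = now + timeout
            return "ESTABLISHED" if flow.seen_reply else "NEW"
        # No entry in either direction: first packet of a flow.
        self.flows[orig] = Flow(seen_reply=False, expires=now + UNREPLIED_TIMEOUT)
        return "NEW"

def demo():
    """Constructed sample traffic: a LAN client and a remote peer."""
    t = UdpTracker()
    lan, peer = ("192.168.1.10", 5000), ("203.0.113.7", 6000)
    return [
        t.classify(*lan, *peer, now=0),    # outbound, first packet
        t.classify(*lan, *peer, now=1),    # outbound again, no reply yet
        t.classify(*peer, *lan, now=2),    # inbound on the mirrored tuple
        t.classify(*lan, *peer, now=3),    # outbound after the reply
        t.classify(*peer, *lan, now=400),  # inbound after the entry expired
    ]
```

In this model an inbound packet is ESTABLISHED only while an outbound flow with the exact mirrored tuple is still tracked, so a ruleset that accepts only ESTABLISHED traffic inbound would not pass the last packet.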