[EMAIL PROTECTED] said:
>  So the real problem is that in certain situations (masqueraded
> connections, kernels > 2.1.108), tcp.live is calculated incorrectly.
> We should really fix that, I guess, instead of patching over it in the
> filter rules.  Not tonight, though.  :-) 

Has anyone found a complete answer to this problem yet?

I've implemented the rules suggested...

Rule 6: ignore tcp ip.tot_len=40,tcp.live,!tcp.fin
Rule 13: keepup tcp 30 tcp.fin
Rule 14: ignore tcp tcp.fin
This only helps a little.

When a masqueraded host connects to the outside world, I get two entries in 
the diald connection queue - one from the client to the outside host, and one 
from the firewall to the outside host:

(Firewall: 158.152.16.50, Masq client: 10.0.1.4, outside host: 131.111.217.175)

tcp          10.0.1.4/2464   131.111.217.175/23     00:07:28
tcp   131.111.217.175/23       158.152.16.50/61343  00:07:28
Surely the connection from the masqueraded host (10.x.x.x) shouldn't appear in 
the connection queue at all - if diald is snooping the packets which go out 
the ISDN link then it shouldn't see anything from the private network.

Whatever the cause, the result is that only one of the connections is removed
from the queue when the session ends, depending on which machine actually
terminates the connection. If the internal machine terminates the connection,
then the connection from the firewall to the outside remains in the queue, and
vice versa. The link still remains up for ten minutes waiting for the other
connection to time out.

I've tried Mike Jagdis' version which uses (AF_PACKET, SOCK_DGRAM) instead of 
(AF_INET, SOCK_PACKET), and it behaves entirely the same way. It still sees 
packets that it shouldn't.
----                              ----                              ----
David Woodhouse        [EMAIL PROTECTED]       Office: (+44) 1223 812896 
 Project Leader,     Process Information Systems      Mobile: (+44) 976 658355
    Axiom (Cambridge) Ltd., Swaffham Bulbeck, Cambridge, CB5 0NA, UK.
             finger [EMAIL PROTECTED] for PGP key.
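An added diagnostic for the situation described above (my own example, not diald code or anything from the message): it parses a connection-queue listing like the one quoted and pairs each private-address entry with the firewall-side entry for the same outside endpoint, i.e. the two records diald keeps for one masqueraded session. The sample listing is constructed from the addresses quoted in the message, and the firewall address is passed in as an assumption.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of a diald connection-queue listing (addresses follow the
# message above; this is not captured diald output).
SAMPLE_QUEUE = """\
tcp          10.0.1.4/2464   131.111.217.175/23     00:07:28
tcp   131.111.217.175/23       158.152.16.50/61343  00:07:28
tcp   158.152.16.50/61344      131.111.217.175/80   00:00:12
"""

LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+(?P<src>[\d.]+)/(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+)/(?P<dport>\d+)\s+(?P<ttl>\d\d:\d\d:\d\d)\s*$"
)

def parse_queue(text: str) -> List[Dict[str, str]]:
    """Parse lines of the form 'proto a/p b/q hh:mm:ss'; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def _has_private_side(e: Dict[str, str]) -> bool:
    return any(ipaddress.ip_address(a).is_private for a in (e["src"], e["dst"]))

def outside_end(e: Dict[str, str], fw: str) -> Optional[Tuple[str, str]]:
    """The (ip, port) that is neither a private address nor the firewall's own."""
    for ip, port in ((e["src"], e["sport"]), (e["dst"], e["dport"])):
        if ip != fw and not ipaddress.ip_address(ip).is_private:
            return (ip, port)
    return None

def find_masq_duplicates(entries: List[Dict[str, str]], fw: str):
    """Pair each private-side entry with the firewall-side entry that shares its
    protocol and outside endpoint, regardless of which direction was recorded."""
    by_outside: Dict[tuple, list] = {}
    for e in entries:
        if fw in (e["src"], e["dst"]) and not _has_private_side(e):
            by_outside.setdefault((e["proto"], outside_end(e, fw)), []).append(e)
    pairs = []
    for e in entries:
        if _has_private_side(e):
            for m in by_outside.get((e["proto"], outside_end(e, fw)), []):
                pairs.append((e, m))
    return pairs

if __name__ == "__main__":
    for priv, masq in find_masq_duplicates(parse_queue(SAMPLE_QUEUE), "158.152.16.50"):
        print("masq duplicate:", priv["src"], "and", masq["src"], "->", outside_end(priv, "158.152.16.50"))
```

Each pair reported is a session that will hold the link up until both entries time out, which is the ten-minute wait described above.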