Here I come, now with documentation:

http://www.cs.princeton.edu/~jns/security/iptables/iptables_conntrack.html

The important point here is that the conntrack states are not equivalent to TCP states. We have already seen that a connection doesn't achieve the TCP connection status of ESTABLISHED until the ACK after the SYN+ACK has been received. The representation of the TCP connection states in the state table is purely for timeouts. You can prove this to yourself by sending an ACK packet through your firewall to a non-existent machine (so that you don't get the RST back). It will create a state table entry no problem because it is the first packet of a connection and so is treated as NEW (the entry will not be marked as ASSURED though).

Yes, I was talking nonsense about TCP. The rest is written at the address above.

Paul "thank you" Moflic

On Fri, 2001-11-02 at 21:38, Paul Catalin MOFLIC wrote:
>
> I might be talking nonsense, but I think netfilter works at the IP level
> and doesn't know about connections. That's TCP's business. The tuples are
> formed from IP and port, not from SYN/ACK (this is already shaky ground,
> I've forgotten a lot). I still think you should tweak the TCP parameters
> for the connection (the timeout in particular).
>
> Paul
>
> On Fri, 2001-11-02 at 21:32, Mihai Marusca wrote:
> >
> > I have an application (a client) that stays connected (via TCP, behind
> > a NAT) to a server half a globe away. Now and then it sends something;
> > now and then it receives something.
> >
> > The thing is that after a period of calm (i.e. zero traffic), on the
> > first byte transmitted the application instantly gets "connection reset
> > by peer". The application wasn't written by me but by a colleague, so I
> > let him solve his own problem. He struggled a lot and didn't figure out
> > the trick; instead he nagged the people at the other end of the wire
> > until they realised the same thing happens on their side too.
> >
> > Today, in a moment of divine inspiration, I remembered that netfilter
> > has some timeout and, when it is exceeded, deletes the connection from
> > its internal tables. So I figured that on the first packet arriving on
> > a connection the NAT has abandoned, the router sends back a packet
> > saying "connection reset by peer".
> >
> > Can anyone confirm this? If I use a routable IP, will it happen less
> > often?
> >
> > [The communication protocol (above TCP/IP) is very rigid; no chance of
> > sending a harmless packet now and then]
> >
> > Mihai
> >
> > ---
> > Send e-mail to '[EMAIL PROTECTED]' with 'unsubscribe rlug' to
> > unsubscribe from this list.
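The two behaviours the thread turns on, that a bare ACK with no prior entry is still classified NEW (and not ASSURED), and that the TCP-state column only selects which idle timeout purges the entry, can be seen in a small model. The Python below is an added illustration, not code from the thread, from the quoted page or from netfilter itself; the timeout values and the addresses are constructed for the example, `Conntrack` is a deliberately simplified state table, and `enable_keepalive` is a hypothetical helper showing the transport-level mitigation (TCP keepalives run below the rigid application protocol Mihai describes, so they can keep the entry alive without the application sending anything).

```python
"""Toy model of the conntrack behaviour described in the thread.

Added illustration, not netfilter code. Modelled from the quoted text:
  * the first packet of an unknown tuple creates an entry in state NEW,
    whatever its TCP flags (a bare ACK included), and it is not ASSURED;
  * the TCP state stored with the entry only picks the idle timeout;
    once that timeout expires the entry is purged, and the next packet
    on the same tuple starts over as NEW (on a NAT box, with no
    translation left for it).
"""
import socket
from dataclasses import dataclass

# Constructed per-state idle timeouts in seconds (not real kernel defaults).
TIMEOUTS = {"NONE": 30, "SYN_SENT": 120, "SYN_RECV": 60, "ESTABLISHED": 300}


@dataclass
class Entry:
    tcp_state: str
    orig_src: tuple          # (ip, port) that sent the first packet
    last_seen: float = 0.0
    seen_reply: bool = False
    assured: bool = False


class Conntrack:
    """Simplified state table: one entry per direction-agnostic 4-tuple."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def _key(src, sport, dst, dport):
        # The reply direction maps to the same entry as the original.
        return tuple(sorted([(src, sport), (dst, dport)]))

    def _expire(self, now):
        dead = [k for k, e in self.table.items()
                if now - e.last_seen > TIMEOUTS[e.tcp_state]]
        for k in dead:
            del self.table[k]

    def packet(self, now, src, sport, dst, dport, flags):
        """Classify one packet as NEW or ESTABLISHED, updating the table."""
        self._expire(now)
        key = self._key(src, sport, dst, dport)
        e = self.table.get(key)
        if e is None:
            # Unknown tuple: NEW regardless of flags; only a SYN gets the
            # SYN_SENT timeout bucket, anything else the short NONE bucket.
            state = "SYN_SENT" if flags == {"SYN"} else "NONE"
            self.table[key] = Entry(tcp_state=state, orig_src=(src, sport),
                                    last_seen=now)
            return "NEW"
        e.last_seen = now
        if (src, sport) != e.orig_src:
            e.seen_reply = True
        # Crude handshake tracking, used only to choose the timeout bucket.
        if flags == {"SYN", "ACK"}:
            e.tcp_state = "SYN_RECV"
        elif "ACK" in flags and e.seen_reply:
            e.tcp_state, e.assured = "ESTABLISHED", True
        return "ESTABLISHED" if e.seen_reply else "NEW"


def ack_to_nowhere():
    """The quoted experiment: a lone ACK still creates a NEW, unassured entry."""
    ct = Conntrack()
    verdict = ct.packet(0, "10.0.0.5", 40000, "198.51.100.7", 80, {"ACK"})
    entry = next(iter(ct.table.values()))
    return verdict, entry.assured          # ("NEW", False)


def idle_connection():
    """Handshake, silence past the ESTABLISHED timeout, then new data."""
    ct = Conntrack()
    c, s = ("10.0.0.5", 40001), ("198.51.100.7", 5000)
    ct.packet(0, *c, *s, {"SYN"})
    ct.packet(1, *s, *c, {"SYN", "ACK"})
    v1 = ct.packet(2, *c, *s, {"ACK"})
    assured = next(iter(ct.table.values())).assured
    # First byte after the idle period: the entry is gone, so it is NEW again.
    v2 = ct.packet(2 + TIMEOUTS["ESTABLISHED"] + 1, *c, *s, {"ACK", "PSH"})
    return v1, assured, v2                 # ("ESTABLISHED", True, "NEW")


def enable_keepalive(sock, idle=60, interval=10, count=3):
    """Hypothetical helper: keepalives below the application protocol.

    Linux option names are used and guarded, since other platforms name
    them differently. Returns (SO_KEEPALIVE, {option: value}) as read back.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    applied = {}
    for name, val in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval),
                      ("TCP_KEEPCNT", count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, val)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE), applied
```

The keepalive idle value has to stay below the NAT's established-connection timeout for this to help. The same model also shows why the classic rule `iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP` (a standard iptables rule, not something the thread mentions) exists: without it, a bare ACK from outside is enough to create a table entry, exactly as the quoted page says.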
