
Subject: Re: what port number to use?
From: Kambiz Aghaiepour <kambiz,AT,redhat,DOT,com>
Date: Thu, 9 Aug 2001 17:27:09 +0200
In-reply-to: <Pine.SOL.4.10.10108082118500.28873-100000@masto.uku.fi>

I see what you're saying.  I was thinking about network devices that may not
keep state tables for UDP traffic.  But in either case, if I were setting up
the NATting firewall (e.g. Linux box with 2.4 kernel, or network device such as
cisco pix), I would set the default policy to REJECT for incoming UDP
connections, except for well-documented exceptions.  If the firewall in
question (the NATting firewall) was set up securely, the return packets for
CIPE (or whatever UDP traffic was coming in) should be dropped.  Don't you
think so?

Kambiz

Karl Kleinpaste wrote:
> 
> Kambiz Aghaiepour <kambiz,AT,redhat,DOT,com> writes:
> 
> > Actually, I don't think this would work because cipe is udp
> > based. So if the NAT endpoint establishes the connection to the
> > non-NAT, the non-NAT will try to respond with UDP traffic destined
> > to the NATting firewall, which drops the packet.
> 
> I don't know what NAT you're familiar with, but many incantations of
> NAT speak UDP just fine, including Linux IP masquerading; the NAT
> firewall forwards back to the internal host, having masqueraded the IP
> address completely along with shifting the UDP port the internal host
> believed was in use.  Dismantlement of the NAT "connection" is based
> on a simple lack-of-activity timeout.  One-sided NAT CIPE is perfectly
> reasonable.
> 
> --
> Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> Other commands available with "help" in body to the same address.
> CIPE info and list archive: <URL:http://sites.inka.de/~bigred/devel/cipe.html>

-- 
\o__O  o       Kambiz Aghaiepour     -       Red Hat, Inc.       o   o
  \_  /|\  Sr. System Administrator  |\|  (919) 547-0012 x251   //\ //\
   |\  |\ -=-=-=-=-=-=-=-=-=-=-=-=-  | | -=-=-=-=-=-=-=-=-=-=-   //  //
  / /  |/  mailto:kambiz,AT,redhat,DOT,com    | http://www.redhat.com   |\  ||
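A toy model of the stateful UDP masquerading Karl describes (a mapping created by the outbound packet, return traffic forwarded only while the mapping is live, torn down by an inactivity timeout), and of why unsolicited inbound UDP is dropped. This is an added illustration, not code from the thread, from CIPE or from Linux; the addresses, ports and the 30-second timeout are constructed.

```python
"""Toy stateful UDP masquerade table (constructed example, not Linux or CIPE code)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class UdpMasquerade:
    def __init__(self, public_ip: str, timeout: float, first_port: int = 61000):
        self.public_ip, self.timeout, self.next_port = public_ip, timeout, first_port
        self.out = {}   # (int_ip, int_port, ext_ip, ext_port) -> (public_port, last_seen)
        self.back = {}  # (public_port, ext_ip, ext_port) -> (int_ip, int_port)

    def _expire(self, now: float) -> None:
        """Dismantle mappings idle longer than the timeout (no FIN/RST exists for UDP)."""
        for key, (pub_port, last) in list(self.out.items()):
            if now - last > self.timeout:
                del self.out[key]
                del self.back[(pub_port, key[2], key[3])]

    def outbound(self, pkt: Pkt, now: float) -> Pkt:
        """Internal host -> Internet: create or refresh the mapping, rewrite src IP and port."""
        self._expire(now)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.out:
            pub_port = self.out[key][0]
        else:
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.back[(pub_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        self.out[key] = (pub_port, now)
        return Pkt(self.public_ip, pub_port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Pkt, now: float) -> Optional[Pkt]:
        """Internet -> public IP: forward only a reply to a live mapping; None means dropped."""
        self._expire(now)
        hit = self.back.get((pkt.dport, pkt.src, pkt.sport))
        if hit is None:
            return None  # unsolicited UDP: no state, dropped at the NAT box
        int_ip, int_port = hit
        self.out[(int_ip, int_port, pkt.src, pkt.sport)] = (pkt.dport, now)  # refresh timer
        return Pkt(pkt.src, pkt.sport, int_ip, int_port)


def demo():
    nat = UdpMasquerade("203.0.113.1", timeout=30)
    out = nat.outbound(Pkt("10.0.0.5", 5000, "198.51.100.7", 5000), now=0)   # CIPE peer behind NAT
    reply = nat.inbound(Pkt("198.51.100.7", 5000, "203.0.113.1", out.sport), now=5)    # forwarded
    stray = nat.inbound(Pkt("192.0.2.9", 5000, "203.0.113.1", out.sport), now=6)       # dropped
    late = nat.inbound(Pkt("198.51.100.7", 5000, "203.0.113.1", out.sport), now=60)    # timed out
    return out, reply, stray, late
```

Only the first inbound packet is delivered: the second comes from a host that never had a mapping, and the third arrives after the idle timer has dismantled the "connection".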