Linux A--------NAT/Firewall---| Internet |-----------Linux B
Even though everyone told me... I didn't listen. I tried running a packet
sniffer on the peer side (Linux B) and found out that when Linux A sends a
packet out, the NAT box performs port address translation. This comes in on
Linux B. Linux B responds without any problem. Now if I stop Linux A, after
5 seconds, the NAT box forgets the translation. So that's the problem. I
guess I can set the ping for every 5 seconds. I talked to my ISP and they'll
probably put my box outside the firewall. But in the meantime, is there any
other solution than setting the ping option for every 5 seconds or getting my
ISP to turn off PAT?
Thanks
Amith
> ----- Message from marco.palumbi,AT,tiscali,DOT,it ---------
> Date: Thu, 13 Feb 2003 17:32:20 +0100
> From: Marco Palumbi <marco.palumbi,AT,tiscali,DOT,it>
> Reply-To: Marco Palumbi <marco.palumbi,AT,tiscali,DOT,it>
> Subject: Re: options config...
> To: Amith Varghese <amith,AT,xalan,DOT,com>
>
>
>
> Amith Varghese wrote:
> >
> > > What you're seeing is the normal behavior of NAT. When a UDP packet
> > > is directed through a NAT its source address is modified to that of the
> > > NAT system and it is sent along its way; when a response returns the NAT
> > > system must consult its UDP list and remember where the response should be
> > > directed. The NAT table is only short-lived. I believe that Windows ICS
> > > only has a 60 second time-out. On my systems I keep a 30 second ping
> > > going from behind a NAT firewall to an external system with a static
> > > address.
> >
> >
>
> The problem is the port translation - PAT (port address translation).
>
> The NAT/Firewall translates the port address of the UDP packet outgoing from
> Linux A.
> The association of the original port on Linux A to the translated port from
> the NAT/Firewall remains valid for some time of inactivity (say 60 seconds),
> after which, if Linux A sends a new packet, it is translated to a new address.
>
> During this time a packet sent to the NAT/Firewall at the translated
> address/port is sent to Linux A at the original port.
>
>
> The key is that every time Linux B receives a packet from a new port it
> remembers this port and will use it for the answer to Linux A.
>
> So consider the scenario:
>
> cipe on Linux A uses port 6000
>
> NAT/Firewall maps port 6000 to port 6000 of Linux A
>
> cipe on Linux B uses port 6000
>
>
> Linux B starts sending a packet from its port 6000 to NAT/Firewall port 6000
>
> NAT/Firewall sends the packet to Linux A port 6000
>
> Linux A answers, sending a packet from its port 6000 to Linux B port 6000
>
> When the packet crosses the NAT/Firewall it will be translated to, let's say,
> port 10000
>
> Linux B sees the port changed to 10000 and will answer to this port, so:
>
> Linux B answers, sending a packet from its port 6000 to NAT/Firewall port
> 10000
>
> NAT/Firewall sends the packet to Linux A port 6000
>
> If you stop the traffic for more than 60 seconds the NAT/Firewall will forget
> the association port 10000 <-> port 6000,
>
> so if Linux B sends a new packet it will send it to port 10000 but the
> association is now no longer valid....
>
> In such a scenario it could be better not to have the cipe feature of port
> tracking on Linux B.
> For a similar problem I hacked the code of cipe.
> The best thing would be to have an option for turning off this behavior.
>
> Marco
>
> --
> Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> Other commands available with "help" in body to the same address.
> CIPE info and list archive:
> <URL:http://sites.inka.de/~bigred/devel/cipe.html>
>
>
> ----- End message from marco.palumbi,AT,tiscali,DOT,it -----
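The interaction that Amith observed on the wire and that Marco walks through above (a dynamic PAT entry that expires after an idle period, a peer that tracks the last source port it saw, and a keep-alive ping that refreshes the entry) is easy to get wrong by reasoning alone, so here is a small simulation of it. This is an added example written for this archive page, not code from CIPE or from either poster; the NAT box, the `Nat`, `PeerB` and `simulate` names, the 60-second idle timeout, the static 6000 -> 6000 inbound forward and the first translated port 10000 are all assumptions taken from Marco's worked scenario rather than from any real NAT implementation.

```python
"""Toy replay of the PAT-timeout / port-tracking problem from the cipe-l thread.

Added example; not CIPE code.  All timings and port numbers are assumptions
borrowed from the scenario in Marco's reply.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

A_PORT = 6000            # cipe port on Linux A (from the thread)
B_PORT = 6000            # cipe port on Linux B (from the thread)
NAT_TIMEOUT = 60.0       # idle seconds before a dynamic PAT entry is forgotten (assumed)
FIRST_PAT_PORT = 10000   # first translated source port the NAT hands out (assumed)


@dataclass
class Nat:
    """Minimal PAT box: one static inbound forward plus dynamic outbound entries."""
    timeout: float
    static_inbound: Dict[int, int]                 # external port -> internal port
    next_port: int = FIRST_PAT_PORT
    table: Dict[int, list] = field(default_factory=dict)  # internal port -> [external, last_seen]

    def _expire(self, now: float) -> None:
        # Drop every dynamic entry that has been idle for >= timeout seconds.
        self.table = {p: e for p, e in self.table.items() if now - e[1] < self.timeout}

    def outbound(self, src_port: int, now: float) -> int:
        """Linux A -> Internet: rewrite the source port; create or refresh the entry."""
        self._expire(now)
        entry = self.table.get(src_port)
        if entry is None:
            # A fresh mapping: the peer will see a source port it has never seen before.
            entry = [self.next_port, now]
            self.next_port += 1
            self.table[src_port] = entry
        entry[1] = now
        return entry[0]

    def inbound(self, dst_port: int, now: float) -> Optional[int]:
        """Internet -> Linux A: dynamic entry first, then the static forward; None = dropped."""
        self._expire(now)
        for internal, entry in self.table.items():
            if entry[0] == dst_port:
                entry[1] = now
                return internal
        return self.static_inbound.get(dst_port)


@dataclass
class PeerB:
    """Linux B.  With port tracking it answers to whatever source port it last saw."""
    track_ports: bool
    peer_port: int = A_PORT   # configured destination: the NAT's forwarded port 6000

    def saw_packet_from(self, src_port: int) -> None:
        if self.track_ports:
            self.peer_port = src_port


def simulate(track_ports: bool, keepalive_interval: Optional[float] = None,
             idle_gap: float = 90.0) -> List[bool]:
    """Replay Marco's scenario.  Returns, for each packet B sends, whether it reached A:6000."""
    nat = Nat(timeout=NAT_TIMEOUT, static_inbound={A_PORT: A_PORT})
    b = PeerB(track_ports=track_ports)
    delivered: List[bool] = []

    def b_sends(now: float) -> None:
        delivered.append(nat.inbound(b.peer_port, now) == A_PORT)

    def a_sends(now: float) -> None:
        b.saw_packet_from(nat.outbound(A_PORT, now))

    b_sends(0.0)   # B -> NAT:6000, static forward -> A:6000
    a_sends(1.0)   # A -> NAT rewrites source 6000 -> 10000 -> B (B may remember 10000)
    b_sends(2.0)   # B answers to the port it believes A is on
    t, end = 2.0, 2.0 + idle_gap
    if keepalive_interval:
        while t + keepalive_interval < end:
            t += keepalive_interval
            a_sends(t)   # A's keep-alive ping refreshes the dynamic entry
    b_sends(end)   # B speaks again after the idle gap
    return delivered


if __name__ == "__main__":
    print("port tracking, no keep-alive :", simulate(True))          # last packet lost
    print("no port tracking             :", simulate(False))         # all delivered
    print("port tracking, 30 s keep-alive:", simulate(True, 30.0))   # all delivered
```

Running the three cases shows the two fixes discussed in the thread side by side: a keep-alive interval shorter than the NAT's idle timeout keeps the 10000 <-> 6000 entry alive, while disabling port tracking on Linux B makes it keep addressing the static forward on port 6000, which survives the expiry.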