From: Pascal Hambourg <pascal.mail@plouf.fr.eu.org>
To: Dave Sparks <Dave.Sparks@Sophos.com>
Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
	"'netfilter@vger.kernel.org'" <netfilter@vger.kernel.org>
Subject: Re: final packet not natted, rfc1918 address sent to internet
Date: Wed, 24 Nov 2010 11:24:44 +0100
Message-ID: <4CECE7EC.7050703@plouf.fr.eu.org>
In-Reply-To: <alpine.DEB.2.00.1011240938190.27970@blackhole.kfki.hu>

Jozsef Kadlecsik wrote:
> On Wed, 24 Nov 2010, Dave Sparks wrote:
> 
>> I noticed a problem that happens on all our firewalls (various 2.6 and 
>> Shorewall version) where sometimes the final packet in a conversation 
>> will not be natted.  What happens is the src IP is not rewritten, and 
>> the rfc1918 src address is sent to the internet.
[...]
> I guess the packet in question has got INVALID state: those are not 
> NAT-ed (being INVALID, cannot be). So add a rule which drops INVALID 
> packets.

I agree. In a NAT setup, packets with the INVALID state should be
dropped because NAT relies on connection tracking.

The trace shows that the last packet is a FIN segment retransmitted
multiple times because it was not ACK'ed by the other side. It should
not be the last packet of the connection, the other side should send an
ACK segment. I guess that after a 60-second delay the connection
tracking entry expired and this is why the FIN packet got the INVALID
state. The root cause is the missing ACK.
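The advice in the two replies above (drop INVALID-state packets on a NAT box because they never get a NAT mapping) as an added example, not code from the thread or from Shorewall. The script below emits an iptables-restore ruleset in two variants, the stateless LAN-to-WAN accept that lets an un-NAT-ed packet out, and the hardened ordering with the INVALID drop first, plus a small audit that reads a saved ruleset and fails if FORWARD accepts anything before dropping INVALID. The interface names eth0/eth1, the prefix 192.168.1.0/24 and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Emits an iptables-restore ruleset for a
# NAT gateway in two variants ("weak" and "hardened") and audits a saved
# ruleset for the ordering the thread recommends.
# Interface names and the LAN prefix are assumptions for illustration.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

gen_ruleset() {
    mode="${1:-hardened}"
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    if [ "$mode" = hardened ]; then
        # A packet conntrack cannot map to a connection (for instance a FIN
        # retransmitted after the entry expired) gets no NAT mapping, so
        # forwarding it would leak the private source address. Drop it before
        # any ACCEPT rule in FORWARD can match.
        printf '%s\n' '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
        printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
        printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT"
    else
        # Stateless LAN-to-WAN accept, the pattern that lets an INVALID packet
        # through: it matches here, and since the packet has no conntrack
        # entry the MASQUERADE mapping below is never applied to it.
        printf '%s\n' "-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT"
        printf '%s\n' "-A FORWARD -i $WAN_IF -o $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    fi
    printf '%s\n' 'COMMIT' '*nat' ':PREROUTING ACCEPT [0:0]' ':INPUT ACCEPT [0:0]' \
                  ':OUTPUT ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    printf '%s\n' "-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE"
    printf '%s\n' 'COMMIT'
}

# Reads an iptables-save/iptables-restore ruleset on stdin. Succeeds only if,
# in the filter table, a FORWARD rule dropping INVALID appears before any
# FORWARD rule with a direct ACCEPT target; prints the offending rule otherwise.
# Matches both "-m conntrack --ctstate INVALID" and the older "-m state --state INVALID".
check_invalid_drop_first() {
    awk '
        /^\*/ { table = $0; next }
        table != "*filter" { next }
        /^-A FORWARD / && /INVALID/ && /-j DROP$/ { seen_drop = 1; next }
        /^-A FORWARD / && /-j ACCEPT$/ && !seen_drop {
            print "FORWARD accepts before dropping INVALID: " $0
            bad = 1
            exit
        }
        END { exit bad ? 1 : 0 }
    '
}

# Demo: run with --demo to see the weak variant fail the audit and the
# hardened variant pass it.
if [ "${1:-}" = "--demo" ]; then
    for m in weak hardened; do
        printf '== %s ==\n' "$m"
        gen_ruleset "$m" | check_invalid_drop_first && echo "ok: INVALID dropped first"
    done
fi
```

Load the hardened variant with `gen_ruleset hardened | iptables-restore`, and audit a running firewall with `iptables-save | check_invalid_drop_first`. The audit only looks at direct ACCEPT targets in FORWARD; a Shorewall-generated ruleset jumps from FORWARD into per-zone chains, so those chains need the same inspection. The conntrack expiry suspected in the message can be inspected on the box via the `nf_conntrack_tcp_timeout_*` entries under /proc/sys/net/netfilter/.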

Thread overview: 3+ messages
2010-11-24  5:56 final packet not natted, rfc1918 address sent to internet Dave Sparks
2010-11-24  8:40 ` Jozsef Kadlecsik
2010-11-24 10:24   ` Pascal Hambourg [this message]