From: Jim Carter <jimc@math.ucla.edu>
To: Nathan Whittacre <nathan@stimulustech.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Connection Tracking
Date: Wed, 8 Oct 2003 09:46:32 -0700 (PDT) [thread overview]
Message-ID: <Pine.LNX.4.53.0310080929350.18217@simba.math.ucla.edu> (raw)
In-Reply-To: <3F81AA62.7050404@stimulustech.com>
On Mon, 6 Oct 2003, Nathan Whittacre wrote:
> The way this protocol works is that the remote computer connects to it
> on port 1066, exchanges some data over the existing connection and then
> the server initiates a connection back to the client on the client's
> port 1066. This is fine as long as the client has a static, un-NAT'd
> internet IP, but the connection is dropped by the server if it does not
> get a reply from port 1066. I have a few client machines on a NAT'd
> network that need to connect to this remote server, but with only one
FTP does the same kind of thing except the return port varies; the client
tells the server what port it's listening on. If you have access to the
NAT box you could perhaps put in a special rule so port 1066 (for the
return connection) was DNATted to just one client's internal IP address and
restricted to just port 1066 rather than the default high-numbered range.
(I assume the client insists on a source port of 1066.) If it's a
user-owned inexpensive NAT box that you can't configure, you're up the
creek. I believe the Linksys "Broadband Router" for $80 can do the needed
DNAT. But then you get into a nightmare of user support issues.
Why the callback? It really makes things complicated. If you're trying to
enhance security, as you might with a modem connection, each TCP connection
includes return packets, which will not return if the originator's address
is spoofed. Also, in principle the Black Hats can invade your ISP and fake
the DNS records. Much better to use TLS at 4th layer or IPSec at 3rd
layer, and only talk to remote machines that are on your authorization
list.
James F. Carter Voice 310 825 2897 FAX 310 206 6673
UCLA-Mathnet; 6115 MSA; 405 Hilgard Ave.; Los Angeles, CA, USA 90095-1555
Email: jimc@math.ucla.edu http://www.math.ucla.edu/~jimc (q.v. for PGP key)
next prev parent reply other threads:[~2003-10-08 16:46 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-10-06 17:46 Connection Tracking Nathan Whittacre
2003-10-08 16:46 ` Jim Carter [this message]
2003-10-08 17:41 ` Nathan Whittacre
2003-10-08 18:09 ` Jim Carter
-- strict thread matches above, loose matches on Subject: below --
2012-09-03 16:35 Nicole
2012-09-04 11:30 ` Pablo Neira Ayuso
2003-10-06 17:42 Nathan Whittacre
2003-01-09 6:40 Amit Kumar Gupta
2002-06-21 15:25 Preston Wade
2002-06-21 14:54 Preston Wade
2002-06-21 15:03 ` Ramin Alidousti
2002-06-21 15:05 ` Antony Stone
2002-06-21 15:16 ` Patrick Schaaf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Pine.LNX.4.53.0310080929350.18217@simba.math.ucla.edu \
--to=jimc@math.ucla.edu \
--cc=nathan@stimulustech.com \
--cc=netfilter@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).