IPfilter

Re: Need a one-armed port forwarder

To: Jefferson Ogata <Jefferson.Ogata@noaa.gov>
Subject: Re: Need a one-armed port forwarder
From: Gary Mills <mills@cc.umanitoba.ca>
Date: Thu, 4 Jan 2007 20:17:12 -0600
Cc: IPFilter <ipfilter@coombs.anu.edu.au>
Delivered-to: sp-com-lists@consult.net
Delivered-to: ipfilter-list@securepoint.com
In-reply-to: <459DAB33.3060209@noaa.gov>
References: <20070104022152.GA11019@cc.umanitoba.ca> <459D23F8.60603@alcatel-lucent.com> <20070104224339.GA25637@cc.umanitoba.ca> <459DAB33.3060209@noaa.gov>
Sender: owner-ipfilter@coombs.anu.edu.au
User-agent: Mutt/1.5.10i

On Fri, Jan 05, 2007 at 01:34:43AM +0000, Jefferson Ogata wrote:
> On 2007-01-04 22:43, Gary Mills wrote:
> > I've already found most of those.  There are lots of daemons that will
> > forward TCP connections.  I've tried some of them.  The problem with
> > them is that they initiate new connections.  That means that the
> > originating IP address is lost.  I want to preserve that information
> > so that client logging works correctly on the destination server.
> 
> Think about what actually would happen in your desired scenario:
> 
> 1. Remote client C sends a SYN packet from source endpoint C:P to
> service destination endpoint D:S, which resides on a translating box D.
> On the client, the socket is in SYN_SENT state with remote endpoint D:S.
> 
> 2. Translating box receives SYN packet and translates destination to E:T
> and retransmits it to serving box E. So now the SYN packet is C:P -> E:T.
> 
> 3. Serving box E receives the SYN packet and responds with a SYN/ACK
> from E:T -> C:P. The socket on the serving box is in SYN_RCVD state with
> remote endpoint C:P. Since the SYN/ACK destination C is remote, E sends
> the packet out through the default router, so the translating box D
> never sees this packet.
> 
> 4. Client box C receives SYN/ACK from E:T and discards it, because it
> has no pending TCP connection in SYN_SENT state with E:T as the remote
> endpoint.

Thanks for the detailed explanation.  Obviously my knowledge of TCP is
lacking, or I would have already known why it couldn't work.  It was
all this talk of `rdr must go through the firewall' that confused me.

> There is cluster load balancing that relies on shared IPs and ARP
> balancing and does no translation of destinations, but this is a
> completely different animal from IP Filter and requires a specialized
> network setup.

The one I was thinking about is Sun Cluster, although I can only guess
how it works from what I've read so far.  The documentation does say
that ipfilter can't be run on cluster nodes.  I assumed this was
because the cluster software already uses the pfil streams module for
its own purposes.  Cluster nodes typically are all connected to the
same network.  However there is a private interconnect between nodes.
I suppose that could be used to redirect connections to other nodes.

-- 
-Gary Mills-    -Unix Support-    -U of M Academic Computing and Networking-
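The four-step scenario quoted above, modelled as an added example (my code, not anything from this thread or from IP Filter). The client socket is keyed on the full 4-tuple the way a real stack does, so the SYN/ACK arriving from E:T instead of D:S is discarded; the same model also runs the in-path case where E's reply comes back through D and is reverse-translated, which is what "rdr must go through the firewall" amounts to. Host names, ports and the rdr map are constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    host: str
    port: int

@dataclass(frozen=True)
class Segment:
    src: Endpoint
    dst: Endpoint
    flags: str  # "SYN" or "SYN/ACK"

class ClientSocket:
    """Client C's socket: accepts a SYN/ACK only from the endpoint its SYN went to."""
    def __init__(self, local, remote):
        self.local, self.remote, self.state = local, remote, "SYN_SENT"
    def syn(self):
        return Segment(self.local, self.remote, "SYN")
    def receive(self, seg):
        # A SYN/ACK from any other source matches no pending connection,
        # so the client discards it (step 4 of the quoted explanation).
        if seg.flags == "SYN/ACK" and seg.dst == self.local and seg.src == self.remote:
            self.state = "ESTABLISHED"

def rdr_forward(seg, rdr):
    """Translating box D rewrites only the destination (step 2)."""
    return Segment(seg.src, rdr.get(seg.dst, seg.dst), seg.flags)

def rdr_reverse(seg, rdr):
    """Reverse translation D applies to a reply, but only if the reply reaches D."""
    public = {internal: pub for pub, internal in rdr.items()}
    return Segment(public.get(seg.src, seg.src), seg.dst, seg.flags)

def server_reply(syn):
    """Serving box E answers the SYN with a SYN/ACK to the untranslated client (step 3)."""
    return Segment(syn.dst, syn.src, "SYN/ACK")

def handshake(reply_passes_through_d):
    """Client socket state after the exchange; hosts and ports are constructed values."""
    c_p = Endpoint("C", 40000)   # remote client C, source port P
    d_s = Endpoint("D", 80)      # advertised service on translating box D
    e_t = Endpoint("E", 8080)    # real service on serving box E
    rdr = {d_s: e_t}
    client = ClientSocket(c_p, d_s)                        # step 1: SYN_SENT to D:S
    synack = server_reply(rdr_forward(client.syn(), rdr))  # steps 2-3: E:T -> C:P
    if reply_passes_through_d:   # true only when E's route back to C goes via D
        synack = rdr_reverse(synack, rdr)
    client.receive(synack)
    return client.state
```

`handshake(False)` is the one-armed case and leaves the client in SYN_SENT; `handshake(True)` reaches ESTABLISHED only because D saw the reply and undid its own translation.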
