
Re: Need a one-armed port forwarder

To: IPFilter <ipfilter@coombs.anu.edu.au>
Subject: Re: Need a one-armed port forwarder
From: Jefferson Ogata <Jefferson.Ogata@noaa.gov>
Date: Sat, 06 Jan 2007 03:03:54 +0000
Delivered-to: sp-com-lists@consult.net
Delivered-to: ipfilter-list@securepoint.com
In-reply-to: <20070105145919.GC24417@cc.umanitoba.ca>
References: <20070104022152.GA11019@cc.umanitoba.ca> <459D23F8.60603@alcatel-lucent.com> <20070104224339.GA25637@cc.umanitoba.ca> <459DAB33.3060209@noaa.gov> <20070105145919.GC24417@cc.umanitoba.ca>
Sender: owner-ipfilter@coombs.anu.edu.au
User-agent: Mozilla/4.0 (compatible;MSIE 5.5; Windows 98)
On 2007-01-05 14:59, Gary Mills wrote:
> On Fri, Jan 05, 2007 at 01:34:43AM +0000, Jefferson Ogata wrote:
>> 3. Serving box E receives the SYN packet and responds with a SYN/ACK
>> from E:T -> C:P. The socket on the serving box is in SYN_RCVD state with
>> remote endpoint C:P. Since the SYN/ACK destination C is remote, E sends
>> the packet out through the default router, so the translating box D
>> never sees this packet.
> 
> Could serving box E fake the source of that packet so it appears to
> come from translating box D?  Is that all that's needed to make
> this work?

Not sure. IP Filter expects to see both sides of the conversation so it
can track the connection from SYN_SENT to ESTABLISHED and ultimately
CLOSED. If it sees only one side, it may not forward or translate
(depending on the configuration) non-SYN packets, or you may accumulate
NAT entries until there's a problem. You'd have to test it, or maybe
someone else knows for sure.

-- 
Jefferson Ogata <Jefferson.Ogata@noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt@noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
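As an added illustration (not from this thread or from the IP Filter project): the usual way to keep both directions of a one-armed forward visible to the translating box D is to pair the rdr rule with a map rule that rewrites the client's source to D's own address, so E's SYN/ACK is routed back to D instead of out through E's default router. The interface name, addresses and ports below are constructed placeholders; whether a given IP Filter release then tracks the state cleanly is the open question above and still has to be tested.

```conf
# /etc/ipnat.conf on translating box D (constructed example)
# em0 is D's single interface; D = 192.0.2.10 and E = 192.0.2.20 share a segment.

# Inbound on em0: connections from any client C to D:80 are redirected to E:8080.
rdr em0 192.0.2.10/32 port 80 -> 192.0.2.20 port 8080 tcp

# Outbound on the same em0: rewrite the client source C:P to D's own address
# and a port from the pool, so E's SYN/ACK and every later reply are
# addressed to D and pass back through the NAT state table here, letting
# IP Filter see both sides (SYN_SENT -> ESTABLISHED -> CLOSED).
# Without this map rule E answers C directly and D never sees the reply.
map em0 0.0.0.0/0 -> 192.0.2.10/32 portmap tcp/udp 10000:20000
```

The trade-off is that E's logs now record D, not the real client, as the connection source, so client attribution has to come from D's NAT logs.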
