Re: Interesting article about punching holes in firewalls...

To: Martijn Lievaart <m@rtij.nl>
Subject: Re: Interesting article about punching holes in firewalls...
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Tue, 19 Dec 2006 12:07:02 +0100 (CET)
Cc: Mail List - Netfilter <netfilter@lists.netfilter.org>, Cedric Blancher <blancher@cartel-securite.fr>, Grant Taylor <gtaylor@riverviewtech.net>
Delivered-to: sp-com-lists@consult.net
Delivered-to: netfilter-list1@securepoint.com
In-reply-to: <4587B400.6080206@rtij.nl>
List-archive: </pipermail/netfilter>
List-help: <mailto:netfilter-request@lists.netfilter.org?subject=help>
List-id: General discussion and user questions <netfilter.lists.netfilter.org>
List-post: <mailto:netfilter@lists.netfilter.org>
List-subscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=subscribe>
List-unsubscribe: <https://lists.netfilter.org/mailman/listinfo/netfilter>, <mailto:netfilter-request@lists.netfilter.org?subject=unsubscribe>
References: <45860240.2040102@riverviewtech.net> <1166426813.8007.10.camel@anduril.intranet.cartel-securite.net> <4587B400.6080206@rtij.nl>
Sender: netfilter-bounces@lists.netfilter.org

Hi,

On Tue, 19 Dec 2006, Martijn Lievaart wrote:

> I do assume in all this that the only ICMP traffic matching RELATED are
> true ICMP errors (afair host/net unreachable and fragmentation needed).
> If this also opens up say ICMP redirect[1] we may have a slight problem.
> It is possible netfilter does this to accommodate bridging setups. Anyone
> can comment on this? If this opens up the connection for any other ICMP
> traffic, I think that's a bug.

The ICMP types for which the packet may be flagged as RELATED are

- destination-unreachable
- source-quench
- time-exceeded
- parameter-problem
- redirect

*if* the inner packet corresponds to an already existing connection.

But the hole punching technique described in the article[1] has nothing to 
do with RELATED connections. There are applications running on the client 
machines which do initiate the connections from behind the firewall and if 
any outgoing connection is allowed by the local policy, the "punching" 
naturally succeeds.

If the "enemy" is behind the (fire)walls, nothing much can be done.

The article must be corrected at one place: the claim: "After an 
outgoing SYN packet the firewall / NAT router will forward incoming 
packets with suitable IP addresses and ports to the LAN even if they fail 
to confirm, or confirm the wrong sequence number (ACK). Linux firewalls at 
least, clearly fail to evaluate this information consistently." is 
outdated and not true for 2.6 kernels.

[1]: http://www.heise-security.co.uk/articles/print/82481

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
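The rule Jozsef states above (an ICMP error becomes RELATED only for the five listed types, and only when the packet quoted inside it belongs to a connection conntrack already knows) can be checked with a small model. The following is an added example, not netfilter code: it builds constructed IPv4/ICMP packets with placeholder addresses, keeps a hypothetical conntrack table as a set of original-direction 5-tuples, and classifies an incoming ICMP packet the way the mail describes. An ICMP echo request is reported as NEW (a connection in its own right), and an error type whose quoted packet matches nothing is reported as INVALID rather than opened up.

```python
import socket
import struct

# The ICMP types the mail lists as candidates for RELATED (IANA type numbers).
RELATED_ERROR_TYPES = {
    3: "destination-unreachable",
    4: "source-quench",
    5: "redirect",
    11: "time-exceeded",
    12: "parameter-problem",
}


def build_ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0; this model never verifies it)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp_stub(sport, dport):
    """First 8 bytes of a TCP header (ports + sequence number), all an ICMP error quotes."""
    return struct.pack("!HHI", sport, dport, 0)


def build_icmp_error(icmp_type, code, offending):
    """ICMP error = 8-byte ICMP header followed by the offending IP header + 8 L4 bytes."""
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + offending[:28]


def parse_ipv4(buf):
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20]), buf[ihl:]


def l4_tuple(proto, src, dst, l4):
    """5-tuple (proto, src, sport, dst, dport) from the quoted 8 L4 bytes; TCP/UDP only here."""
    if proto in (socket.IPPROTO_TCP, socket.IPPROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
        return (proto, src, sport, dst, dport)
    return None


def classify_icmp(packet, conntrack):
    """Conntrack state of an incoming IPv4/ICMP packet against a set of known 5-tuples."""
    proto, _src, _dst, icmp = parse_ipv4(packet)
    if proto != socket.IPPROTO_ICMP or len(icmp) < 8:
        return "INVALID"
    if icmp[0] not in RELATED_ERROR_TYPES:
        return "NEW"          # echo request/reply etc. are tracked as their own connection
    if len(icmp) < 8 + 28:
        return "INVALID"      # error does not carry a complete quoted header
    in_proto, in_src, in_dst, in_l4 = parse_ipv4(icmp[8:])
    t = l4_tuple(in_proto, in_src, in_dst, in_l4)
    if t is None:
        return "INVALID"
    # The quoted packet is the one the LAN host sent (original direction); also accept
    # the reply direction so an error about a returning packet still matches.
    reverse = (t[0], t[3], t[4], t[1], t[2])
    return "RELATED" if t in conntrack or reverse in conntrack else "INVALID"


# Constructed scenario: a LAN host opened TCP 40000 -> 80 to a remote server.
LAN_HOST, REMOTE, ROUTER = "192.168.1.10", "203.0.113.5", "198.51.100.1"
CONNTRACK = {(socket.IPPROTO_TCP, LAN_HOST, 40000, REMOTE, 80)}

OUTGOING_SYN = build_ipv4(socket.IPPROTO_TCP, LAN_HOST, REMOTE, build_tcp_stub(40000, 80))
UNREACHABLE = build_ipv4(socket.IPPROTO_ICMP, ROUTER, LAN_HOST,
                         build_icmp_error(3, 1, OUTGOING_SYN))
REDIRECT = build_ipv4(socket.IPPROTO_ICMP, ROUTER, LAN_HOST,
                      build_icmp_error(5, 1, OUTGOING_SYN))
UNRELATED_ERROR = build_ipv4(socket.IPPROTO_ICMP, ROUTER, LAN_HOST, build_icmp_error(
    3, 1, build_ipv4(socket.IPPROTO_TCP, LAN_HOST, REMOTE, build_tcp_stub(40001, 80))))
ECHO_REQUEST = build_ipv4(socket.IPPROTO_ICMP, REMOTE, LAN_HOST,
                          struct.pack("!BBHHH", 8, 0, 0, 1234, 1))

if __name__ == "__main__":
    for name, pkt in [("unreachable", UNREACHABLE), ("redirect", REDIRECT),
                      ("unrelated error", UNRELATED_ERROR), ("echo request", ECHO_REQUEST)]:
        print(f"{name:16s} -> {classify_icmp(pkt, CONNTRACK)}")
```

The redirect case is the one Martijn asked about: it does come through as RELATED, but only because its quoted packet matches the host's own outgoing connection, so an attacker who cannot guess a live 5-tuple gets INVALID for the same type.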