Re: Firewall frustration




Christopher Chan wrote:

ip src/dest is used for routing decisions by the kernel. The IP state machine (check the RFC or any decent TCP/IP textbook) is really quite simple. But iptables sticks its nose into the center of that state machine and can mangle addresses to change how packets flow through the machine, or just simply yank packets right out of the machine with a simple NO (drop).

So in my mind's eye, the IP state machine (my MSU CPS 410 prof was death on state machines; turn in a perfectly executing assignment without one and there went half your grade. See HIP for its state machine) is dictated by iptables as to what it is allowed to route.

That just means iptables can influence routing by manipulating packet headers. Routing is still controlled by the kernel.
We are playing with words here, and English tends to be too rich in interpretation. I work on standards. I let one regional joke be left in an RFC: 2410, the Null ESP cipher. There we joke about the null cipher having a key length of zero. A very American joke, for at the time we were killing aspects of the ITAR control on crypto export. But a few years later, over at my day job at ICSAlabs, we are trying to figure out why this one firewall product for TW is not working with the others. The connections are terminated in the ISAKMP negotiation. We dig down and find that there is an ISAKMP ESP-NULL proposal with a key payload with a value of zero. No one else is accepting this and rejects the whole ISAKMP exchange per the ISAKMP RFC. We then find a few other IPsec implementations coming out like this, and all the authors are people following on, just reading the RFCs and NOT getting the joke. There are some MAD developers as they have to change their code, and some blushing IETFers as we realize we have to maintain the lore of the RFC development as there are other RFCs with zingers in them.

Over at the IEEE 802, we are voting ballots on wording that can be interpreted one way with the Webster dictionary and another with the Oxford dictionary.

So I am right about iptables controlling routing and you are right about iptables NOT controlling routing, only influencing it. What does 'control' mean in this context? IEEE is really big on state machines and truly covers the transfer of 'control' from one layer to another. Look at the MLME in 802.11. Look at the 802.1X machines. So since I have to live this control architecture and work in live debates about what layer is controlling what, I have a particular language set.


BTW, should we table this debate? Webster says that means stopping, 'taking the subject off the table.' Oxford says that means to start, 'placing the subject on the table.' Boy did we have some moments back in the mid-90s when the ISO crowd descended on the IETF. Also, can we reach a consensus here? Webster will accept a majority, Oxford wants complete agreement. (Or at least that is what these sources said back in the mid-90s when we lived Bernard Shaw's line of: 'Two nations separated by a common language'.)


:)

Now I have to hop over to the Asterisk list to figure out why with one firewall the INVITE properly redirects the RTP to the RTP server, and with the other firewall this is not in the INVITE so the RTP flow does not..... ARGH!!!!!


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
