Thanks for you attention
A response coming from another ip is exactly what happens in DCC protocol of IRC, and the module nf_conntrack_irc.ko and nf_nat_irc.ko make it possible by using in the source ip of the expectation the address 0.0.0.0 which works like a wildcard.
Best Regards
Hugo Mendes
________________________________________
De: Leonardo Rodrigues [leolistas@xxxxxxxxxxxxxx]
Enviado: sexta-feira, 24 de Julho de 2009 21:16
Para: Hugo Miguel Mendes
Cc: netfilter-devel@xxxxxxxxxxxxxxx
Assunto: Re: NTP server
Hugo Miguel Mendes escreveu:
> Dear all,
>
> I'm running netfilter on a router operating OpenWRT Kamikaze 8.09, kernel 2.6.25.17.
>
> I have two computers on the router LAN which are programmed to get the time from an NTP server. This NTP server has a load balancing mechanism, so the computer that responds to the NTP request is not the same to where was sent the request. So the response is blocked by netfilter, because that connection wasn't started from the LAN. But the NTP server always keeps the same ports and always listens on port 123. So if you make the request from port 1024 to the port 123 of the server the response will come from 123 to 1024.
the load balancing mechanism for this NTP server is fucking broke.
The load balancing mechanism is the one that should be fixed, not your
netfilter module.
this kind of responde, coming from another ip, wont be allowed by
any possible firewall, which in the last 6-7-8 years probably, are all
statefull ones.
--
Atenciosamente / Sincerily,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
Minha armadilha de SPAM, NÃO mandem email
gertrudes@xxxxxxxxxxxxxx
My SPAMTRAP, do not email it--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
