Hi,

On Tue, 19 Dec 2006, Martijn Lievaart wrote:

> I do assume in all this that the only ICMP traffic matching RELATED are
> true ICMP errors (afair host/net unreachable and fragmentation needed).
> If this also opens up say ICMP redirect[1] we may have a slight problem.
> It is possible netfilter does this to accommodate bridging setups. Anyone
> can comment on this? If this opens up the connection for any other ICMP
> traffic, I think that's a bug.

The ICMP types for which the packet may be flagged as RELATED are

- destination-unreachable
- source-quench
- time-exceeded
- parameter-problem
- redirect

*if* the inner packet corresponds to an already existing connection.

But the hole punching technique described in the article[1] has nothing to do with RELATED connections. There are applications running on the client machines which do initiate the connections from behind the firewall, and if any outgoing connection is allowed by the local policy, the "punching" naturally succeeds. If the "enemy" is behind the (fire)walls, nothing much can be done.

The article must be corrected at one place: the claim

"After an outgoing SYN packet the firewall / NAT router will forward incoming packets with suitable IP addresses and ports to the LAN even if they fail to confirm, or confirm the wrong sequence number (ACK). Linux firewalls at least, clearly fail to evaluate this information consistently."

is outdated and not true for 2.6 kernels.

[1]: http://www.heise-security.co.uk/articles/print/82481

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
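As an added illustration (not code from the netfilter project or from this thread), here is a simplified Python model of the classification described above: an ICMP message is RELATED only when its type is one of the five error types listed and the packet embedded in it matches a flow already in the connection table. The connection table, the sample addresses and the helper that builds the error packet are constructed for the example and are assumptions.

```python
import struct
import ipaddress

# ICMPv4 error types carrying an embedded packet (the five types from the
# mail); any other type is never classified as RELATED here.
ICMP_ERROR_TYPES = {3: "destination-unreachable", 4: "source-quench",
                    5: "redirect", 11: "time-exceeded", 12: "parameter-problem"}

# Constructed sample connection table: 5-tuples in the original direction,
# (proto, src, sport, dst, dport). Assumption: one tracked TCP flow from the LAN.
TRACKED = {(6, "192.0.2.10", 40000, "198.51.100.7", 80)}

def classify_icmp(icmp: bytes) -> str:
    """Classify an ICMPv4 message the way a stateful firewall would:
    RELATED only if it is an error type AND the embedded packet matches a
    tracked flow; INVALID for errors that do not; NEW for non-error types."""
    if len(icmp) < 8:
        return "INVALID"
    itype = icmp[0]
    if itype not in ICMP_ERROR_TYPES:
        return "NEW"               # e.g. echo-request starts its own flow
    inner = icmp[8:]
    if len(inner) < 28:            # inner IPv4 header (20) + 8 bytes of L4 header
        return "INVALID"
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    if proto not in (6, 17) or len(inner) < ihl + 4:
        return "INVALID"
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    # The embedded packet is the one our side sent, so it must match the
    # original direction of a tracked flow to be RELATED.
    if (proto, src, sport, dst, dport) in TRACKED:
        return "RELATED"
    return "INVALID"

def build_icmp_error(itype, code, src, dst, proto, sport, dport):
    """Constructed helper: an ICMP error wrapping an inner IPv4 + L4 header."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                           ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed)
    inner_l4 = struct.pack("!HHI", sport, dport, 0)
    return struct.pack("!BBHI", itype, code, 0, 0) + inner_ip + inner_l4
```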