Re: TCP simultaneous open using iptables NAT?

Hmm, I don't understand...

As both hosts are NATed, this would mean that the NAT would allow the SYN to
pass (coming from the "Internet" going to the LAN).

But this is not possible, as no state has been created on that one of the two
NATs (the host hasn't sent out a SYN yet).

Can you explain to me what I'm missing here?

Thanks,
Christoph

On Sat May 30 2009 Jozsef Kadlecsik wrote:
> On Sat, 30 May 2009, Christoph Paasch wrote:
> > one question about that:
> > How can the host receive the SYN packet (and afterwards send the RST), if
> > conntrack does not support TCP simultaneous open?
>
> The first SYN (if the firewall rules allow it) is let through the
> firewall and will reach the destination. If that hasn't sent a SYN yet, then
> it'll respond with RST, which will pass the firewall too.
>
> But running tcpdump on both interfaces of the firewall would help most.
>
> Best regards,
> Jozsef
> -
> E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : KFKI Research Institute for Particle and Nuclear Physics
>           H-1525 Budapest 114, POB. 49, Hungary

--
Christoph Paasch

www.rollerbulls.be
--
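The exchange the two messages above argue about, as an added worked example that is not code from this thread and not netfilter's conntrack: a toy 5-tuple NAT in front of each host, a minimal TCP endpoint on each side, and the two orderings under discussion. The toy NAT only translates an inbound packet when it matches an entry created by an earlier outbound SYN, or when a static forward rule (standing in for "the firewall rules allow it") exists for the port; everything else is dropped for lack of state, which is Christoph's point. Whether the real conntrack state machine accepts an inbound SYN that matches an entry in SYN_SENT is exactly the open question of the thread and is not modelled: the toy NAT simply forwards it. Host addresses, the public port 40000 and the assumption that each side already knows the other NAT's public port are all constructed for the example.

```python
"""Toy model: two hosts behind stateful NATs attempting a TCP simultaneous open.

Added example, not netfilter code. The NAT is a deliberately simplified
5-tuple tracker, not Linux conntrack's real TCP state table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: tuple          # (ip, port)
    dst: tuple          # (ip, port)
    flags: str          # "S", "SA" or "R"


@dataclass
class Entry:
    lan: tuple          # socket of the host inside the NAT
    remote: tuple       # socket of the outside peer (as seen on the wire)
    pub_port: int       # port allocated on the NAT's public IP
    state: str          # "SYN_SENT" (inside sent SYN) or "SYN_RECV" (forwarded inbound SYN)


class ToyNat:
    def __init__(self, public_ip, forwards=None):
        self.public_ip = public_ip
        # Static DNAT rules, pub_port -> inside socket; stands in for
        # "the firewall rules allow" an inbound SYN with no prior state.
        self.forwards = forwards or {}
        self.table = []
        self.next_port = 40000      # constructed: deterministic port allocation

    def _find(self, lan=None, remote=None, pub_port=None):
        for e in self.table:
            if (lan is None or e.lan == lan) and (remote is None or e.remote == remote) \
                    and (pub_port is None or e.pub_port == pub_port):
                return e
        return None

    def egress(self, pkt):
        """LAN -> Internet. A SYN creates state; anything else needs existing state."""
        e = self._find(lan=pkt.src, remote=pkt.dst)
        if e is None:
            if pkt.flags != "S":
                return "DROP(no state)", None
            e = Entry(pkt.src, pkt.dst, self.next_port, "SYN_SENT")
            self.next_port += 1
            self.table.append(e)
        if pkt.flags == "R":            # RST tears the entry down
            self.table.remove(e)
        return "FORWARD", Pkt((self.public_ip, e.pub_port), pkt.dst, pkt.flags)

    def ingress(self, pkt):
        """Internet -> LAN. Translate only if an entry or a static forward matches."""
        e = self._find(remote=pkt.src, pub_port=pkt.dst[1])
        if e is None:
            if pkt.flags == "S" and pkt.dst[1] in self.forwards:
                e = Entry(self.forwards[pkt.dst[1]], pkt.src, pkt.dst[1], "SYN_RECV")
                self.table.append(e)
            else:
                return "DROP(no state)", None   # no mapping: no inside host to send it to
        if pkt.flags == "R":
            self.table.remove(e)
        return "FORWARD", Pkt(pkt.src, e.lan, pkt.flags)


class ToyHost:
    """Minimal TCP endpoint that only remembers which sockets have sent a SYN."""
    def __init__(self, ip):
        self.ip = ip
        self.syn_sent = set()       # (local_port, remote socket)

    def connect(self, local_port, remote):
        self.syn_sent.add((local_port, remote))
        return Pkt((self.ip, local_port), remote, "S")

    def receive(self, pkt):
        """RFC 793: SYN on a socket in SYN-SENT is a simultaneous open (answer SYN+ACK);
        SYN on a port with neither listener nor pending connect is answered with RST."""
        if pkt.flags != "S":
            return None
        if (pkt.dst[1], pkt.src) in self.syn_sent:
            return Pkt(pkt.dst, pkt.src, "SA")
        return Pkt(pkt.dst, pkt.src, "R")


def send(nat_out, nat_in, peer, pkt):
    """Push pkt out through its own NAT, into the peer's NAT and to the peer host."""
    verdict, on_wire = nat_out.egress(pkt)
    if on_wire is None:
        return verdict, None
    verdict, inside = nat_in.ingress(on_wire)
    if inside is None:
        return verdict, None
    return "DELIVERED", peer.receive(inside)


def scenario(forward_on_b):
    """A sends its SYN first, then B. Returns a log of (event, verdict, reply flags)."""
    a, b = ToyHost("10.0.0.2"), ToyHost("192.168.1.2")           # constructed addresses
    nat_a = ToyNat("198.51.100.1")
    nat_b = ToyNat("203.0.113.1",
                   forwards={40000: ("192.168.1.2", 5000)} if forward_on_b else None)
    log = []
    # Assumption: both sides already know the public port (40000) the other NAT uses.
    v, reply = send(nat_a, nat_b, b, a.connect(5000, ("203.0.113.1", 40000)))
    log.append(("A SYN", v, reply.flags if reply else None))
    if reply is not None:               # B's RST (or SYN+ACK) travels back to A
        v, _ = send(nat_b, nat_a, a, reply)
        log.append(("B reply " + reply.flags, v, None))
    v, reply = send(nat_b, nat_a, a, b.connect(5000, ("198.51.100.1", 40000)))
    log.append(("B SYN", v, reply.flags if reply else None))
    return log


if __name__ == "__main__":
    for line in scenario(False) + scenario(True):
        print(line)
```

Without a forward rule, A's SYN is dropped at B's NAT for lack of state, but B's later SYN matches the entry A's own SYN created and reaches A, which is already in SYN-SENT and answers SYN+ACK. With a forward rule on B's NAT, A's SYN reaches B before B has sent anything, B answers RST, and the RST passes both NATs because it matches the state each SYN created; B's subsequent SYN then finds no state at A's NAT, since the RST tore it down.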
