On Sat, 30 May 2009, Christoph Paasch wrote:
> Hmm, I don't understand...
>
> As both hosts are NATed, this would mean that the NAT would allow the SYN to
> pass (coming from the "Internet" going to the LAN).
>
> But this is not possible, as no state has been created on this one of the two
> NATs (the host hasn't sent out a SYN yet).
>
> Can you explain to me what I'm missing here?

The intended packet flow is as follows:

Time/action     Host A         NAT A          NAT B          Host B
Send SYN        A SYN ->                                     <- B SYN
SYN NATed                      A SYN ->       <- B SYN
Cross other fw                 <- B SYN       A SYN ->
SYN arrives     B SYN                                        A SYN
Reply           A SYN/ACK ->                                 <- B SYN/ACK
...

When the SYNs arrive at the other firewall, it has already been opened up from
inside. Of course both communicating parties must know in advance the mapped IP
address and source port of the other side.

Because RST packets were generated by the hosts, it means the timing was not
appropriate and A's SYN reached B before it had sent its SYN. But it means we
have to assume DNAT/REDIRECT rules were set up as well, otherwise NAT B would
not let the SYN from A to B pass. But this is an assumption, because we do not
know the full details of the settings.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
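As an added illustration (not part of the message above, and not netfilter code), here is a small timing model of the simultaneous-open flow Jozsef describes: each NAT admits an inbound SYN only once its inside host has sent its own SYN, unless a static DNAT/REDIRECT rule forwards the port; the host answers SYN/ACK if it is already in SYN_SENT and RST otherwise. Send times, the one-way delay and the rule flags are constructed values.

```python
from dataclasses import dataclass

# Constructed model of two hosts behind two NATs attempting a simultaneous open.
# Each side is described by when its inside host sends its SYN (which also creates
# the NAT's conntrack state) and whether a static DNAT/REDIRECT rule exists.
@dataclass
class Side:
    name: str            # "A" or "B"
    syn_sent_at: float   # time the inside host sends its SYN (creates NAT state)
    dnat_rule: bool      # static DNAT/REDIRECT lets the SYN in regardless of state


def inbound_syn(dst: Side, arrival: float) -> str:
    """Fate of the remote SYN that reaches dst's NAT at time `arrival`."""
    if arrival >= dst.syn_sent_at:
        # Outbound SYN already created the mapping, and the host is in SYN_SENT:
        # both sides see the crossing SYNs and reply SYN/ACK (simultaneous open).
        return "syn-ack"
    if dst.dnat_rule:
        # No conntrack state yet, but a static rule forwards the SYN anyway.
        # The host has not opened the port, so it answers with RST.
        return "rst"
    # No state and no rule: the NAT silently discards the SYN.
    return "dropped-by-nat"


def simulate(a: Side, b: Side, one_way_delay: float) -> dict:
    """Outcome of each direction's first SYN for the given send times and delay."""
    return {
        "A->B": inbound_syn(b, a.syn_sent_at + one_way_delay),
        "B->A": inbound_syn(a, b.syn_sent_at + one_way_delay),
    }


if __name__ == "__main__":
    # Intended flow: both SYNs cross in transit and arrive after the far side opened up.
    print(simulate(Side("A", 0.0, False), Side("B", 0.0, False), 0.05))
    # A sends far too early and only conntrack guards NAT B: A's SYN is dropped.
    print(simulate(Side("A", 0.0, False), Side("B", 1.0, False), 0.05))
    # Same timing but a DNAT rule on NAT B forwards the SYN: host B replies RST,
    # the symptom Jozsef infers from the RST packets in the message.
    print(simulate(Side("A", 0.0, False), Side("B", 1.0, True), 0.05))
```

The model covers only the first SYN of each side; a real host retransmits its SYN, so in the "dropped-by-nat" case a later retransmission succeeds once the far side's state exists, whereas the RST case aborts the attempt outright.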