On 03/08/2018 01:12 AM, zrm wrote:
> (2.a) The client is adversarial and is trying to circumvent the firewall
> rules.

Nope. PCP is not a firewall. The questions of trust and config are in the humans' hands. If the PCP daemon's configuration says the mapping should be valid, then your firewall rules should not violate that promise. If your firewall rules say that a mapping should not be honored, then the PCP daemon's configuration should not be lying about it to the client.

You are failing to understand the simple fact that you _SHOULD_ _NOT_ be trying to probe your own firewall in response to a client request issued to a third-party facility. You are also missing the part where the administrator may want to issue the blocked ports to specific users after specific requests to the PCP daemon, so probing your own firewall actually removes features.

> (2.b) The client is asking the PCP daemon to recreate a connection that
> was valid with the previous configuration but not the current
> configuration.

Then it will fail because the new PCP daemon is newly configured.

You aren't listening. Enjoy your over-complicated project that can never fill its corner cases and can be used as a local denial of service attack on your own firewall.

I'm out.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html