When nodes on the LAN are masqueraded, Linux on the gateway will attempt to use the same port that an app on the LAN used. This can only be done once, after which Linux will arbitrarily assign ports.

Using the example of VoIP phones, which use a default port of 5060, the first phone to register with the proxy server will be assigned port 5060 on the gateway and the second would be assigned port 1024. Keep-alive packets are used by the phones, the proxy or both to maintain the NAT bindings. The proxy makes note of the originating port. Incoming packets are routed correctly.

Now consider the case of an application running on the gateway box. It would send and listen on port 5060. In this case we would not use keep-alive packets. We open port 5060 on the firewall so that we can receive calls from the public internet. I have observed that a phone on the LAN can bind to port 5060 even though the application had grabbed port 5060. The result is that packets intended for the application will be routed to the phone on the LAN. The phone on the LAN also gets packets intended for it. This was confirmed by /proc/net/ip_conntrack and also by capturing packets with a sniffer. The contents of the packets showed that some of the packets were clearly not intended for the phone that received them. The application listening on port 5060 received nothing.

Rob Dyck

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
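As an added example (not part of Rob Dyck's message and not kernel code), the following Python script models the masquerade port choice described above and checks entries in the /proc/net/ip_conntrack format against a list of ports bound by local sockets on the gateway, flagging the situation reported in the post: a masqueraded flow whose reply tuple lands on a port a local application is listening on. The gateway address, the conntrack lines and the listener list are constructed sample data, and pick_masq_port is a simplified model of the behaviour the post describes rather than the kernel's actual algorithm.

```python
"""Model of masquerade port selection plus a conntrack-vs-local-socket
clash check. Added example; the sample data below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed public address of the gateway (constructed, not from the post).
GATEWAY_PUBLIC_IP = "198.51.100.1"


def pick_masq_port(orig_sport: int, in_use: set[int]) -> int:
    """Model of the behaviour the post describes: keep the LAN host's own
    source port if no existing NAT binding uses it, otherwise take the
    lowest free port from 1024 upward. Note what is NOT consulted: sockets
    bound locally on the gateway. That omission is the clash in the post."""
    if orig_sport not in in_use:
        return orig_sport
    for port in range(1024, 65536):
        if port not in in_use:
            return port
    raise RuntimeError("no free masquerade port")


@dataclass(frozen=True)
class Flow:
    proto: str
    orig_src: str
    orig_sport: int
    orig_dst: str
    orig_dport: int
    reply_src: str
    reply_sport: int
    reply_dst: str
    reply_dport: int


# ip_conntrack line: "<proto> <num> <timeout> [STATE] <orig tuple> ... <reply tuple> ..."
_TUPLE = r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)"
_LINE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(?:[A-Z_]+\s+)?" + _TUPLE + r".*?" + _TUPLE)


def parse_conntrack(text: str) -> list[Flow]:
    """Parse tcp/udp entries in the legacy /proc/net/ip_conntrack format;
    lines without two address/port tuples are skipped."""
    flows: list[Flow] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        proto, s1, d1, sp1, dp1, s2, d2, sp2, dp2 = m.groups()
        flows.append(Flow(proto, s1, int(sp1), d1, int(dp1), s2, int(sp2), d2, int(dp2)))
    return flows


def is_masqueraded(f: Flow, gw_ip: str) -> bool:
    """Source-NATed entry: replies are addressed to the gateway's own
    address although a different (LAN) host originated the flow."""
    return f.reply_dst == gw_ip and f.orig_src != gw_ip


def find_clashes(flows: list[Flow], listeners: set[tuple[str, int]], gw_ip: str) -> list[Flow]:
    """Masqueraded flows whose reply tuple (proto, gw_ip, port) is also a port
    bound by a local socket on the gateway. Inbound packets matching that
    tuple are rewritten to the LAN host before local delivery, so the local
    socket never sees them; this is the symptom the post reports."""
    return [f for f in flows
            if is_masqueraded(f, gw_ip) and (f.proto, f.reply_dport) in listeners]


# Constructed sample: two LAN phones registered through the gateway plus an
# unrelated TCP flow. Phone .10 kept port 5060; phone .11 was moved to 1024.
SAMPLE_CONNTRACK = """\
udp      17 29 src=192.168.1.10 dst=203.0.113.5 sport=5060 dport=5060 src=203.0.113.5 dst=198.51.100.1 sport=5060 dport=5060 [ASSURED] use=1
udp      17 29 src=192.168.1.11 dst=203.0.113.5 sport=5060 dport=5060 src=203.0.113.5 dst=198.51.100.1 sport=5060 dport=1024 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.9 sport=40000 dport=443 src=203.0.113.9 dst=198.51.100.1 sport=443 dport=40000 [ASSURED] use=1
"""

# Constructed listener list, as `ss -ulnp` / `ss -tlnp` would show on the
# gateway: the SIP application on udp/5060 and sshd on tcp/22.
SAMPLE_LISTENERS: set[tuple[str, int]] = {("udp", 5060), ("tcp", 22)}


def report(conntrack_text: str, listeners: set[tuple[str, int]], gw_ip: str) -> list[Flow]:
    clashes = find_clashes(parse_conntrack(conntrack_text), listeners, gw_ip)
    for f in clashes:
        print(f"CLASH {f.proto}/{f.reply_dport} on {gw_ip}: replies are rewritten to "
              f"{f.orig_src}:{f.orig_sport}; the local listener is shadowed")
    return clashes


if __name__ == "__main__":
    report(SAMPLE_CONNTRACK, SAMPLE_LISTENERS, GATEWAY_PUBLIC_IP)
```

On a real gateway, feed report() the contents of /proc/net/ip_conntrack (or the output of `conntrack -L` on newer systems, whose tuple fields use the same src=/dst=/sport=/dport= keys) and a listener set built from `ss -ulnp` and `ss -tlnp`; the second phone's entry with dport=1024 is what the post describes as the arbitrary assignment after the first phone took 5060.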