On Thursday 23 May 2002 8:40 pm, Marc Aurele La France wrote:
> Globus, a grid computing package, relies on an aspect of UDP that is
> seldom used. Specifically, a reply can come from anywhere on the planet,
> not just from the destination of the prompting packet.
Why should UDP allow a packet from machine A to machine B to be replied to with a packet from machine C? I don't understand the sense in this....

You seem to be suggesting that de-masquerading might be done based solely on the destination address/port of the replying packet. E.g. a packet is sent from address A, port a, to address B, port b. Normally you'd expect to see a reply from Bb back to Aa, but you're suggesting that a reply from Cc to Aa should be de-masqueraded and allowed in through the firewall?

Sounds to me like:

a) a pretty strange request
b) a potentially big security hole
c) a fairly easy thing to implement as a patch to existing code (because you're removing a check which is already there - simpler than adding something new)

However, I'm not the person to create that patch :-(

Maybe you should either try asking the netfilter developers' list, or look through patch-o-matic and see who has produced a patch closest to what you need, and ask if they're able to do another one for you?

Best of luck with the request, and I'm fascinated to know why this is considered a sensible way to run UDP....

Antony.
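To make the two behaviours being argued about concrete, here is a toy model of a masquerading firewall's UDP state table. It is an added example written for this page, not netfilter code or anything from Globus; the addresses, ports and the `strict` flag are illustrative constructions. With `strict=True` an inbound packet is de-masqueraded only if it comes from the original destination B:b (the existing check Antony describes). With `strict=False` that one check is removed and the lookup is done on the masqueraded destination port alone, so a packet from any C:c that hits the right port is let in, which is exactly the "reply from anywhere on the planet" semantics Globus wants and the hole Antony warns about.

```python
"""Toy UDP masquerading (NAT) state table: strict vs. address-agnostic
de-masquerading.  Constructed example; not netfilter/ipchains code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """A UDP datagram reduced to its addressing 4-tuple."""
    src: str
    sport: int
    dst: str
    dport: int


class UdpMasquerade:
    """Minimal model of a masquerading firewall for UDP.

    Outbound packets from the inside network are rewritten to come from
    public_ip on a freshly allocated port, and the flow is remembered.
    Inbound packets are translated back only if the table allows it:

      strict=True   reply must come from the original peer B:b
      strict=False  any host C:c may reply; match on destination port only
    """

    def __init__(self, public_ip: str, strict: bool = True) -> None:
        self.public_ip = public_ip
        self.strict = strict
        self._next_port = 40000  # illustrative port range start
        # masqueraded port -> (inside_ip, inside_port, peer_ip, peer_port)
        self._table: Dict[int, Tuple[str, int, str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside->outside packet and record the flow."""
        port = self._next_port
        self._next_port += 1
        self._table[port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Return the de-masqueraded packet, or None if the firewall drops it."""
        if pkt.dst != self.public_ip:
            return None
        entry = self._table.get(pkt.dport)
        if entry is None:
            return None  # no outbound flow ever used this port
        inside_ip, inside_port, peer_ip, peer_port = entry
        # This is the check the thread talks about removing.
        if self.strict and (pkt.src, pkt.sport) != (peer_ip, peer_port):
            return None  # reply from someone other than B:b
        return Packet(pkt.src, pkt.sport, inside_ip, inside_port)


def replies_accepted(strict: bool) -> Dict[str, bool]:
    """Send A:a -> B:b through the NAT, then try replies from B:b and C:c.

    Returns which of the two replies the firewall let through.
    """
    nat = UdpMasquerade("203.0.113.1", strict=strict)
    out = nat.outbound(Packet("10.0.0.5", 5000, "198.51.100.7", 53))
    from_b = Packet("198.51.100.7", 53, nat.public_ip, out.sport)
    from_c = Packet("192.0.2.99", 4444, nat.public_ip, out.sport)  # third party
    return {"B": nat.inbound(from_b) is not None,
            "C": nat.inbound(from_c) is not None}


if __name__ == "__main__":
    print("strict :", replies_accepted(True))   # only B gets in
    print("relaxed:", replies_accepted(False))  # B and C both get in
```

The relaxed policy is a single removed comparison, which is Antony's point (c); the cost, his point (b), is that the masqueraded port number becomes the only secret protecting the inside host, and a 16-bit port space is easy to sweep.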
