On Thu, 23 May 2002, Antony Stone wrote:

> > Globus, a grid computing package, relies on an aspect of UDP that is
> > seldom used. Specifically, a reply can come from anywhere on the planet,
> > not just from the destination of the prompting packet.

> Why should UDP allow a packet from machine A to machine B to be replied with
> a packet from machine C ? I don't understand the sense in this....

UDP, unlike TCP, is by definition connection-less. When you open() a UDP
socket, you are defining only one endpoint (your IP/port). Any other
endpoint, including your IP/port2, or alien IP/port3, can send a packet to
it. It's currently left up to userland to decide whether that packet is
valid.

> You seem to be suggesting that de-masquerading might be done based solely on
> the destination address/port of the replying packet.

> eg a packet is sent from address A, port a, to address B, port b. Normally
> you'd expect to see a reply from Bb back to Aa, but you're suggesting that a
> reply from Cc to Aa should be de-masqueraded and allowed in through the
> firewall ?

Check your history. 2.2 kernels had this functionality on by default for a
while, until the default was changed to off (due to CERT's wolf-cry). But
the option still existed.

> Sounds to me like:

> a) a pretty strange request

"Eye of the beholder".

> b) a potentially big security hole

Yes, whether or not a NAT box is involved. Security is a separate issue
that can be dealt with through filtering, among other things.

> c) a fairly easy thing to implement as a patch to existing code (because
> you're removing a check which is already there - simpler than adding
> something new)

Nada. De-masq'ing is done by common code. The protocol isn't involved,
except in providing that common code with a reverse mapping. But the
conntrack protocol API doesn't allow the protocol to know what packet
direction it is to deal with. That would be an incompatible change.

> However, I'm not the person to create that patch :-(

I'm not asking you to. But I can do the work. Been there, done that sort
of thing, albeit back in the days when masquerading was in its infancy.

> Maybe you should either try asking the netfilter developers' list, or look
> through patch-o-matic and see who has produced a patch closest to what you
> need, and ask if they're able to do another one for you ?

There's no patch-o-matic for this, even in the bleeding edge iptables.
Secondly, I assume developers are listening.

> Best of luck with the request, and I'm fascinated to know why this is
> considered a sensible way to run UDP....

One can easily run DNS this way, for load balancing, etc.

Marc.

+----------------------------------+-----------------------------------+
| Marc Aurele La France            | work:  1-780-492-9310             |
| Computing and Network Services   | fax:   1-780-492-1729             |
| 352 General Services Building    | email: [EMAIL PROTECTED]          |
| University of Alberta            +-----------------------------------+
| Edmonton, Alberta                |                                   |
| T6G 2H1                          | Standard disclaimers apply        |
| CANADA                           |                                   |
+----------------------------------+-----------------------------------+
XFree86 Core Team member. ATI driver and X server internals.
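The point made above about UDP (one bound endpoint, any peer can send to it, userland decides what is valid) can be observed directly on a loopback socket. The following is an added example, not part of the thread and not code from any of the participants; it assumes a Linux or BSD socket API and uses 127.0.0.1 with ephemeral ports, with three sockets standing in for hosts A, B and C. `unconnected_demo` shows that a "reply" from an unrelated C reaches A just as B's does, and only a userland comparison of the `recvfrom()` source address tells them apart. `connected_demo` shows that `connect()` on a UDP socket makes the kernel do that filtering, which is the socket-level analogue of a strict reply mapping (reply must come from Bb); the unconnected case corresponds to the loose behaviour the 2.2 option provided.

```python
import socket

HOST = "127.0.0.1"  # loopback only: every "host" below lives in this process


def open_endpoint(host=HOST, timeout=0.5):
    """Bind a UDP socket to an ephemeral port: one endpoint, no peer."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, 0))
    s.settimeout(timeout)
    return s


def collect(sock, limit):
    """Read up to `limit` datagrams, stopping early when the socket times out."""
    got = []
    while len(got) < limit:
        try:
            data, src = sock.recvfrom(1024)
        except socket.timeout:
            break
        got.append((data, src))
    return got


def unconnected_demo():
    """A queries B; replies arrive from both B and an unrelated C.

    The kernel delivers both, so it is up to this code to compare the
    source address of each datagram with the peer it actually queried.
    Returns (everything received, accepted payloads, dropped payloads).
    """
    a, b, c = open_endpoint(), open_endpoint(), open_endpoint()
    try:
        a.sendto(b"query", b.getsockname())
        b.recvfrom(1024)                                 # B sees the query ...
        b.sendto(b"reply from B", a.getsockname())
        c.sendto(b"reply from C", a.getsockname())       # ... but C answers too
        got = collect(a, 2)
        expected_peer = b.getsockname()                  # the only source A should trust
        accepted = sorted(d for d, src in got if src == expected_peer)
        dropped = sorted(d for d, src in got if src != expected_peer)
        return sorted(d for d, _ in got), accepted, dropped
    finally:
        for s in (a, b, c):
            s.close()


def connected_demo():
    """Same exchange, but A connect()s to B first.

    connect() on a datagram socket performs no handshake; it only fixes the
    peer address. The kernel then delivers only datagrams whose source is
    that peer, so C's reply never reaches userland. Returns the payloads A saw.
    """
    a, b, c = open_endpoint(), open_endpoint(), open_endpoint()
    try:
        a.connect(b.getsockname())
        a.send(b"query")
        b.recvfrom(1024)
        b.sendto(b"reply from B", a.getsockname())
        c.sendto(b"reply from C", a.getsockname())       # discarded by the kernel
        return sorted(d for d, _ in collect(a, 2))
    finally:
        for s in (a, b, c):
            s.close()


if __name__ == "__main__":
    print("unconnected:", unconnected_demo())
    print("connected:  ", connected_demo())
```

Run it as a plain script; no privileges are needed since everything stays on loopback. The half-second timeout is what ends `collect()` in the connected case once C's datagram has been discarded, so the second function takes slightly longer than the first.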
