Hi, I've been developing a peer-to-peer application, and have recently been trying to add STUNT (http://www.cis.nctu.edu.tw/~gis87577/xDreaming/XSTUNT/Docs/XSTUNT%20Reference.htm) to allow firewall/NAT traversal. I got a box with Shorewall to use for testing, and am now trying to work out whether Shorewall is actually designed to prevent such connections. I notice in the FAQs that Instant Messenger requires a UPnP add-on, but my understanding of UPnP is that it's somewhat different from what I'm trying, so I'm not sure whether this is a similar case.

Basically, if the machine behind Shorewall sends out a [SYN] message but Shorewall then receives a [SYN] from the target rather than a [SYN, ACK], would you expect Shorewall to block the [SYN] message or allow it through?

Is it possible for Shorewall to block messages without logging them in any way, assuming maximum logging is switched on?

An illustration of what I'm seeing using Ethereal & tcpdump is below. I'm afraid that I've been unable to find a way to get any files off the box that Shorewall is on, so haven't included the dump - I'm trying to resolve that, but for now I'd just like to start with whether there's even anything unexpected in what I'm seeing.
Many Thanks,
Frances

---------------------------------------------------------------------------

* Machine A (192.168.1.128) behind Shorewall (130.159.106.87) attempts hole punch:

  102 21.058079 192.168.1.128 130.159.106.4 2967 > 1134 [SYN] Seq=0 Len=0 MSS=1460

* Listening between firewalls, see hole punch message:

  581 18.045671 130.159.106.87 130.159.106.4 2967 > 1134 [SYN] Seq=0 Len=0 MSS=1460

* Dlink firewall (130.159.106.4) in front of machine B blocks message:

  Blocked incoming TCP connection request from 130.159.106.87:2967 to 130.159.106.4:1134

* Machine B (192.168.0.162) behind Dlink firewall attempts to connect:

  156 16.819074 192.168.0.162 130.159.106.87 1134 > 2967 [SYN] Seq=0 Len=0 MSS=1460
  157 19.770622 192.168.0.162 130.159.106.87 1134 > 2967 [SYN] Seq=0 Len=0 MSS=1460

* Listening between firewalls, see connect messages from machine B:

  672 19.144083 130.159.106.4 130.159.106.87 [TCP ACKed lost segment] 1134 > 2967 [SYN] Seq=0 Len=0 MSS=1460
  009 22.095502 130.159.106.4 130.159.106.87 1134 > 2967 [SYN] Seq=0 Len=0 MSS=1460

* Nothing is logged in Shorewall log

* Ethereal on Machine A does not see [SYN] messages from machine B

* Tcpdump on Shorewall machine shows:

  arp who-has 130.159.106.4 tell 130.159.106.87
  IP 130.159.106.87.2967 > 130.159.106.4.1134
  IP 130.159.106.4.1134 > 130.159.106.87.2967
  IP 130.159.106.4.1134 > 130.159.106.87.2967

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Tom Eastep
2007-Mar-23 18:05 UTC
Re: Expected handling of [SYN] when expecting [SYN, ACK]?
Frances Flood wrote:
> Basically, if the machine behind Shorewall sends out a [SYN] message but
> Shorewall then receives a [SYN] from the target rather than a [SYN,
> ACK], would you expect Shorewall to block the [SYN] message or allow it
> through?

First of all, you should understand that Shorewall isn't something that runs in your system and filters packets. Shorewall is a set of shell scripts that configures netfilter -- the IP packet filtering/mangling facility in the kernel. So Shorewall itself is not involved in interpreting TCP session startup.

> Is it possible for Shorewall to block messages without logging it in any
> way, assuming maximum logging is switched on?

There are a number of ways in which packets can be dropped silently. The most likely cause in this case is that Netfilter connection tracking is dropping them as invalid. You can see if that is happening by

  echo 255 >/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
  modprobe ipt_LOG

If you see packets being logged (they are logged on any console), then you can try manipulating /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose and ip_conntrack_tcp_be_liberal. I've taken a quick look and didn't find the documentation for those so you'll have to do the Google search.

The Shorewall-generated netfilter ruleset can also silently drop packets through its 'Default Actions' (see http://www.shorewall.net/Actions.html#Default). The method for disabling default actions depends on your Shorewall version -- you must use /etc/shorewall/actions if you are running Shorewall version 3.2 or earlier and you use the *_DEFAULT settings in shorewall.conf if you are running Shorewall 3.2.

HTH,
-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
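The checks Tom describes, written up as an added example. This is my own script, not part of the thread and not Shorewall's code. It assumes a Linux firewall with iptables and a kernel exposing either the ip_conntrack proc paths Tom names or the later nf_conntrack ones; the "CT_INVALID:" log prefix is my choice, and the sample kernel-log lines are constructed for the example. Whatever the conntrack invalid logging produces lands in the kernel log (dmesg, /var/log/kern.log or the console), not under Shorewall's own log prefix, so the parser below works on those lines.

```shell
#!/bin/sh
# Added example (not from the thread or from Shorewall). Makes conntrack's
# INVALID verdicts visible and summarises the resulting kernel-log lines so
# the dropped SYNs can be matched against the Ethereal/tcpdump capture.

# Part 1: run as root on the firewall. Kept in a function so nothing below
# touches a live box when the file is sourced for the log-parsing part.
enable_invalid_logging() {
    # 255 = log invalid packets for every tracked protocol. The ip_conntrack
    # path is the one Tom gives; the nf_conntrack path is where the same
    # knob lives on later kernels (assumption: one of the two exists).
    for f in /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid \
             /proc/sys/net/netfilter/nf_conntrack_log_invalid; do
        [ -w "$f" ] && echo 255 > "$f"
    done
    modprobe ipt_LOG 2>/dev/null || modprobe xt_LOG 2>/dev/null
    # Also log anything the state match classifies INVALID, ahead of the
    # Shorewall chains, with a prefix we can grep for. "CT_INVALID:" is our
    # own choice of prefix, not a Shorewall convention.
    for chain in INPUT FORWARD; do
        iptables -I "$chain" 1 -m state --state INVALID \
            -j LOG --log-prefix "CT_INVALID:"
    done
}

# Current values of the two TCP knobs Tom mentions. be_liberal=1 stops
# conntrack marking out-of-window segments INVALID (only out-of-window RSTs
# are still flagged); loose=1 lets it pick up mid-stream connections.
conntrack_tcp_knobs() {
    for k in tcp_loose tcp_be_liberal; do
        for f in /proc/sys/net/ipv4/netfilter/ip_conntrack_$k \
                 /proc/sys/net/netfilter/nf_conntrack_$k; do
            [ -r "$f" ] && printf '%s=%s\n' "$k" "$(cat "$f")"
        done
    done
}

# Part 2: reduce netfilter LOG lines (kernel log / dmesg, not the Shorewall
# log) to "src:spt>dst:dpt flags" for TCP packets that were flagged invalid.
# Handles both our CT_INVALID: lines and the kernel's own
# "invalid packet ignored" lines, which use the same key=value layout.
summarize_invalid_tcp() {
    awk '
    /CT_INVALID:|invalid packet ignored/ {
        src = dst = spt = dpt = proto = flags = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if      (kv[1] == "SRC")   src   = kv[2]
            else if (kv[1] == "DST")   dst   = kv[2]
            else if (kv[1] == "SPT")   spt   = kv[2]
            else if (kv[1] == "DPT")   dpt   = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if ($i ~ /^(SYN|ACK|FIN|RST|PSH|URG)$/) flags = flags $i ","
        }
        if (proto == "TCP") {
            sub(/,$/, "", flags)
            print src ":" spt ">" dst ":" dpt " " flags
        }
    }'
}

# Count invalid bare SYNs aimed at a given local port, e.g. the hole-punch
# port 2967 from the capture. Usage: ... | count_invalid_syn_to_port 2967
count_invalid_syn_to_port() {
    summarize_invalid_tcp |
        awk -v p="$1" '$1 ~ (":" p "$") && $2 == "SYN" { n++ } END { print n + 0 }'
}

# Constructed sample kernel-log lines (not from the original post): two
# inbound SYNs from machine B's firewall that conntrack flagged, plus an
# unrelated Shorewall drop that must not be counted.
SAMPLE_LOG='Mar 23 17:59:02 fw kernel: CT_INVALID:IN=eth0 OUT= MAC=00:0c:29:3a:1b:2c:00:12:34:56:78:9a:08:00 SRC=130.159.106.4 DST=130.159.106.87 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=21743 DF PROTO=TCP SPT=1134 DPT=2967 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 23 17:59:05 fw kernel: CT_INVALID:IN=eth0 OUT= MAC=00:0c:29:3a:1b:2c:00:12:34:56:78:9a:08:00 SRC=130.159.106.4 DST=130.159.106.87 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=21744 DF PROTO=TCP SPT=1134 DPT=2967 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 23 17:59:06 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:0c:29:3a:1b:2c:00:12:34:56:78:9a:08:00 SRC=10.9.8.7 DST=130.159.106.87 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=44444 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0'

# Demo run on the constructed lines; on a real box feed it `dmesg` or
# /var/log/kern.log instead.
printf '%s\n' "$SAMPLE_LOG" | summarize_invalid_tcp
```

If the summary shows bare SYNs from 130.159.106.4:1134 to :2967 after the outbound SYN from the same 5-tuple, conntrack has flagged the second SYN of the simultaneous open rather than pairing it with the outbound one, and tcp_be_liberal / tcp_loose are the knobs to experiment with before touching the Shorewall rules themselves. Values written under /proc/sys do not survive a reboot, so put anything that helps into sysctl.conf (or Shorewall's own configuration) once it is confirmed.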