Hi,
I am confused about my comments on point 3) in my previous email,
and I am not sure if your answer relates to my question.
I said: (the complete part is attached at the end)
>> (Remember that my default policy is deny-all.) then at the FW I
>> need NOT 1 but 2 rules !! , i.e.:
>>
>> Rule 1) Allow traffic from 10.1.1.5 -port 5000 to 10.1.2.11-port 80
>>
>> and
>>
>> Rule 2) Allow traffic from 10.1.2.11-port 80 to 10.1.1.5 -port 5000
>>
>>
>> Otherwise (with only 1 rule) the FW will filter the traffic in one
>> or other direction.
The main doubt is about
a) "configuring a path downstream" in NATFW specification means "NSIS
is downstream but associated traffic can be in any direction over the
path"
against
b) "configuring a path downstream" in NATFW specification means "NSIS
is downstream AND associated traffic is only in downstream direction
over the path too"
I think that your answer
> NSIS signaling (and thus the meaning on the NSLP layer) is
> uni-directional.
is OK in NSIS context, but what I am looking for is to decide if the
implementation at 'iptables' level is OK or not.
Example: I connect to a WWW server with my browser. The traffic is
1) MyPC--->WWWserver - I send a TCP SYN packet to the destination,
2) WWWserver <---MyPC - destination sends back SYN+ACK
3) MyPC--->WWWserver - I reply with an ACK.
Note that there is traffic from MyPC to WWWserver and from WWWserver to MyPC.
Now suppose that I want to open a firewall using NSIS to allow my connection.
In practice we need 2 entries in IPTABLES
1) One entry to allow MyPC--->WWWserver direction
2) Another entry to allow WWWserver <---MyPC direction
This is because in iptables we configure FROM IP/port TO IP/port.
Therefore we need 2 rules.
Example:
MyPC : IP 200.233.16.6 port 4000
WWWserver : IP 200.233.228.9 port 80
rule 1: FROM 200.233.16.6 ( 4000 ) TO 200.233.228.9 ( 80 ) ; SYN case, ACK case
rule 2: FROM 200.233.228.9 ( 80 ) TO 200.233.16.6 ( 4000 ) ; SYN+ACK case
So, this was my question: we need 2 entries in iptables
(traffic that goes and traffic that returns).
This thread came about because you are using only one call to
iptables, and it is working because you have an allow-all policy, so
you cannot notice anything strange.
In my case I have a deny-all policy, so, if I do not add the second
entry in iptables I will never receive the SYN+ACK.
Then in createPinhole() (assume an allow-all policy)
For example, I think that you need to add an additional line after
    else if (ruleaction == 2){
        sprintf(buf, "iptables -A natfwforward -p tcp -s %s/%d --sport %d -d %s/%d --dport %d -j DROP ",
                saddrbuf, srcPrefix, srcPort,
                daddrbuf, destPrefix, destPort);
for example something like
        /* same rule with source and destination swapped, so the return
           direction of the flow is covered as well */
        sprintf(buf, "iptables -A natfwforward -p tcp -s %s/%d --sport %d -d %s/%d --dport %d -j DROP ",
                daddrbuf, destPrefix, destPort,
                saddrbuf, srcPrefix, srcPort);
Note the swap of origin/destination IPs and ports.
Regards,
Sergio
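The point of the mail, as an added example that is not code from the thread or from the NSIS NATFW implementation: a minimal stateless packet filter with a deny-all default policy, evaluated over the three TCP handshake packets of Sergio's example. With only the forward rule the SYN+ACK is dropped; `pinhole_rules()` builds the swapped second rule the way createPinhole() would need to. The chain name and the command format are assumptions for illustration.

```python
# Added example (not from the thread or the NATFW code): a stateless filter
# with a deny-all default, showing why one pinhole needs two directional rules.
from collections import namedtuple

Rule = namedtuple("Rule", "src sport dst dport action")
Packet = namedtuple("Packet", "src sport dst dport flags")

def match(rule, pkt):
    """A stateless rule matches only packets travelling in its own direction."""
    return (rule.src, rule.sport, rule.dst, rule.dport) == \
           (pkt.src, pkt.sport, pkt.dst, pkt.dport)

def verdict(rules, pkt, policy="DROP"):
    """First matching rule wins; otherwise the chain policy (deny-all) applies."""
    for rule in rules:
        if match(rule, pkt):
            return rule.action
    return policy

def pinhole_rules(src, sport, dst, dport, action="ACCEPT"):
    """Both directions of one flow: the second rule is the first one with
    source and destination (IP and port) swapped."""
    return [Rule(src, sport, dst, dport, action),
            Rule(dst, dport, src, sport, action)]

def iptables_cmds(rules, chain="natfwforward"):
    """Render the rules as iptables commands (chain name assumed for illustration)."""
    return ["iptables -A %s -p tcp -s %s --sport %d -d %s --dport %d -j %s"
            % (chain, r.src, r.sport, r.dst, r.dport, r.action) for r in rules]

# Addresses from the mail; the three handshake packets are constructed here.
MYPC, WWW = "200.233.16.6", "200.233.228.9"
HANDSHAKE = [Packet(MYPC, 4000, WWW, 80, "SYN"),
             Packet(WWW, 80, MYPC, 4000, "SYN+ACK"),
             Packet(MYPC, 4000, WWW, 80, "ACK")]

def run(rules):
    """Verdict for each handshake packet under the given rule list."""
    return [(p.flags, verdict(rules, p)) for p in HANDSHAKE]

if __name__ == "__main__":
    both = pinhole_rules(MYPC, 4000, WWW, 80)
    print("one rule :", run(both[:1]))   # SYN+ACK is DROPped by the policy
    print("two rules:", run(both))       # all three packets ACCEPTed
    for cmd in iptables_cmds(both):
        print(cmd)
```

The model is deliberately stateless to mirror the per-direction rules discussed in the thread; with connection tracking (`-m state --state ESTABLISHED`) a single stateful rule would admit the return packets instead.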
>> 3)
>> (Remember that my default policy is deny-all.) then at the FW I
>> need NOT 1 but 2 rules !! , i.e.:
>>
>> Rule 1) Allow traffic from 10.1.1.5 -port 5000 to 10.1.2.11-port 80
>>
>> and
>>
>> Rule 2) Allow traffic from 10.1.2.11-port 80 to 10.1.1.5 -port 5000
>>
>>
>> Otherwise (with only 1 rule) the FW will filter the traffic in one
>> or other direction.
>>
>>
>> Do you agree? Comments?
>>
>>
>> My question is :
>>
>> 1) Should I use 1 time nsis-natfw and open the traffic for both
>> sides (i.e. 2 calls to Iptables in createPinhole())?
>>
>> or
>>
>> 2) Should I use 2 times nsis-natfw and open the traffic for one
>> direction per execution?
>>
>>
>> (I think that the correct answer is 1, otherwise, how should
>> the MRI be in case 2...)
>
> NSIS signaling (and thus the meaning on the NSLP layer) is
> uni-directional. Thus you are right, that one signaling session will
> only open one direction. You will have to initiate NSIS signaling from
> both sides (!) to open the pinhole if your data is bi-directional.
> So the correct answer is your case 2 and the MRI is straightforward. A
> bi-directional flow is just a set of 2 uni-directional flows
> and so you need 2 NSIS sessions and the corresponding MRIs are just as
> usual. In your example:
> You run the NATFW client on 10.1.1.5 with MRI set to (10.1.1.5 -port
> 5000 to 10.1.2.11-port 80) and
> you run the NATFW client on 10.1.2.11 with MRI set to (10.1.2.11-port
> 80 to 10.1.1.5 -port 5000).
>
> Henning: Is this correct for the NATFW NSLP?
>