Hi Sergio,
These ICMP packets are triggered by your TCP/IP stack, because there is no process listening on these ports.
There is nothing wrong here; this is absolutely expected given the way GIST intercepts packets (BPF, raw sockets).
I have not looked into your dumps in detail, but I assume that this problem is not related to a particular NSLP, but to GIST (try the Ping NSLP).
Right now we don't bother about this, or filter it in a firewall outbound chain (ugly!). Finally, we need something clean here, of course. Suggestions?
Henning
sergiole@tml.hut.fi wrote:
Hello,
I have some ICMP packets with the content (Destination unreachable) / (Port unreachable) when I use CREATE in NATFW. Could you suggest if it is a problem of the implementation or configuration?
The scenario is:

   DS/NI                      NF                        NR
  10.1.1.5            10.1.1.7 / 10.1.2.7            10.1.2.11
     .                         .                         .
     .---------CREATE---------->.                         .
     .                         .---------CREATE---------->.
     .                         .<-------RESPONSE---------.
     .<-------RESPONSE---------.                         .
     .                         .                         .
by using in the NI: ./nsis-natfw --create -s 10.1.1.5 -d 10.1.2.11 --sport 5004 --dport 5019
The flow above is OK, but I have some ICMP packets with the content (Destination unreachable) / (Port unreachable). See frames 3, 12 and 14 below.
The config.ini files are as follows:

{ NI Node 10.1.1.5
  IPv4[0].addr = 10.1.1.5
  IPv4[0].net = 0.0.0.0
  IPv4[0].mask = 0
  IPv4[0].natfw.useAsExternalAddress = yes
  IPv4[0].natfw.isPrivateNet = yes
  natfw.isNAT = no
  natfw.isFW = no
}

{ NF Node 10.1.1.7 / 10.1.2.7
  IPv4[0].addr = 10.1.1.7
  IPv4[0].net = 10.1.1.0
  IPv4[0].mask = 24
  IPv4[0].natfw.useAsExternalAddress = no
  IPv4[0].natfw.isPrivateNet = yes
  IPv4[1].addr = 10.1.2.7
  IPv4[1].net = 10.1.2.0
  IPv4[1].mask = 24
  IPv4[1].natfw.useAsExternalAddress = yes
  IPv4[1].natfw.isPrivateNet = no
  natfw.isNAT = no
  natfw.isFW = yes
}

{ NR Node 10.1.2.11
  IPv4[0].addr = 10.1.2.11
  IPv4[0].net = 0.0.0.0
  IPv4[0].mask = 0
  IPv4[0].natfw.useAsExternalAddress = yes
  IPv4[0].natfw.isPrivateNet = no
  natfw.isNAT = no
  natfw.isFW = no
}
Ethereal dump:

Frame 1 (190 bytes on wire, 190 bytes captured)
  Protocols in frame: eth:ip:udp:gist
  Internet Protocol, Src Addr: 10.1.1.5 (10.1.1.5), Dst Addr: 10.1.2.11 (10.1.2.11)
  User Datagram Protocol, Src Port: 33113 (33113), Dst Port: 4 (4)
  General Internet Signaling Transport
    Signaling Application ID: NAT/FW NSLP (3)
    Type: Query (0)

Frame 2 (226 bytes on wire, 226 bytes captured)
  Protocols in frame: eth:ip:udp:gist
  Internet Protocol, Src Addr: 10.1.1.7 (10.1.1.7), Dst Addr: 10.1.1.5 (10.1.1.5)
  User Datagram Protocol, Src Port: 33086 (33086), Dst Port: 4 (4)
  General Internet Signaling Transport
    Signaling Application ID: NAT/FW NSLP (3)
    Type: response (1)

Frame 3 (254 bytes on wire, 254 bytes captured)
  Protocols in frame: eth:ip:icmp:ip:udp:gist
  Internet Protocol, Src Addr: 10.1.1.5 (10.1.1.5), Dst Addr: 10.1.1.7 (10.1.1.7)
  Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 3 (Port unreachable)
    Checksum: 0x13dc (correct)
    Internet Protocol, Src Addr: 10.1.1.7 (10.1.1.7), Dst Addr: 10.1.1.5 (10.1.1.5)
    User Datagram Protocol, Src Port: 33086 (33086), Dst Port: 4 (4)
    General Internet Signaling Transport
      Signaling Application ID: NAT/FW NSLP (3)
      Type: response (1)

Frame 7 (182 bytes on wire, 182 bytes captured)
  Protocols in frame: eth:ip:tcp:gist
  Internet Protocol, Src Addr: 10.1.1.5 (10.1.1.5), Dst Addr: 10.1.1.7 (10.1.1.7)
  Transmission Control Protocol, Src Port: 42338 (42338), Dst Port: 32000 (32000), Seq: 1, Ack: 1, Len: 116
  General Internet Signaling Transport
    Signaling Application ID: NAT/FW NSLP (3)
    Type: Confirm (2)

Frame 9 (206 bytes on wire, 206 bytes captured)
  Protocols in frame: eth:ip:tcp:gist
  Internet Protocol, Src Addr: 10.1.1.5 (10.1.1.5), Dst Addr: 10.1.1.7 (10.1.1.7)
  Transmission Control Protocol, Src Port: 42338 (42338), Dst Port: 32000 (32000), Seq: 117, Ack: 1, Len: 140
  General Internet Signaling Transport
  NAT/FW NSLP (NSIS Signaling Layer Protocol)
    Message Type: CREATE (0x01)

Frame 11 (190 bytes on wire, 190 bytes captured)
  Protocols in frame: eth:ip:udp:gist
  Internet Protocol, Src Addr: 10.1.2.7 (10.1.2.7), Dst Addr: 10.1.2.11 (10.1.2.11)
  User Datagram Protocol, Src Port: 33086 (33086), Dst Port: 4 (4)
  General Internet Signaling Transport
    Signaling Application ID: NAT/FW NSLP (3)
    Type: Query (0)

Frame 12 (218 bytes on wire, 218 bytes captured)
  Protocols in frame: eth:ip:icmp:ip:udp:gist
  Internet Protocol, Src Addr: 10.1.2.11 (10.1.2.11), Dst Addr: 10.1.2.7 (10.1.2.7)
  Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 3 (Port unreachable)
    Internet Protocol, Src Addr: 10.1.2.7 (10.1.2.7), Dst Addr: 10.1.2.11 (10.1.2.11)
    User Datagram Protocol, Src Port: 33086 (33086), Dst Port: 4 (4)
    General Internet Signaling Transport
      Signaling Application ID: NAT/FW NSLP (3)
      Type: Query (0)

Frame 13 (226 bytes on wire, 226 bytes captured)
  Protocols in frame: eth:ip:udp:gist
  Internet Protocol, Src Addr: 10.1.2.11 (10.1.2.11), Dst Addr: 10.1.2.7 (10.1.2.7)
  User Datagram Protocol, Src Port: 33062 (33062), Dst Port: 4 (4)
  General Internet Signaling Transport
    Signaling Application ID: NAT/FW NSLP (3)
    Type: Response (1)

Frame 14 (254 bytes on wire, 254 bytes captured)
  Protocols in frame: eth:ip:icmp:ip:udp:gist
  Internet Protocol, Src Addr: 10.1.2.7 (10.1.2.7), Dst Addr: 10.1.2.11 (10.1.2.11)
  Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 3 (Port unreachable)
    Internet Protocol, Src Addr: 10.1.2.11 (10.1.2.11), Dst Addr: 10.1.2.7 (10.1.2.7)
    User Datagram Protocol, Src Port: 33062 (33062), Dst Port: 4 (4)
    General Internet Signaling Transport
      Signaling Application ID: NAT/FW NSLP (3)
      Type: Response (1)

Frame 18 (182 bytes on wire, 182 bytes captured)
  Protocols in frame: eth:ip:tcp:gist
  Internet Protocol, Src Addr: 10.1.2.7 (10.1.2.7), Dst Addr: 10.1.2.11 (10.1.2.11)
  Transmission Control Protocol, Src Port: 34969 (34969), Dst Port: 32000 (32000), Seq: 1, Ack: 1, Len: 116
  General Internet Signaling Transport

Frame 20 (206 bytes on wire, 206 bytes captured)
  Protocols in frame: eth:ip:tcp:gist
  Internet Protocol, Src Addr: 10.1.2.7 (10.1.2.7), Dst Addr: 10.1.2.11 (10.1.2.11)
  Transmission Control Protocol, Src Port: 34969 (34969), Dst Port: 32000 (32000), Seq: 117, Ack: 1, Len: 140
  General Internet Signaling Transport
    Signaling Application ID: NAT/FW NSLP (3)
    Type: Data (3)
  NAT/FW NSLP (NSIS Signaling Layer Protocol)

Frame 22 (182 bytes on wire, 182 bytes captured)
  Protocols in frame: eth:ip:tcp:gist
  Internet Protocol, Src Addr: 10.1.2.11 (10.1.2.11), Dst Addr: 10.1.2.7 (10.1.2.7)
  Transmission Control Protocol, Src Port: 32000 (32000), Dst Port: 34969 (34969), Seq: 1, Ack: 257, Len: 116
  General Internet Signaling Transport
    Signaling Application ID: NAT/FW NSLP (3)
    Type: Data (3)
  NAT/FW NSLP (NSIS Signaling Layer Protocol)

Frame 24 (182 bytes on wire, 182 bytes captured)
  Protocols in frame: eth:ip:tcp:gist
  Internet Protocol, Src Addr: 10.1.1.7 (10.1.1.7), Dst Addr: 10.1.1.5 (10.1.1.5)
  Transmission Control Protocol, Src Port: 32000 (32000), Dst Port: 42338 (42338), Seq: 1, Ack: 257, Len: 116
  General Internet Signaling Transport
  NAT/FW NSLP (NSIS Signaling Layer Protocol)
    Message Type: RESPONSE (0x04)
Regards,
Sergio
Nsis_Imp mailing list
Nsis_Imp@informatik.uni-goettingen.de
https://user.informatik.uni-goettingen.de/mailman/listinfo/nsis_imp
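To make Henning's diagnosis concrete, here is an added example (my own Python, not code from the NSIS implementation or from either poster): it sends a UDP datagram to a loopback port with nothing bound and reads the resulting ICMP Port Unreachable back as ECONNREFUSED, then repeats the probe while a placeholder socket holds the port, which is one assumed option for the "clean" handling Henning asks about. It assumes Linux with a working loopback interface and uses a kernel-chosen ephemeral port instead of the GIST UDP port 4 seen in the dump.

```python
import socket

LOOPBACK = "127.0.0.1"


def probe_udp_port(port: int, host: str = LOOPBACK, timeout: float = 1.0) -> str:
    """Send one datagram from a *connected* UDP socket and report what came back.

    When no socket is bound to host:port, the receiving stack answers with
    ICMP type 3 / code 3 (Destination unreachable / Port unreachable), the
    same frames 3, 12 and 14 show for GIST's UDP port.  Linux maps that ICMP
    error onto ECONNREFUSED for the connected sender, so the next recv()
    raises.  A timeout means the datagram was queued and no ICMP was sent.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as probe:
        probe.settimeout(timeout)
        probe.connect((host, port))
        # Constructed payload; not a real GIST message.
        probe.send(b"constructed probe payload")
        try:
            probe.recv(1500)
        except ConnectionRefusedError:
            return "icmp-port-unreachable"
        except socket.timeout:
            return "silent"
    return "answered"


def free_loopback_port() -> int:
    """Ask the kernel for an unused UDP port (port 4 would need root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tmp:
        tmp.bind((LOOPBACK, 0))
        return tmp.getsockname()[1]


def compare_with_and_without_listener(port: int = 0) -> dict:
    """Reproduce the symptom, then show that a placeholder socket bound to the
    port (an assumed option, not what the NSIS code does) makes the kernel
    queue the datagram instead of answering with ICMP."""
    port = port or free_loopback_port()
    without = probe_udp_port(port)
    holder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    holder.bind((LOOPBACK, port))          # bound, but never read from
    try:
        with_listener = probe_udp_port(port)
    finally:
        holder.close()
    return {"port": port, "without_listener": without, "with_listener": with_listener}


if __name__ == "__main__":
    print(compare_with_and_without_listener())
```

A BPF or raw-socket capture on the same host would still see every datagram in both runs; only the kernel's ICMP reply changes.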