Re: [Nsis_imp] NATFW CREATE. ICMP Destination unreachable

Hi Sergio,

these ICMP packets are triggered by your TCP/IP stack, because there is no process listening on these ports.

There is nothing wrong here, this is absolutely expected the way how GIST intercepts packets (BPF, raw sockets).

I have not looked into your dumps in detail, but I assume that this problem is not related to a particular NSLP, but GIST (try Ping NSLP).

Right now we don't bother about this or filter it in a fw outbound chain (ugly!). Finally, we need sth. clean here, of course. Suggestions?

Henning

sergiole@tml.hut.fi wrote:

Hello,

I have some ICMP packets with the content (Destination unreachable) / (Port unreachable) when I use CREATE in NATFW. Could you suggest if it is a problem of the implementation or configuration?

The scenario is

       DS NI                       NF                         NR
     10.1.1.5              10.1.1.7 / 10.1.2.7             10.1.2.11
         .                          .                          .
         .                          .                          .
         .---------CREATE---------->.                          .
         .                          .                          .
         .                          .---------CREATE---------->.
         .                          .                          .
         .                          .<-------RESPONSE----------.
         .<-------RESPONSE----------.                          .
        .                          .                          .

by using in the NI: ./nsis-natfw --create -s 10.1.1.5 -d 10.1.2.11 --sport 5004 --dport 5019

The flow above is Ok, but I have some ICMP packets with the content (Destination unreachable) / (Port unreachable). Frames 3, 12 and 14 below.

Config.ini are as follows

{ NI Node 10.1.1.5

IPv4[0].addr = 10.1.1.5 IPv4[0].net = 0.0.0.0 IPv4[0].mask = 0 IPv4[0].natfw.useAsExternalAddress = yes IPv4[0].natfw.isPrivateNet = yes natfw.isNAT = no natfw.isFW = no }

{ NF Node 10.1.1.7 / 10.1.2.7

IPv4[0].addr = 10.1.1.7 IPv4[0].net = 10.1.1.0 IPv4[0].mask = 24 IPv4[0].natfw.useAsExternalAddress = no IPv4[0].natfw.isPrivateNet = yes

IPv4[1].addr = 10.1.2.7 IPv4[1].net = 10.1.2.0 IPv4[1].mask = 24 IPv4[1].natfw.useAsExternalAddress = yes IPv4[1].natfw.isPrivateNet = no natfw.isNAT = no natfw.isFW = yes }

{ NR Node 10.1.2.11

IPv4[0].addr = 10.1.2.11 IPv4[0].net = 0.0.0.0 IPv4[0].mask = 0 IPv4[0].natfw.useAsExternalAddress = yes IPv4[0].natfw.isPrivateNet = no natfw.isNAT = no natfw.isFW = no }

Ethereal dump:

Frame 1 (190 bytes on wire, 190 bytes captured) Protocols in frame: eth:ip:udp:gist Internet Protocol, Src Addr: 10.1.1.5 (10.1.1.5), Dst Addr: 10.1.2.11 (10.1.2.11) User Datagram Protocol, Src Port: 33113 (33113), Dst Port: 4 (4) General Internet Signaling Transport Signaling Application ID: NAT/FW NSLP (3) Type: Query (0)

Frame 2 (226 bytes on wire, 226 bytes captured) Protocols in frame: eth:ip:udp:gist Internet Protocol, Src Addr: 10.1.1.7 (10.1.1.7), Dst Addr: 10.1.1.5 (10.1.1.5) User Datagram Protocol, Src Port: 33086 (33086), Dst Port: 4 (4) General Internet Signaling Transport Signaling Application ID: NAT/FW NSLP (3) Type: response (1)

Frame 3 (254 bytes on wire, 254 bytes captured) Protocols in frame: eth:ip:icmp:ip:udp:gist Internet Protocol, Src Addr: 10.1.1.5 (10.1.1.5), Dst Addr: 10.1.1.7 (10.1.1.7) Internet Control Message Protocol Type: 3 (Destination unreachable) Code: 3 (Port unreachable) Checksum: 0x13dc (correct) Internet Protocol, Src Addr: 10.1.1.7 (10.1.1.7), Dst Addr: 10.1.1.5 (10.1.1.5) User Datagram Protocol, Src Port: 33086 (33086), Dst Port: 4 (4) General Internet Signaling Transport Signaling Application ID: NAT/FW NSLP (3) Type: response (1)

Frame 7 (182 bytes on wire, 182 bytes captured) Protocols in frame: eth:ip:tcp:gist Internet Protocol, Src Addr: 10.1.1.5 (10.1.1.5), Dst Addr: 10.1.1.7 (10.1.1.7) Transmission Control Protocol, Src Port: 42338 (42338), Dst Port: 32000 (32000), Seq: 1, Ack: 1, Len: 116 General Internet Signaling Transport Signaling Application ID: NAT/FW NSLP (3) Type: Confirm (2)

Frame 9 (206 bytes on wire, 206 bytes captured) Protocols in frame: eth:ip:tcp:gist Internet Protocol, Src Addr: 10.1.1.5 (10.1.1.5), Dst Addr: 10.1.1.7 (10.1.1.7) Transmission Control Protocol, Src Port: 42338 (42338), Dst Port: 32000 (32000), Seq: 117, Ack: 1, Len: 140 General Internet Signaling Transport NAT/FW NSLP (NSIS Signaling Layer Protocol) Message Type: CREATE (0x01)

Frame 11 (190 bytes on wire, 190 bytes captured) Protocols in frame: eth:ip:udp:gist Internet Protocol, Src Addr: 10.1.2.7 (10.1.2.7), Dst Addr: 10.1.2.11 (10.1.2.11) User Datagram Protocol, Src Port: 33086 (33086), Dst Port: 4 (4) General Internet Signaling Transport Signaling Application ID: NAT/FW NSLP (3) Type: Query (0)

Frame 12 (218 bytes on wire, 218 bytes captured) Protocols in frame: eth:ip:icmp:ip:udp:gist Internet Protocol, Src Addr: 10.1.2.11 (10.1.2.11), Dst Addr: 10.1.2.7 (10.1.2.7) Internet Control Message Protocol Type: 3 (Destination unreachable) Code: 3 (Port unreachable) Internet Protocol, Src Addr: 10.1.2.7 (10.1.2.7), Dst Addr: 10.1.2.11 (10.1.2.11) User Datagram Protocol, Src Port: 33086 (33086), Dst Port: 4 (4) General Internet Signaling Transport Signaling Application ID: NAT/FW NSLP (3) Type: Query (0)

Frame 13 (226 bytes on wire, 226 bytes captured) Protocols in frame: eth:ip:udp:gist Internet Protocol, Src Addr: 10.1.2.11 (10.1.2.11), Dst Addr: 10.1.2.7 (10.1.2.7) User Datagram Protocol, Src Port: 33062 (33062), Dst Port: 4 (4) General Internet Signaling Transport Signaling Application ID: NAT/FW NSLP (3) Type: Response (1)

Frame 14 (254 bytes on wire, 254 bytes captured) Protocols in frame: eth:ip:icmp:ip:udp:gist Internet Protocol, Src Addr: 10.1.2.7 (10.1.2.7), Dst Addr: 10.1.2.11 (10.1.2.11) Internet Control Message Protocol Type: 3 (Destination unreachable) Code: 3 (Port unreachable) Internet Protocol, Src Addr: 10.1.2.11 (10.1.2.11), Dst Addr: 10.1.2.7 (10.1.2.7) User Datagram Protocol, Src Port: 33062 (33062), Dst Port: 4 (4) General Internet Signaling Transport Signaling Application ID: NAT/FW NSLP (3) Type: Response (1)

Frame 18 (182 bytes on wire, 182 bytes captured) Protocols in frame: eth:ip:tcp:gist Internet Protocol, Src Addr: 10.1.2.7 (10.1.2.7), Dst Addr: 10.1.2.11 (10.1.2.11) Transmission Control Protocol, Src Port: 34969 (34969), Dst Port: 32000 (32000), Seq: 1, Ack: 1, Len: 116 General Internet Signaling Transport

Frame 20 (206 bytes on wire, 206 bytes captured) Protocols in frame: eth:ip:tcp:gist Internet Protocol, Src Addr: 10.1.2.7 (10.1.2.7), Dst Addr: 10.1.2.11 (10.1.2.11) Transmission Control Protocol, Src Port: 34969 (34969), Dst Port: 32000 (32000), Seq: 117, Ack: 1, Len: 140 General Internet Signaling Transport Signaling Application ID: NAT/FW NSLP (3) Type: Data (3) NAT/FW NSLP (NSIS Signaling Layer Protocol)

Frame 22 (182 bytes on wire, 182 bytes captured) Protocols in frame: eth:ip:tcp:gist Internet Protocol, Src Addr: 10.1.2.11 (10.1.2.11), Dst Addr: 10.1.2.7 (10.1.2.7) Transmission Control Protocol, Src Port: 32000 (32000), Dst Port: 34969 (34969), Seq: 1, Ack: 257, Len: 116 General Internet Signaling Transport Signaling Application ID: NAT/FW NSLP (3) Type: Data (3) NAT/FW NSLP (NSIS Signaling Layer Protocol)

Frame 24 (182 bytes on wire, 182 bytes captured) Protocols in frame: eth:ip:tcp:gist Internet Protocol, Src Addr: 10.1.1.7 (10.1.1.7), Dst Addr: 10.1.1.5 (10.1.1.5) Transmission Control Protocol, Src Port: 32000 (32000), Dst Port: 42338 (42338), Seq: 1, Ack: 257, Len: 116 General Internet Signaling Transport NAT/FW NSLP (NSIS Signaling Layer Protocol) Message Type: RESPONSE (0x04)

Regards,

Sergio

---

Nsis_Imp mailing list Nsis_Imp@informatik.uni-goettingen.de https://user.informatik.uni-goettingen.de/mailman/listinfo/nsis_imp