jdong
Eat A Beaver, Save A Tree.
Premium Member
join:2002-07-09
Rochester, MI

D-Link 524 Router: Letting a few packets through?

DISCLAIMER: I am NOT a paranoid freak! I want an educational discussion, not the whole aren't-you-too-paranoid thing....

I've noticed that the above-modelled router (I replaced my Linux router with it -- needed Wifi and an extra computer!) lets some unsolicited packets through -- on everything from web browsing to torrenting.

Symptom: Usually immediately after aborting a torrent, I'll get 2-3 packets getting NATted in by the router to my desktop, but my IPTables-based Linux firewall rejects the packets as unsolicited.

So, back to a topic I started a LONG time ago: Are all NAT devices stateful?

Why are these packets going through?

B04
Premium Member
join:2000-10-28

Re: D-Link 524 Router: Letting a few packets through?

Please explain. BitTorrent won't work a damn unless you specifically open the inbound ports at the router. So I assume you've done that.

And of course BitTorrent effectively forces you to upload while you download.

So isn't that port always open as far as the router's concerned? So the only question is why it continues to forward the inbound traffic to your PARTICULAR private address?

And then the answer would be, because the sessions YOU established with outside hosts, typically several to many for a BitTorrent session, have been in active communication with you and continue to try to reach you after you've stopped, and that the time-out period for the NAT table has yet to be reached?

It's not as if STRANGE hosts can use this window -- I think they'd have to be hosts who had ALREADY established a successful session with you, or vice versa. No?

-- B

jdong
Eat A Beaver, Save A Tree.
Premium Member
join:2002-07-09
Rochester, MI

Ok, let me clarify:

I establish an outgoing connection to a bittorrent peer. All incoming BT data from that peer is NAT'ted to me.

However, when I close the connection, I always get 5 or so unsolicited packets being NAT'ted in. Even though I closed the connection, NAT is still routing that source to me!

TheWiseGuy
Dog And Butterfly
MVM
join:2002-07-04
East Stroudsburg, PA

NAT is not stateful. But technically, even in a stateful firewall, if you close a connection, some packets should be allowed inbound from the other user. You would need to run a packet sniffer to see if the router is allowing packets it shouldn't or if IPTables was denying those it should have allowed, though both could be allowing/denying packets correctly.

Background Information
»www.freesoft.org/CIE/Cou ··· 4/11.htm

see figure 6
»www.faqs.org/rfcs/rfc793.html

Part of whether the firewall allows the packets would depend on how the connection is closed and whether a RST or FIN is sent.

»www.faqs.org/docs/iptabl ··· ons.html
said by Iptables Tutorial 1.1.19:

If the connection is reset by a RST packet, the state is changed to CLOSE. This means that the connection per default has 10 seconds before the whole connection is definitely closed down. RST packets are not acknowledged in any sense, and will break the connection directly.

Also, timing is important and not absolute.

said by Iptables Tutorial 1.1.19:

Here is the complete list of possible states that a TCP stream may take, and their timeout values.

Table 4-2. Internal states

State          Timeout value
NONE           30 minutes
ESTABLISHED    5 days
SYN_SENT       2 minutes
SYN_RECV       60 seconds
FIN_WAIT       2 minutes
TIME_WAIT      2 minutes
CLOSE          10 seconds
CLOSE_WAIT     12 hours
LAST_ACK       30 seconds
LISTEN         2 minutes

These values are most definitely not absolute. They may change with kernel revisions, and they may also be changed via the proc file-system in the /proc/sys/net/ipv4/netfilter/ip_ct_tcp_* variables. The default values should, however, be fairly well established in practice. These values are set in jiffies (or 1/100th parts of seconds), so 3000 means 30 seconds.

So while both may be stateful, they may have different timeout values for the states.
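As an added illustration of the states and timeouts quoted above (example code written for this page, not the router's firmware and not the netfilter source), here is a toy Python model of a netfilter-style TCP connection tracker. It uses the timeout values from the table, accepts any packet while a live entry exists, and only lets an outbound SYN create a new entry. The state transitions are simplified (one FIN per side, no sequence-number window checks) and the two packet traces are constructed for the example: a polite FIN close followed by straggler data from the peer, and an RST abort followed by the same.

```python
# Added example, not code from the thread or from D-Link: a toy model of a
# netfilter-style TCP connection tracker using the state timeouts quoted
# above.  It shows why a few peer packets are still forwarded after the
# local side closes (FIN or RST), and when they stop being forwarded.
# The packet traces below are constructed for the example.
from dataclasses import dataclass, field

# Timeouts in seconds, from the Iptables Tutorial table quoted above.
TIMEOUTS = {
    "SYN_SENT": 120, "SYN_RECV": 60, "ESTABLISHED": 5 * 86400,
    "FIN_WAIT": 120, "TIME_WAIT": 120, "CLOSE": 10,
    "CLOSE_WAIT": 12 * 3600, "LAST_ACK": 30,
}


@dataclass
class Packet:
    t: float          # arrival time in seconds
    direction: str    # "out" = LAN host -> peer, "in" = peer -> LAN host
    flags: frozenset  # TCP flags, e.g. frozenset({"FIN", "ACK"})


@dataclass
class TcpTracker:
    """Conntrack entry for one 5-tuple.  Packets are forwarded while the
    entry exists and has not timed out; only an outbound SYN creates one."""
    state: str = "NONE"
    expires: float = 0.0
    fins: dict = field(default_factory=lambda: {"out": False, "in": False})

    def _enter(self, state, t):
        self.state = state
        self.expires = t + TIMEOUTS[state]

    def feed(self, p):
        """Return (forwarded, state_after) for one packet."""
        if self.state == "NONE" or p.t >= self.expires:
            # No live entry: drop everything except a new outbound SYN.
            self.state, self.fins = "NONE", {"out": False, "in": False}
            if p.direction == "out" and p.flags == frozenset({"SYN"}):
                self._enter("SYN_SENT", p.t)
                return True, self.state
            return False, "NONE"
        # Live entry: the packet is forwarded, then the state machine advances.
        if "RST" in p.flags:
            self._enter("CLOSE", p.t)          # reset: 10 s, then the entry is gone
        elif self.state == "SYN_SENT" and p.direction == "in" and {"SYN", "ACK"} <= p.flags:
            self._enter("SYN_RECV", p.t)
        elif self.state == "SYN_RECV" and p.direction == "out" and "ACK" in p.flags:
            self._enter("ESTABLISHED", p.t)
        elif "FIN" in p.flags:
            self.fins[p.direction] = True
            # first FIN -> FIN_WAIT; the opposite side's FIN -> LAST_ACK
            self._enter("LAST_ACK" if all(self.fins.values()) else "FIN_WAIT", p.t)
        elif self.state == "LAST_ACK" and "ACK" in p.flags:
            self._enter("TIME_WAIT", p.t)      # final ACK: entry lingers 2 minutes
        else:
            self._enter(self.state, p.t)       # any other packet refreshes the timer
        return True, self.state


def run(packets):
    """Feed a trace through a fresh tracker; return [(t, direction, forwarded, state)]."""
    tr = TcpTracker()
    return [(p.t, p.direction, *tr.feed(p)) for p in packets]


def handshake():
    F = frozenset
    return [Packet(0.00, "out", F({"SYN"})),
            Packet(0.05, "in", F({"SYN", "ACK"})),
            Packet(0.10, "out", F({"ACK"})),
            Packet(1.00, "in", F({"ACK"}))]       # torrent data from the peer


def fin_close_trace():
    """Local client closes politely; peer answers; straggler data follows."""
    F = frozenset
    return handshake() + [
        Packet(10.00, "out", F({"FIN", "ACK"})),  # local side closes
        Packet(10.05, "in", F({"FIN", "ACK"})),   # peer closes too
        Packet(10.10, "out", F({"ACK"})),         # -> TIME_WAIT
        Packet(15.00, "in", F({"ACK"})),          # late peer packet: still forwarded
        Packet(200.0, "in", F({"ACK"})),          # past TIME_WAIT: dropped
    ]


def rst_close_trace():
    """Client aborts with RST; the CLOSE window is only 10 s."""
    F = frozenset
    return handshake() + [
        Packet(10.00, "out", F({"RST"})),
        Packet(15.00, "in", F({"ACK"})),          # within CLOSE timeout: forwarded
        Packet(25.00, "in", F({"ACK"})),          # expired: dropped
    ]


if __name__ == "__main__":
    for name, trace in (("FIN close", fin_close_trace()), ("RST abort", rst_close_trace())):
        print(name)
        for t, d, fwd, st in run(trace):
            print(f"  t={t:6.2f}s {d:>3} {'forward' if fwd else 'drop':7} {st}")
```

With these timeouts the tracker forwards the peer's late packets for up to two minutes after a FIN close and ten seconds after an RST, and a host that never had an entry (an unsolicited inbound SYN) is dropped the whole time; that is the window B04 and TheWiseGuy describe. Whether the D-Link firmware uses exactly these values is not something the thread establishes, which is why TheWiseGuy's advice to sniff on both sides of the router is the right check.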

jdong
Eat A Beaver, Save A Tree.
Premium Member
join:2002-07-09
Rochester, MI

Ok, I think that explains it. Thanks.

VirtualLarry
Premium Member
join:2003-08-01

to jdong

said by jdong:

However, when I close the connection, I always get 5 or so unsolicited packets being NAT'ted in. Even though I closed the connection, NAT is still routing that source to me!

Just a thought, but those routers do buffer some packets - perhaps when you clicked "stop" in the software on the host system, those packets were already en route somewhere, possibly already sitting in buffers on the router. Another might be (if they are UDP) that, since UDP isn't connection-oriented, NAT devices have to fake the statefulness, and they do that via a timeout mechanism, which I would assume would probably leave a window on the order of 30s or so for packets to continue to find their way in.