dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
7
share rss forum feed


jdong
Eat A Beaver, Save A Tree.
Premium
join:2002-07-09
Rochester, MI
kudos:1
reply to jdong

Re: D-Link 524 Router: Letting a few packets throu

Ok, let me clarify:

I establish an outgoing connection to a bittorrent peer. All incoming BT data from that peer is NAT'ted to me.

However, when I close the connection, I always get 5 or so unsolicited packets being NAT'ted in. Even though I closed the connection, NAT is still routing that source to me!
--
Official Ubuntu Linux Forum Super Moderator: try Ubuntu Linux


TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
East Stroudsburg, PA
kudos:3
Reviews:
·Optimum Online

1 edit

1 recommendation

NAT is not stateful. But technically even in a stateful firewall, if you Close a connection, some packets should be allowed Inbound from the other user. You would need to run a packet sniffer to see if the router is allowing packets it shouldn't or if IPTables was denying those it should have allowed, though both could be Allowing/Denying packets correctly.

Background Information
»www.freesoft.org/CIE/Course/Section4/11.htm

see figure 6
»www.faqs.org/rfcs/rfc793.html

Part of whether the firewall allows the packets would depend on how the connection is closed and whether a RST or FIN is sent.

»www.faqs.org/docs/iptables/tcpco···ons.html

said by Iptables Tutorial 1.1.19:

If the connection is reset by a RST packet, the state is changed to CLOSE. This means that the connection per default have 10 seconds before the whole connection is definitely closed down. RST packets are not acknowledged in any sense, and will break the connection directly.
Also timing is important and not absolute.
said by Iptables Tutorial 1.1.19:

Here is the complete list of possible states that a TCP stream may take, and their timeout values.

Table 4-2. Internal states
State           Timeout value
NONE 30 minutes
ESTABLISHED 5 days
SYN_SENT 2 minutes
SYN_RECV 60 seconds
FIN_WAIT 2 minutes
TIME_WAIT 2 minutes
CLOSE 10 seconds
CLOSE_WAIT 12 hours
LAST_ACK 30 seconds
LISTEN> 2 minutes
These values are most definitely not absolute. They may change with kernel revisions, and they may also be changed via the proc file-system in the /proc/sys/net/ipv4/netfilter/ip_ct_tcp_* variables. The default values should, however, be fairly well established in practice. These values are set in jiffies (or 1/100th parts of seconds), so 3000 means 30 seconds.
So while both may be stateful they may have different timeout values for the states.

--
Dog and Butterfly

VirtualLarry
Premium
join:2003-08-01
Reviews:
·DSL EXTREME
reply to jdong

said by jdong:

However, when I close the connection, I always get 5 or so unsolicited packets being NAT'ted in. Even though I closed the connection, NAT is still routing that source to me!
Just a thought, but those routers do buffer some packets - perhaps when you clicked "stop" in the software on the host system, those packets were already en-route somewhere, possibly already sitting in buffers on the router. Another might be (if they are UDP), that since UDP isn't connection-oriented, NAT devices have to fake the statefulness, and they do that via a timeout mechanism, which I would assume would probably leave a window on the order of 30s or so for packets to continue to find their way in.