Re: IP Firewalling/Redirect

Major'Trips' (major@jimco-fwt.com)
Tue, 5 Jan 1999 17:34:36 -0600


On Wed, Jan 06, 1999 at 09:53:20AM +1100, John Newnham wrote:
> In article <19990103234550.A3743@jimco-fwt.com> you write:
> > On Sun, Jan 03, 1999 at 05:50:38AM -0600, Major'Trips' wrote:
> > > Problems came when I tried to ping/telnet etc. (use anything
> > > other than nslookup). The request would hang and I would get back
> > > something to the effect of "host not found" after a timeout period.
> ...
> > Thus I would recommend that upon handling a redirection on
> > the input I would think the output of that port would need to
> > be translated in some way to perform a truly transparent
> > feature.
>
> UDP is a datagram protocol. It does not form a virtual circuit.
>
> TCP is a connected protocol. It _does_ form a circuit, as soon as
> the connection is made. The circuit carries data in both directions.
>
> You have redirected the UDP traffic flowing in one direction.
> You have _not_ redirected the UDP traffic flowing in the other
> direction.
>
> Things are working exactly as they are designed to work.
>
> bfn,
>
> ashtray

ipfwadm man page:
-r [port]
Redirect packets to a local socket. When this option is
set, packets accepted by this rule will be redirected to
a local socket, even if they were sent to a remote host.
If the specified redirection port is 0, which is the
default value, the destination port of a packet will be
used as the redirection port. This option is only valid
in input firewall rules with policy accept and can only
be used when the Linux kernel is compiled with
CONFIG_IP_TRANSPARENT_PROXY defined.

ipchains manpage:
REDIRECT is only legal for the input and user-defined
chains and can only be used when the Linux kernel is
compiled with CONFIG_IP_TRANSPARENT_PROXY defined. With
this, packets will be redirected to a local socket, even
if they were sent to a remote host. If the specified
redirection port is 0, which is the default value, the
destination port of a packet will be used as the
redirection port. When this target is used, an optional
extra argument (the port number) can be supplied.

Both man pages show that the redirect rule is only legal for
input rules. It is possible to do a redirection on
the outbound .. but that seems to entail spawning a user
land application that utilizes MSG_PROXY on the socket
itself. In short, bind to the socket and handle redirection
from user land.

If UDP Redirection via the kernel firewalling rules cannot
be handled then why is it an option?

-- 
   "Reality is what you can get away with!"
                      ++Robert Anton Wilson
   Major'Trips'
   E-Mail   : shadow@cyberwizards.com || major@jimco-fwt.com

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
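Added example for this thread (not code from the original posts, ipfwadm or ipchains): a loopback-only emulation of the one-direction UDP redirect ashtray describes, using the user-land relay the man pages leave you with. The "server", "proxy" and "client" addresses are all constructed here on 127.0.0.1, and the kernel's REDIRECT step is emulated by addressing the proxy socket directly. It shows the two addresses no input-chain rule ever rewrites: the source the real server sees (the proxy, not the client) and the source the client sees in the reply (the proxy, not the host it sent to).

```python
import socket

# Added example, not code from the original thread. Emulates an
# ipchains-style REDIRECT of a single UDP datagram to a local socket
# and the user-land relay that forwards it. All addresses are
# ephemeral loopback ports constructed at run time.


def _udp_socket():
    """Bind a UDP socket to an ephemeral loopback port with a short timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    s.settimeout(2.0)
    return s


def run_redirected_exchange():
    """Send one request through a user-land UDP relay and report who saw what.

    Returns a dict describing the two addresses the redirect never
    rewrote: the source the server saw, and the source the client saw.
    """
    server = _udp_socket()   # the remote host the client actually addresses
    proxy = _udp_socket()    # the local socket REDIRECT delivers to
    client = _udp_socket()
    try:
        server_addr = server.getsockname()
        client_addr = client.getsockname()
        proxy_addr = proxy.getsockname()

        # The client believes it is sending to server_addr; the input-chain
        # REDIRECT rule makes the kernel hand the datagram to proxy_addr.
        # That kernel step is emulated here by addressing the proxy directly.
        client.sendto(b"ping", proxy_addr)

        # Proxy receives on its own socket and forwards from user land.
        data, seen_by_proxy = proxy.recvfrom(512)
        proxy.sendto(data, server_addr)

        # The server answers whoever sent to it: the proxy, not the client.
        request, seen_by_server = server.recvfrom(512)
        server.sendto(b"pong:" + request, seen_by_server)

        # Proxy relays the answer back. Its source is proxy_addr, because
        # nothing translates the output direction.
        reply, _ = proxy.recvfrom(512)
        proxy.sendto(reply, seen_by_proxy)

        payload, seen_by_client = client.recvfrom(512)

        return {
            "payload": payload,
            "server_saw_client": seen_by_server == client_addr,
            "reply_from_expected_host": seen_by_client == server_addr,
            # A connect()ed UDP socket, or a resolver that checks the reply
            # source, discards a reply whose source is not the address it
            # sent to: the request then hangs until it times out.
            "strict_client_accepts": seen_by_client == server_addr,
        }
    finally:
        for s in (server, proxy, client):
            s.close()


if __name__ == "__main__":
    for key, value in run_redirected_exchange().items():
        print(f"{key}: {value!r}")
```

The payload round-trips fine, which is why a tool that ignores the reply's source address works while one that checks it (a connected socket, a source-checking resolver) sits and waits. Making the reply leave with the original destination as its source is the output-side translation the poster asks about; an ordinary bound socket cannot do that, which is where the MSG_PROXY path in user land comes in.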