Hi Jeff!

On 15 Feb 2006, at 16:12, Jeffrey Altman wrote:

Derek Atkins wrote:
Quoting Jeffrey Altman <[EMAIL PROTECTED]>:
True, but a) that assumes multiple clients behind a NAT (which isn't always the case), and b) server support to track by port was added a while ago,
even if there are still bugs in it.

The port tracking code was broken enough that it might as well have not been there. Once the connection dropped the server would always attempt
to contact the client on port 7001 regardless of what port was used.

If you had more than one client behind a NAT, only one of the clients
would ever get callback breaks.

I haven't thought through all of the ramifications of decreasing the
time between pings for a large number of clients.  To be honest, I
don't want to.  My head hurts enough already.

It seems like this UDP-based NAT has a lot more problems than I was aware of. If the firewall were to do NAT based on the RX connections instead, would that work? What I have in mind is a scheme where a (potentially large) number of clients are behind a firewall which looks to a server like a single client with very many open RX connections, all on port 7001. Are there limitations? Does anybody know of an RX-aware connection tracking code?

Ciao,
                    Roland

--
TU Muenchen, Physik-Department E18, James-Franck-Str., 85748 Garching
Telefon 089/289-12575; Telefax 089/289-12570
--
CERN office: 892-1-D23 phone: +41 22 7676540 mobile: +41 76 487 4482
--
UNIX was not designed to stop you from doing stupid things, because that
would also stop you from doing clever things.
        -Doug Gwyn