Re: Why does Debian allow all incoming traffic by default

To: debian-user@lists.debian.org
Subject: Re: Why does Debian allow all incoming traffic by default
From: Pascal Hambourg <pascal@plouf.fr.eu.org>
Date: Thu, 27 Sep 2018 13:49:49 +0200
Message-id: <[🔎] 4990a7dd-1c87-87f8-04ea-c973412471b3@plouf.fr.eu.org>
In-reply-to: <[🔎] 20180923094112.715bc948@jresid.jretrading.com>
References: <[🔎] da96e6a3-ac34-8d4f-7784-4776e95aee5f@gmail.com> <[🔎] bh6g7f-m69.ln1@anthive.com> <[🔎] 20180922083919.702085e1@jresid.jretrading.com> <[🔎] 988ffafb-253f-ed90-af69-13153cec5a88@plouf.fr.eu.org> <[🔎] 20180922121111.60d4b42c@jresid.jretrading.com> <[🔎] f7cbabee-1809-1be6-458b-9bd87e291ad6@plouf.fr.eu.org> <[🔎] 20180923094112.715bc948@jresid.jretrading.com>

Le 23/09/2018 à 10:41, Joe a écrit :

On Sat, 22 Sep 2018 17:07:59 +0200
Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:

PPTP does require specific NAT support for the GRE protocol.
Use case : two clients of the same PPTP server share the same public
IP address.


It doesn't work, see below.


It can work if and only if the NAT device has specific support for PPTP.

The GRE header used by PPTP contains a "Call ID" field which acts as asort of destination port and can be used to associate the packet with anexisting PPTP session.

The second
person to make the attempt could not make contact until about two
minutes after the first had disconnected.


Yes, until the GRE mapping created for the previous session has expired.

The server sends a GRE packet to the public IP address. How does the
NAT device know which client the packet must be forwarded to ?


Because NAT requires the maintenance of a table of connections, with
source and destination IP addresses, which is exactly what is required
by both stateful firewalling and connection tracking. In this case, for
the first GRE packet, it is connection tracking which uses the table
data to route the packet to the machine with an existing TCP/1723
connection from the same source address.

If the NAT layer has no specific support for PPTP, there is norelationship between the TCP control connection and the GRE streams. Ifthe first GRE packet is sent by the PPTP server, it is just discarded bythe NAT box because no mapping exists yet. The first GRE packet sent bya private client creates a NAT mapping which is used to forwardsubsequent packets sent by the server.

What you can't do with PPTP is make multiple connections between the
same two NAT machines, for this same reason, because GRE doesn't have
the means for being tied to one particular TCP/1723 path. It doesn't
carry the same meta information as does the TCP protocol.

Actually it does, as I mentioned above. When establishing a session overthe TCP control connection, the client and server exchange "Call ID"numbers which are present in the header of the GRE packets sent withinthat session. The Call ID field can be used by NAT as a destination port.


AFAIK, Netfilter PPTP/GRE conntrack and NAT helper modules use it.

Reply to:

References:
- Why does Debian allow all incoming traffic by default
  - From: Subhadip Ghosh <subhadip.sky@gmail.com>
- Re: Why does Debian allow all incoming traffic by default
  - From: songbird <songbird@anthive.com>
- Re: Why does Debian allow all incoming traffic by default
  - From: Joe <joe@jretrading.com>
- Re: Why does Debian allow all incoming traffic by default
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: Why does Debian allow all incoming traffic by default
  - From: Joe <joe@jretrading.com>
- Re: Why does Debian allow all incoming traffic by default
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>
- Re: Why does Debian allow all incoming traffic by default
  - From: Joe <joe@jretrading.com>

Prev by Date: UPDATE - was [Re: Distinguish instances of GUI file manager by color]
Next by Date: Re: question about ls
Previous by thread: Re: Why does Debian allow all incoming traffic by default
Next by thread: Re: Why does Debian allow all incoming traffic by default
Index(es):
- Date
- Thread