[OpenAFS-devel] nat mode
Roland Kuhn
rkuhn@e18.physik.tu-muenchen.de
Thu, 16 Feb 2006 10:53:45 +0100
--Apple-Mail-21-715151801
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Hi Jeff!
On 15 Feb 2006, at 16:12, Jeffrey Altman wrote:
> Derek Atkins wrote:
>> Quoting Jeffrey Altman <jaltman@secure-endpoints.com>:
>> True, but a) that assumes multiple clients behind a NAT (which
>> isn't always
>> the case), and b) server support to track by port was added a
>> while ago,
>> even if there are still bugs in it.
>
> The port tracking code was broken enough that it might as well have
> not
> been there. Once the connection dropped the server would always
> attempt
> to contact the client on port 7001 regardless of what port was used.
>
> If you had more than one client behind a NAT, only one of the clients
> would ever get callback breaks.
>
> I haven't thought through all of the ramifications of decreasing the
> time between pings for a large number of clients. Too be honest, I
> don't want to. My head hurts enough already.
>
It seems like this UDP-based NAT has a lot more problems than I was
aware of. If the firewall were to do NAT based on the RX connections
instead, would that work? What I have in mind is a scheme where a
(potentially large) number of clients are behind a firewall which
looks to a server like a single client with very many open RX
connections, all on port 7001. Are there limitations? Does anybody
know of a RX-aware connection tracking code?
Ciao,
Roland
--
TU Muenchen, Physik-Department E18, James-Franck-Str., 85748 Garching
Telefon 089/289-12575; Telefax 089/289-12570
--
CERN office: 892-1-D23 phone: +41 22 7676540 mobile: +41 76 487 4482
--
UNIX was not designed to stop you from doing stupid things, because that
would also stop you from doing clever things.
-Doug Gwyn
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GS/CS/M/MU d-(++) s:+ a-> C+++ UL++++ P+++ L+++ E(+) W+ !N K- w--- M
+ !V Y+
PGP++ t+(++) 5 R+ tv-- b+ DI++ e+++>++++ h---- y+++
------END GEEK CODE BLOCK------
--Apple-Mail-21-715151801
content-type: application/pgp-signature; x-mac-type=70674453;
name=PGP.sig
content-description: This is a digitally signed message part
content-disposition: inline; filename=PGP.sig
content-transfer-encoding: 7bit
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (Darwin)
iD8DBQFD9EutI4MWO8QIRP0RAg5sAKCjwKB+s0BOz3QDvQ6mjDZUhco0KwCdE7ng
eh63Kd6CYknSnUaJqe2Nx0M=
=Oi3j
-----END PGP SIGNATURE-----
--Apple-Mail-21-715151801--