Re: [GD-General] NAT Negotiation
From: Aaron D. <ri...@in...> - 2004-01-12 22:53:27
On Mon, 12 Jan 2004 10:49 pm, Magnus Auvinen wrote:

> Now the C1 and C2 can communicate with each other. I don't know if this
> works because of the assumption at point 4. You could perhaps use some
> other algorithm to predict what port will be the next one (don't have PP
> installed so I can't look at the .ppt file).

This is a *BAD* idea.

I know that Linux doesn't just use the local port number for NAT connections but also the external destination address and destination port number. This is the most correct way to operate (especially from a security point of view), and any NAT implementation that relies on anything less (such as _only_ the local port number as you suggest) is clearly broken and should NOT be relied upon.

The ONLY reliable way to do this is to have some mutually accessible server in the middle and use it to explicitly relay traffic between NATed clients.

For the more educated users, port forwarding on the NAT device can allow incoming connections in, but there is currently no (universal) NAT technology that allows a client to open a listening socket on the NAT device. The closest technology I can think of is Windows connection sharing, but you won't find that being used in 95% of all NAT devices on the Internet (most will be ADSL/Cable modems).