[CentOS] Firewall frustration

Fri Jan 4 15:12:12 UTC 2008
Robert Moskowitz <rgm at htt-consult.com>

Christopher Chan wrote:
>
>> ip src/dest is used for routing decisions by the kernel. The IP state 
>> machine (check the RFC or any decent TCP/IP textbook) is really quite 
>> simple. But iptables sticks its nose into the center of that state 
>> machine and can mangle addresses to change how packets flow through 
>> the machine, or just simply yank packets right out of the machine 
>> with a simple NO (drop).
>>
>> So in my mind's eye of the IP state machine (my MSU CPS 410 prof was 
>> death on state machines; turn in a perfectly executing assignment 
>> without one and there went half your grade. See HIP for its state 
>> machine) is dictated by iptables as to what it is allowed to route.
>
> That just means iptables can influence routing by manipulating packet 
> headers. Routing is still controlled by the kernel. 
We are playing with words here, and English tends to be too rich in 
interpretation. I work on standards. I left one regional joke in an 
RFC: 2410, the Null ESP cipher. There we joke about the null cipher 
having a key length of zero. A very American joke, for at the time we were 
killing aspects of the ITAR control on crypto export. But a few years 
later, over at my day job at ICSAlabs, we are trying to figure out why 
this one firewall product for TW is not working with the others. The 
connections are terminated in the ISAKMP negotiation. We dig down and 
find that there is an ISAKMP ESP-NULL proposal with a key payload with a 
value of zero. No one else is accepting this and rejects the whole 
ISAKMP exchange per the ISAKMP RFC. We then find a few other IPsec 
implementations coming out like this, and all the authors are people 
following on, just reading the RFCs and NOT getting the joke. There are 
some MAD developers as they have to change their code, and some blushing 
IETFers as we realize we have to maintain the lore of the RFC 
development, as there are other RFCs with zingers in them.

Over at the IEEE 802, we are voting ballots on wording that can be 
interpreted one way with the Webster dictionary and another with the 
Oxford dictionary.

So I am right about iptables controlling routing and you are right about 
iptables NOT controlling routing, only influencing it. What does 
'control' mean in this context? IEEE is really big on state machines and 
truly covers the transfer of 'control' from one layer to another. Look 
at the MLME in 802.11. Look at the 802.1X machines. So since I have to 
live this control architecture and work in live debates about what layer 
is controlling what, I have a particular language set.

BTW, should we table this debate? Webster says that means stopping, 
'taking the subject off the table.' Oxford says that means to start, 
'placing the subject on the table.' Boy did we have some moments back in 
the mid-90s when the ISO crowd descended on the IETF. Also, can we reach 
a consensus here? Webster will accept a majority, Oxford wants complete 
agreement. (Or at least that is what these sources said back in the 
mid-90s when we lived Bernard Shaw's line of: 'Two nations separated by 
a common language')

:)

Now I have to hop over to the Asterisk list to figure out why with one 
firewall the INVITE properly redirects the RTP to the RTP server, and 
with the other firewall this is not in the INVITE so the RTP flow 
does not..... ARGH!!!!!