[nos-bbs] UDP Port Unreachable - problem found
Michael E. Fox - N6MEF
n6mef at mefox.org
Sat Nov 16 01:33:34 EST 2013
I found the problem with the UDP port 93 unreachable message: JNOS is (incorrectly) requiring the source port to also be 93 in AXUDP connections.

When I connect outbound from my JNOS system, through my firewall, the firewall is changing the source port when it performs the outbound NAT. But this is normal for a firewall. In fact, it HAS to do this if it's going to allow for multiple connects of the same protocol from different machines. Many consumer-grade firewalls will leave the source port alone for the first connection (if it's not already in use) and only change it for subsequent connections. SonicWall is a bit more strict, frequently changing the source port, making it harder for intercepted packets to be tracked to any one machine.

Normally, this doesn't matter. Applications/services listen on a particular port and respond to whatever incoming connections use that *destination* port. They don't care what the source port is. Firewalls then use different source ports to track multiple conversations so that when the packets return, all addressed to the same external NAT address, they can direct them to the proper place by the port number.

But when JNOS receives an AXUDP packet, apparently it doesn't behave like a normal UDP application. JNOS apparently rejects the connection if the *source* port is not 93, even if the destination port is correctly set to 93. This is unusual, to say the least. But even worse, it issues an ICMP "udp port 93 unreachable" message, which is completely wrong, since port 93 is definitely reachable.

It seems the following is needed: Remove the source port restriction for AXUDP. JNOS should not care what the source port is. And, just like any other UDP app, when responding it should use whatever source port was specified as the destination port when it constructs the return packet.
Michael
N6MEF
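To make the behaviour described in the post concrete, here is an added example (not JNOS code, and not written by the poster) that models the two policies side by side: a "strict" UDP service that refuses a datagram unless its *source* port equals the service port, and a normal UDP service that answers whatever (address, port) the datagram came from. It assumes a loopback exchange in which an ephemeral server port stands in for UDP/93 (binding port 93 needs root) and an ephemeral client port stands in for the source port a NAT has rewritten; the policy names and the ACK payload are this example's own.

```python
import socket

# Assumed stand-in: the server binds an ephemeral port instead of the
# privileged UDP/93, and the client's ephemeral port plays the role of a
# source port that an outbound NAT has rewritten.

def strict_policy(src_port, service_port):
    """Model of the behaviour the post describes: the datagram is refused
    unless its source port equals the service port, so anything that passed
    through a port-rewriting NAT is dropped."""
    return src_port == service_port


def normal_policy(src_port, service_port):
    """Ordinary UDP service: the source port is irrelevant. The datagram
    already arrived on the service port, and that is all that matters."""
    return True


def handle_datagram(server, policy, timeout=0.5):
    """Receive one datagram on `server`. If `policy` accepts it, reply to the
    sender's (addr, port) exactly as received. Returns the peer replied to,
    or None when the datagram was refused."""
    server.settimeout(timeout)
    data, peer = server.recvfrom(2048)
    service_port = server.getsockname()[1]
    if not policy(peer[1], service_port):
        return None
    # The reply goes back to whatever source port the sender (or its NAT)
    # used. Its own source port is the service port, which is what lets the
    # NAT match the return packet to the inside host that sent the request.
    server.sendto(b"ACK " + data, peer)
    return peer


def exchange(policy):
    """One request/reply round trip over loopback under the given policy.
    Returns (client_got_reply, client_src_port, service_port, peer_replied_to)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        server.bind(("127.0.0.1", 0))   # ephemeral port standing in for UDP/93
        client.bind(("127.0.0.1", 0))   # ephemeral port, like a NAT-rewritten source port
        service_port = server.getsockname()[1]
        src_port = client.getsockname()[1]

        # Constructed sample payload; a real AXUDP frame would carry AX.25 here.
        client.sendto(b"axudp-frame", ("127.0.0.1", service_port))
        replied_to = handle_datagram(server, policy)

        client.settimeout(0.5)
        try:
            reply, _ = client.recvfrom(2048)
            got_reply = reply.startswith(b"ACK ")
        except socket.timeout:
            got_reply = False
        return got_reply, src_port, service_port, replied_to
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    for name, policy in (("strict", strict_policy), ("normal", normal_policy)):
        got, src, svc, peer = exchange(policy)
        print(f"{name:6s} src={src} dst={svc} replied_to={peer} client_got_reply={got}")
```

Run stand-alone, the strict policy never replies because the client's source port differs from the service port (the same thing a NAT does to the outbound packet), while the normal policy replies to the rewritten port and the client receives it. The example does not send any ICMP; it only shows which datagrams each policy answers.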